Oracle Fusion Middleware Administration Guide for Oracle Unified Directory 11g Release 1 (11.1.1) |
You can create access control instructions (ACIs) manually using LDIF statements, and add them to your directory by using the ldapmodify command. Because ACI values can be very complex, it is useful to view existing values and copy them to help create new ones.
For sample ACIs in addition to the ones illustrated here, see Access Control Usage Examples.
ACIs are stored as one or more values of the aci attribute on an entry. The aci attribute is a multivalued operational attribute that can be read and modified by directory users, and should itself be protected by ACIs.
Administrative users are usually given full access to the aci attribute.
To view the ACI values on an entry, search for its aci attribute with the ldapsearch command:

    $ ldapsearch -h host -p port -D "cn=Directory Manager" -w password \
      -b entryDN -s base "(objectclass=*)" aci
The result is LDIF text that you can copy into a new LDIF ACI definition for editing. Because the value of an ACI is a long string, the output from the ldapsearch operation is likely to be displayed over several lines, with a single leading space on each continuation line marking it as part of the previous line. Take this into account when copying and pasting the LDIF output.
To view the effect of an ACI value, in terms of the permissions that it grants or denies, see Viewing Effective Rights.
You can add an ACI by specifying the ACI in an LDIF file and then applying the LDIF file with the ldapmodify command. The LDIF file must contain one or more aci attributes, each of which is composed of the aci: prefix followed by the ACI specification. For more information, see ACI Syntax in Oracle Fusion Middleware Architecture Reference for Oracle Unified Directory.
The following sample LDIF file (aci.ldif) adds an ACI that grants a particular user (csmith) full access rights to the directory:
    dn: ou=people,dc=example,dc=com
    changetype: modify
    add: aci
    aci: (targetattr="*")(version 3.0; acl "give csmith full rights"; allow(all) userdn = "ldap:///uid=csmith,ou=People,dc=example,dc=com";)
The following command applies the ACI contained in the aci.ldif file to the directory:
    $ ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -w password \
      --filename aci.ldif
    Processing MODIFY request for ou=people,dc=example,dc=com
    MODIFY operation successful for DN ou=people,dc=example,dc=com
You can remove an ACI by specifying its exact value in an LDIF file, and then removing that value with the ldapmodify command. The value must match the stored ACI character for character, so copy it from the ldapsearch output rather than retyping it.
The following sample LDIF file (remove-aci.ldif) removes the ACI that was added in the previous procedure:
    dn: ou=people,dc=example,dc=com
    changetype: modify
    delete: aci
    aci: (targetattr="*")(version 3.0; acl "give csmith full rights"; allow(all) userdn = "ldap:///uid=csmith,ou=People,dc=example,dc=com";)
The following command applies the changes contained in the remove-aci.ldif file to the directory:
    $ ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -w password \
      --filename remove-aci.ldif
    Processing MODIFY request for ou=people,dc=example,dc=com
    MODIFY operation successful for DN ou=people,dc=example,dc=com
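The ldapsearch output folding described earlier and the value-for-value removal shown above are easy to get wrong by hand. The following added example (not part of the Oracle documentation, and not an Oracle tool) unfolds a constructed ldapsearch listing, pulls out each aci value, flags the broad targetattr="*" plus allow(all) pattern used in the sample, and generates the remove-aci.ldif content for an ACI selected by its acl label.

```python
import re

# Constructed sample of ldapsearch output (not from the page): long values are
# folded, and a continuation line starts with a single space that is dropped.
SAMPLE_LDIF = """dn: ou=people,dc=example,dc=com
aci: (targetattr="*")(version 3.0; acl "give csmith full rights"; allow(all) u
 serdn = "ldap:///uid=csmith,ou=People,dc=example,dc=com";)
aci: (targetattr="userPassword")(version 3.0; acl "self pw"; allow(write) user
 dn = "ldap:///self";)
"""

def unfold_ldif(text):
    """Join folded LDIF lines: a line starting with one space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # strip exactly one leading space, keep the rest
        else:
            lines.append(raw)
    return lines

def entry_dn(text):
    """Return the dn of the entry (first 'dn:' line after unfolding)."""
    return next(l[len("dn: "):] for l in unfold_ldif(text) if l.startswith("dn: "))

def aci_values(text):
    """Return every aci value of the entry, unfolded back into one string each."""
    return [l[len("aci: "):] for l in unfold_ldif(text) if l.startswith("aci: ")]

def acl_name(aci):
    """Extract the acl "..." label from an ACI value, or None if it has none."""
    m = re.search(r'acl\s+"([^"]*)"', aci)
    return m.group(1) if m else None

def grants_everything(aci):
    """True for the broad pattern on this page: targetattr="*" with allow(all)."""
    return 'targetattr="*"' in aci and re.search(r"allow\s*\(\s*all\s*\)", aci) is not None

def delete_aci_ldif(dn, aci):
    """Build the ldapmodify LDIF that removes exactly one aci value from dn."""
    return f"dn: {dn}\nchangetype: modify\ndelete: aci\naci: {aci}\n"

def removal_ldif_for(text, name):
    """LDIF removing the ACI whose acl label is `name`, or None if not present."""
    for aci in aci_values(text):
        if acl_name(aci) == name:
            return delete_aci_ldif(entry_dn(text), aci)
    return None

if __name__ == "__main__":
    for aci in aci_values(SAMPLE_LDIF):
        print(acl_name(aci), "- grants everything" if grants_everything(aci) else "- scoped")
    print(removal_ldif_for(SAMPLE_LDIF, "give csmith full rights"))
```

Feed it real output from the ldapsearch command above (with -s base, so only one entry is returned) and write the returned string to remove-aci.ldif for ldapmodify.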