Sun OpenDS Standard Edition 2.2 Administration Guide


Granting Rights to Add and Delete Group Entries

Some organizations want to allow employees to create entries in the tree if it can increase their efficiency, or if it can contribute to the corporate dynamics. The following examples assume that example.com has a social committee that is organized into various clubs (tennis, swimming, skiing, and so on).

Creating a "Create Group" ACI

This sample ACI allows any example.com employee to create a group entry representing a new club, under the ou=social committee branch.

aci: (target="ldap:///ou=social committee,dc=example,dc=com")
 (targetattr="*")
 (targattrfilters="add=objectClass:(|(objectClass=groupOfNames)(objectClass=top))")
 (version 3.0; acl "Create Group"; allow (read,search,add)
  (userdn="ldap:///uid=*,ou=People,dc=example,dc=com" and dns="*.example.com");)

This example assumes that the ACI is added to the ou=social committee,dc=example,dc=com entry. The value is shown folded over several lines in LDIF style (continuation lines begin with a space); the bind rule groups the userdn and dns conditions in parentheses so that both must hold.


Note - This ACI does not grant write permission, which means that the entry creator cannot modify the entry. Because the server adds the value top to every entry behind the scenes, you must specify objectClass=top in the targattrfilters component; an add filter that names only groupOfNames would cause the add operation to be denied.


Creating a "Delete Group" ACI

This sample ACI ensures that only the group owner (the DN named in the entry's owner attribute) can modify or delete a group entry under the ou=social committee branch.

aci: (target="ldap:///ou=social committee,dc=example,dc=com")
 (targetattr="*")
 (targattrfilters="del=objectClass:(objectClass=groupOfNames)")
 (version 3.0; acl "Delete Group"; allow (write,delete)
  userattr="owner#GROUPDN";)

This example assumes that the ACI is added to the ou=social committee,dc=example,dc=com entry.
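The following script is an added example for both the "Create Group" and "Delete Group" ACIs above; it is not code from the OpenDS documentation or distribution. It carries single-line copies of the two ACIs, lints them before they are handed to ldapmodify (balanced parentheses outside quoted strings, the ldap:/// target prefix, the version clause), evaluates the targattrfilters add= rule against the objectClass values the server will actually store (top is always among them, which is the point of the Note above), and produces correctly folded LDIF. The faulty variants (a filter that forgets top, a target without ldap:///, a stray parenthesis in the bind rule) are constructed here to show what the checks catch; the real access decision is made by the server's ACI engine, not by this script.

```python
"""Pre-flight checks for the "Create Group" and "Delete Group" ACIs.

Added example, not code from the OpenDS documentation or distribution.
It models only the syntax shown in the section: balanced parentheses,
the ldap:/// target prefix, and the targattrfilters add= rule for
objectClass, evaluated against the values the server will store.
"""
import re

# Constructed single-line copies of the two ACIs from this section.
CREATE_GROUP_ACI = (
    '(target="ldap:///ou=social committee,dc=example,dc=com")'
    '(targetattr="*")'
    '(targattrfilters="add=objectClass:'
    '(|(objectClass=groupOfNames)(objectClass=top))")'
    '(version 3.0; acl "Create Group"; allow (read,search,add) '
    '(userdn="ldap:///uid=*,ou=People,dc=example,dc=com" '
    'and dns="*.example.com");)'
)
DELETE_GROUP_ACI = (
    '(target="ldap:///ou=social committee,dc=example,dc=com")'
    '(targetattr="*")'
    '(targattrfilters="del=objectClass:(objectClass=groupOfNames)")'
    '(version 3.0; acl "Delete Group"; allow (write,delete) '
    'userattr="owner#GROUPDN";)'
)
# Constructed faulty variants used to exercise the checks below.
CREATE_GROUP_ACI_NO_TOP = CREATE_GROUP_ACI.replace(
    "(|(objectClass=groupOfNames)(objectClass=top))", "(objectClass=groupOfNames)")
CREATE_GROUP_ACI_STRAY_PAREN = CREATE_GROUP_ACI.replace('dc=com" and', 'dc=com") and')
DELETE_GROUP_ACI_BAD_TARGET = DELETE_GROUP_ACI.replace("ldap:///ou=", "ou=", 1)


def lint_aci(aci):
    """Return a list of syntax problems; an empty list means the ACI passed.

    Parentheses inside double-quoted strings (LDAP filters, DNs) are not
    counted, so a filter like (|(objectClass=a)(objectClass=b)) is fine.
    """
    problems = []
    depth, in_quote = 0, False
    for ch in aci:
        if ch == '"':
            in_quote = not in_quote
        elif not in_quote and ch == "(":
            depth += 1
        elif not in_quote and ch == ")":
            depth -= 1
            if depth < 0:
                problems.append("unmatched ')'")
                break
    if in_quote:
        problems.append("unterminated double quote")
    if depth > 0:
        problems.append("%d unclosed '('" % depth)
    target = re.search(r'\(target\s*=\s*"([^"]*)"\)', aci)
    if target and not target.group(1).startswith("ldap:///"):
        problems.append("target must start with ldap:///")
    if not re.search(r"\(version\s+3\.0\s*;", aci):
        problems.append("missing '(version 3.0;' clause")
    return problems


def add_filter_classes(aci):
    """objectClass values (lowercased) named by a single add=objectClass: rule.

    Covers the filter shapes on the page: (objectClass=X) or an OR of
    such terms. Returns an empty set when the ACI has no add= rule.
    """
    m = re.search(r'add=objectClass:([^"]*)', aci)
    if not m:
        return set()
    return {v.lower() for v in re.findall(r"\(objectClass=([^)]+)\)", m.group(1))}


def entry_add_allowed(aci, object_classes):
    """Would the add= filter accept an entry with these objectClass values?

    The server stores top on every entry, so top is checked even when the
    client did not send it; that is why the ACI must name objectClass=top.
    """
    stored = {oc.lower() for oc in object_classes} | {"top"}
    return stored <= add_filter_classes(aci)


def ldif_for_aci(dn, aci, width=76):
    """LDIF for ldapmodify that adds one aci value to dn, folding long lines
    the way LDIF requires (continuation lines start with one space)."""
    lines = ["dn: " + dn, "changetype: modify", "add: aci"]
    value = "aci: " + aci
    lines.append(value[:width])
    rest = value[width:]
    while rest:
        lines.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(lines) + "\n"


def unfold_ldif(text):
    """Reverse LDIF folding so a caller can confirm the aci value round-trips."""
    out = []
    for line in text.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


if __name__ == "__main__":
    dn = "ou=social committee,dc=example,dc=com"
    for name, aci in (("Create Group", CREATE_GROUP_ACI), ("Delete Group", DELETE_GROUP_ACI)):
        print(name, "lint:", lint_aci(aci) or "ok")
    print("add with filter naming top:", entry_add_allowed(CREATE_GROUP_ACI, ["groupOfNames"]))
    print("add with filter missing top:", entry_add_allowed(CREATE_GROUP_ACI_NO_TOP, ["groupOfNames"]))
    print(ldif_for_aci(dn, CREATE_GROUP_ACI))
```

Run the script and feed the printed LDIF to ldapmodify against the ou=social committee,dc=example,dc=com entry; the lint is deliberately narrow (it knows only the constructs used in these two ACIs) and is a convenience for catching a typo before the server rejects the value, not a substitute for checking effective rights on the server afterwards.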