Granting Write Access to Personal Entries

The default global ACIs allow write access to a limited subset of the attributes of a user's own entry. These attributes include the following:

Use the procedures in this section to grant users write access to additional attributes of their own entries.

Granting Write Access Based on DNS

The following example ACI enables users internal to example.com to change their own business category and room number.

Remember, by allowing write access, you also grant users the right to delete attribute values.

aci: (targetattr="businessCategory || roomNumber")
  (version 3.0; acl "Write example.com"; allow (write)
  userdn="ldap:///self" and dns="*.example.com";)

This example assumes that the ACI is added to the ou=People,dc=example,dc=com entry.

Granting Write Access Based on Authentication Method

The following example enables any user to update all of his own personal information in the example.com tree provided that he establish an SSL connection to the directory.

By setting this permission, you are also granting users the right to delete attribute values.

aci: (targetattr="*")
  (version 3.0; acl "Write SSL"; allow (write)
  userdn="ldap:///self" and authmethod="ssl";)

This example assumes that the ACI is added to the ou=subscribers,dc=example,dc=com entry.
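
The following checker for ACI values of the shape used in the two examples above is an added illustration, not part of the original documentation or of the directory server. The function names, the finding texts and the third sample value (a constructed variant with a two-slash userdn URL) are assumptions made for the example.

```python
import re

# Constructed samples: the two ACI values from this page plus one
# constructed variant whose userdn URL has only two slashes.
SAMPLES = [
    'aci: (targetattr="businessCategory || roomNumber")\n'
    '(version 3.0; acl "Write example.com"; allow (write)\n'
    'userdn="ldap:///self" and dns="*.example.com";)',
    'aci: (targetattr="*")(version 3.0; acl "Write SSL"; allow (write) '
    'userdn="ldap:///self" and authmethod="ssl";)',
    'aci: (targetattr="*")(version 3.0; acl "Write SSL"; allow (write) '
    'userdn= "ldap://self" and authmethod="ssl";)',
]

ACI_RE = re.compile(
    r'\(\s*targetattr\s*!?=\s*"(?P<attrs>[^"]*)"\s*\)\s*'
    r'\(\s*version\s+3\.0\s*;\s*acl\s+"(?P<name>[^"]*)"\s*;\s*'
    r'(?:allow|deny)\s*\((?P<perms>[^)]*)\)\s*(?P<bind>.*?);\s*\)\s*$',
    re.S)
BIND_RE = re.compile(r'(\w+)\s*!?=\s*"([^"]*)"')

def parse_aci(value):
    """Split one single-target, single-rule ACI into its parts."""
    m = ACI_RE.match(re.sub(r'^aci:\s*', '', value.strip()))
    if not m:
        raise ValueError("not a single-target version 3.0 ACI")
    return {
        "name": m["name"],
        "attrs": [a.strip() for a in m["attrs"].split("||")],
        "perms": [p.strip().lower() for p in m["perms"].split(",")],
        "bind": [(k.lower(), v) for k, v in BIND_RE.findall(m["bind"])],
    }

def lint_aci(value):
    """Return review findings for a self-write ACI (empty list = none)."""
    aci, findings = parse_aci(value), []
    for key, val in aci["bind"]:
        if key == "userdn" and not val.startswith("ldap:///"):
            findings.append("userdn %r is not an ldap:/// URL" % val)
    if "write" in aci["perms"]:
        if "*" in aci["attrs"]:
            findings.append("write is not limited to named attributes")
        if not {"dns", "ip", "authmethod"} & {k for k, _ in aci["bind"]}:
            findings.append("write has no dns, ip or authmethod condition")
    return findings

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_aci(sample)["name"], lint_aci(sample))
```

The parser handles only one target and one permission/bind-rule pair per ACI, which is the form both examples on this page use.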