Starting and Stopping Your Server Instance
Configuring the Server Instance
Configuring the Proxy Components
Configuring Security Between Clients and Servers
Configuring Security Between the Proxy and the Data Source
Configuring Servers With the Control Panel
Managing Global ACIs With dsconfig
Granting Write Access to Personal Entries
Granting a Group Full Access to a Suffix
Granting Rights to Add and Delete Group Entries
Allowing Users to Add or Remove Themselves From a Group
Granting Conditional Access to a Group
Defining Permissions for DNs That Contain a Comma
The Get Effective Rights Control
Using the Get Effective Rights Control
Understanding Effective Rights Results
Viewing effective rights is itself a directory operation that should be protected and appropriately restricted.
The default ACI does not allow read access to the aclRights and aclRightsInfo operational attributes used to return effective rights. Create a new ACI for these attributes to enable access by directory users to this information.
For example, the following ACI allows members of the Directory Administrators group to get effective rights:
aci: (targetattr = "aclRights||aclRightsInfo")(version 3.0; acl "getEffectiveRights"; allow(all) groupdn = "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)
In addition, access is needed to use the Get Effective Rights Control.
To enable access by directory users to the Get Effective Rights Control, create a new ACI target by using the OID (1.3.6.1.4.1.42.2.27.9.5.2) for this control. For additional ACI syntax information, see Defining Targets in Sun OpenDS Standard Edition 2.2 Architectural Reference.
For example, the following ACI allows members of the Directory Administrators group to use the Get Effective Rights control:
aci: (targetcontrol = "1.3.6.1.4.1.42.2.27.9.5.2")(version 3.0; acl "getEffectiveRights control access"; allow(all) groupdn = "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)