In LDIF, to grant Example.com employees the right to create a group entry under the ou=Social Committee branch, you would write the following statement:
aci: (targetattr="*") (targattrfilters="add=objectClass:(|(objectClass=groupOfNames)(objectClass=top))") (version 3.0; acl "Create Group"; allow (read,search,add) (userdn="ldap:///uid=*,ou=People,dc=example,dc=com") and (dns="*.Example.com");)
This example assumes that the ACI is added to the ou=Social Committee,dc=example,dc=com entry.
This ACI does not grant write permission, so the user who creates a group entry cannot subsequently modify it.
Because the server automatically adds the value top to the objectClass attribute of every new entry, the targattrfilters keyword must also accept objectClass=top; otherwise the add operation fails the filter check.
This ACI also restricts access to client machines in the example.com domain.
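The following is an added example, not code from the original page or from Directory Server itself: a small Python model of how the server evaluates the "Create Group" ACI above, covering only the targattrfilters add= clause on objectClass (including the objectClass=top caveat), the userdn wildcard and the dns bind rule. It assumes flat equality/OR filters and uses fnmatch as a stand-in for the server's DN wildcard matching.

```python
import fnmatch
import re

# Constructed example: simplified evaluation of the "Create Group" ACI from the text.
TARGATTRFILTERS = "add=objectClass:(|(objectClass=groupOfNames)(objectClass=top))"
USERDN = "ldap:///uid=*,ou=People,dc=example,dc=com"
DNS = "*.Example.com"


def parse_targattrfilters(spec):
    """Return {op: {attr: filter}} from 'add=attr:filter && attr:filter, del=...'."""
    rules = {}
    for clause in spec.split(", "):
        op, _, pairs = clause.partition("=")
        rules[op.strip()] = {}
        for pair in pairs.split("&&"):
            attr, _, flt = pair.strip().partition(":")
            rules[op.strip()][attr.strip().lower()] = flt.strip()
    return rules


def filter_accepts(flt, attr, value):
    """Evaluate a flat filter against one attribute value.
    Assumption: only (attr=value) terms, optionally wrapped in (|...)."""
    terms = re.findall(r"\(([^=()]+)=([^)]*)\)", flt)
    return any(a.lower() == attr.lower() and v.lower() == value.lower() for a, v in terms)


def add_permitted(entry, spec=TARGATTRFILTERS):
    """True if every value of the new entry passes the add= filters.
    The server appends objectClass: top before the check, as the text describes."""
    entry = {k.lower(): list(v) for k, v in entry.items()}
    ocs = entry.setdefault("objectclass", [])
    if not any(v.lower() == "top" for v in ocs):
        ocs.append("top")
    for attr, flt in parse_targattrfilters(spec).get("add", {}).items():
        for value in entry.get(attr, []):
            if not filter_accepts(flt, attr, value):
                return False
    return True


def bind_rule_matches(bind_dn, client_host, userdn=USERDN, dns=DNS):
    """Case-insensitive userdn and dns wildcard checks (fnmatch approximates the
    server's DN wildcard semantics; this is an assumption of the example)."""
    dn_pattern = userdn[len("ldap:///"):].lower()
    return (fnmatch.fnmatchcase(bind_dn.lower(), dn_pattern)
            and fnmatch.fnmatchcase(client_host.lower(), dns.lower()))
```

The third assertion below is the failure mode the text warns about: a filter that lists only groupOfNames denies the add, because the server-added top value does not match.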