Oracle Fusion Middleware Administration Guide for Oracle Directory Server Enterprise Edition

Procedure: To Allow Normal Users to Manage User Accounts Using the dsutil Command

  1. Add the following ACIs to allow users to manage other user accounts using the dsutil command. The first ACI grants the delegated administrator ($USERSFXADMIN) read, search, and compare rights on every attribute; the three deny ACIs then remove all rights on the password attributes (nsslapd-rootpw, userPassword, dsKeyedPassword), so that administrator can manage accounts without reading or changing passwords.


    $ ldapmodify -h host -p port -D cn=admin,cn=Administrators,cn=config -w - -c
    dn: cn=config
    changetype: modify
    add: aci
    aci: (targetattr="*")(version 3.0; acl "Allow the Suffix Manager to browse the tree"; \
    allow (read,search,compare)userdn = "ldap:///$USERSFXADMIN";)
    aci: (targetattr="nsslapd-rootpw")\
    (version 3.0; acl "Prevent the Suffix Manager from accessing passwords"; \
    deny (all)userdn = "ldap:///$USERSFXADMIN";)
    aci: (targetattr="userPassword")\
    (version 3.0; acl "Prevent the Suffix Manager from accessing passwords"; \
    deny (all)userdn = "ldap:///$USERSFXADMIN";)
    aci: (targetattr="dsKeyedPassword")\
    (version 3.0; acl "Prevent the Suffix Manager from accessing passwords"; \
    deny (all)userdn = "ldap:///$USERSFXADMIN";)

    The trailing backslashes show where long ACI values are wrapped for display; in the LDIF you supply to ldapmodify, each aci value is a single logical line.

    For more information about the dsutil command, see dsutil(1M).
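As an added consistency check (example code written for this page, not part of the guide or the product), the following Python parses the four ACIs above, with a constructed DN standing in for the $USERSFXADMIN placeholder, and applies the deny-overrides-allow rule to report whether the delegated administrator would retain any right on a password attribute:

```python
import re
# Constructed DN standing in for the $USERSFXADMIN placeholder used in the procedure.
SFX_ADMIN = "ldap:///uid=sfxadmin,ou=People,dc=example,dc=com"
# The four ACIs from the procedure above, placeholder substituted, one string each.
ACIS = [
    '(targetattr="*")(version 3.0; acl "Allow the Suffix Manager to browse the tree"; '
    'allow (read,search,compare)userdn = "%s";)' % SFX_ADMIN,
    '(targetattr="nsslapd-rootpw")(version 3.0; acl "Prevent the Suffix Manager from '
    'accessing passwords"; deny (all)userdn = "%s";)' % SFX_ADMIN,
    '(targetattr="userPassword")(version 3.0; acl "Prevent the Suffix Manager from '
    'accessing passwords"; deny (all)userdn = "%s";)' % SFX_ADMIN,
    '(targetattr="dsKeyedPassword")(version 3.0; acl "Prevent the Suffix Manager from '
    'accessing passwords"; deny (all)userdn = "%s";)' % SFX_ADMIN,
]
PASSWORD_ATTRS = ("userPassword", "nsslapd-rootpw", "dsKeyedPassword")
# What the "all" keyword expands to (assumed here: every right except proxy).
ALL_RIGHTS = {"read", "write", "add", "delete", "search", "compare",
              "selfwrite", "import", "export"}
# Matches the simple ACI shape used above: one targetattr clause, one userdn bind rule.
ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"(?P<attrs>[^"]*)"\)\s*'
    r'\(version\s+3\.0;\s*acl\s+"(?P<name>[^"]*)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'userdn\s*=\s*"(?P<userdn>[^"]*)"\s*;\s*\)')

def parse_aci(aci):
    """Split one ACI into target attributes, effect, rights and the bind DN."""
    m = ACI_RE.fullmatch(aci.strip())
    if m is None:
        raise ValueError("unsupported ACI syntax: %s" % aci)
    attrs = [a.strip().lower() for a in m["attrs"].split("||")]
    rights = {r.strip().lower() for r in m["rights"].split(",")}
    if "all" in rights:
        rights = set(ALL_RIGHTS)
    return {"attrs": attrs, "effect": m["effect"], "rights": rights, "userdn": m["userdn"]}

def effective_rights(acis, userdn, attr):
    """Rights userdn keeps on attr: a deny that targets the attribute overrides any allow."""
    allowed, denied = set(), set()
    for a in map(parse_aci, acis):
        if a["userdn"] != userdn or ("*" not in a["attrs"] and attr.lower() not in a["attrs"]):
            continue
        (allowed if a["effect"] == "allow" else denied).update(a["rights"])
    return allowed - denied

def exposed_password_attrs(acis, userdn):
    """Password attributes on which userdn would still hold some right."""
    return [p for p in PASSWORD_ATTRS if effective_rights(acis, userdn, p)]
```

Dropping any one of the three deny ACIs from the list makes the corresponding attribute show up in the result, which is the misconfiguration this check is meant to catch.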