The default access controls defined at installation are as follows:
All users have compare access to the values of the userPassword attribute: a client can ask the server whether a supplied value matches the stored one, which is all that authentication needs, but cannot read the value. To change the value of userPassword you must bind with the DN of the entry containing the attribute, that is, a password can only be changed by the owner of the entry.
All users have compare access to the values of the attributes chapPasswd, radiusLoginPasswd, radiusPppPasswd, and radiusSlipPasswd. Write access to these attributes is granted only to a user who binds with the DN of the entry containing them.
Anyone binding with the DN of an entry has write access to the userPassword, gecos, and loginShell attributes of that entry. Everyone else has read access only.
Everyone has read access to the following attributes: cn, dataSource, homeDirectory, messageStore, messageStoreSizeQuota, mail, mailServer, objectStatus, preferredRfc822Recipient, rfc822Mailbox, uid.
Any user can add their own DN to, or delete their own DN from, the member attribute of any entry whose joinable attribute has the value TRUE. This is self-write access: a user cannot add or remove anyone else's DN.
The administrator always has complete access to all attributes in all entries. You cannot change the access granted to the administrator, because it is not defined in the configuration file. This ensures that there is always at least one user who has access to every attribute in every entry in the directory, so a mistake in the access control rules cannot lock everyone out.
These rules are applied in the order in which they appear in the configuration file, and the first rule whose target matches the entry and attribute being accessed is the one that decides. The most specific rules therefore come first and the general rules last, as in the default file; a general rule placed earlier would match before the specific rule is reached and shadow it.
Example 1-1 shows how the default access controls are defined in the directory server configuration file /etc/opt/SUNWconn/ldap/current/dsserv.acl.conf.
access to attrs=userPassword by self write by * compare
# Radius ACLs
access to attrs=chapPassword, radiusLoginPasswd, radiusPppPasswd, radiusSlipPasswd by self write by * compare
access to attrs=sharedKey by self write by * compare
# dsyppasswdd ACLs
access to attrs=userPassword by self write by * compare
access to attrs=gecos,loginShell by self write
# SIMS ACLs
access to attrs=cn, dataSource, homeDirectory, mail, mailHost, mailQuota, objectStatus, preferredRfc822Recipient, rfc822Mailbox, uid by self read by * read
# Default ACLs
access to filter="joinable=TRUE" attrs=member,entry by dnattr=member selfwrite
access to * by self read
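To make the evaluation order concrete, the following is an added example, not part of Sun Directory Services and not the server's own code. It parses the default rules above and models the first-match semantics the text describes: rules are tried in file order, the first rule whose target matches the attribute and entry decides, its by clauses are tried in order, and selfwrite is modelled as write access limited to adding or deleting the bind DN itself. The privilege ladder none < compare < search < read < write, the sample entries, the DNs, and the function names are assumptions made for the example. Evaluating the same requests against a copy of the file with the catch-all access to * rule moved to the front shows why the specific rules must come first.

```python
import re
import shlex

# Privilege ladder assumed for the example: a rule granting a level also
# grants every lower one (write implies read, read implies compare, ...).
LEVELS = {"none": 0, "compare": 1, "search": 2, "read": 3, "write": 4}

# Constructed copy of the default dsserv.acl.conf rules from the text above.
DEFAULT_ACL = """
access to attrs=userPassword by self write by * compare
# Radius ACLs
access to attrs=chapPassword, radiusLoginPasswd, radiusPppPasswd, radiusSlipPasswd by self write by * compare
access to attrs=sharedKey by self write by * compare
# dsyppasswdd ACLs
access to attrs=userPassword by self write by * compare
access to attrs=gecos,loginShell by self write
# SIMS ACLs
access to attrs=cn, dataSource, homeDirectory, mail, mailHost, mailQuota, objectStatus, preferredRfc822Recipient, rfc822Mailbox, uid by self read by * read
# Default ACLs
access to filter="joinable=TRUE" attrs=member,entry by dnattr=member selfwrite
access to * by self read
"""


def parse_acl(text):
    """Parse 'access to <target> by <who> <level> ...' lines, in file order.
    Only the clauses used by the default rules are supported (attrs=,
    filter=<attr>=<value>, *, self, dnattr=<attr>); case is significant."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("access to "):
            continue
        line = re.sub(r",\s+", ",", line[len("access to "):])  # "a, b" -> "a,b"
        head, *by_parts = re.split(r"\s+by\s+", line)
        rule = {"attrs": None, "filter": None, "by": []}
        for tok in shlex.split(head):
            key, _, val = tok.partition("=")
            if tok == "*":
                continue  # wildcard target: matches every entry and attribute
            if key == "attrs":
                rule["attrs"] = set(val.split(","))
            elif key == "filter":
                fattr, _, fval = val.partition("=")
                rule["filter"] = (fattr, fval)
            else:
                raise ValueError("unsupported target clause: " + tok)
        for part in by_parts:
            who, level = part.split()
            if level not in LEVELS and level != "selfwrite":
                raise ValueError("unknown access level: " + level)
            rule["by"].append((who, level))
        rules.append(rule)
    return rules


def _same_dn(a, b):
    return a is not None and b is not None and a.lower() == b.lower()


def access_level(rules, bind_dn, entry, attr, value=None):
    """Level the FIRST matching rule grants bind_dn (None = anonymous) on
    attr of entry (a dict: 'dn' plus attribute -> list of values).  value is
    the attribute value being added or deleted; only selfwrite looks at it."""
    for rule in rules:
        if rule["filter"] is not None:
            fattr, fval = rule["filter"]
            if fval not in entry.get(fattr, []):
                continue
        if rule["attrs"] is not None and attr not in rule["attrs"]:
            continue
        # This rule owns the decision; later rules are never consulted.
        for who, level in rule["by"]:
            if level == "selfwrite":
                # Modelled as: the bind DN may add or delete exactly its own
                # DN as a value of the attribute, and nothing else.
                if _same_dn(bind_dn, value):
                    return "write"
                continue
            if who == "self":
                if not _same_dn(bind_dn, entry["dn"]):
                    continue
            elif who.startswith("dnattr="):
                holders = entry.get(who[len("dnattr="):], [])
                if not any(_same_dn(bind_dn, h) for h in holders):
                    continue
            elif who != "*":
                raise ValueError("unsupported by clause: " + who)
            return level
        return "none"  # target matched but no by clause applied
    return "none"


def allowed(rules, bind_dn, entry, attr, requested, value=None):
    return LEVELS[access_level(rules, bind_dn, entry, attr, value)] >= LEVELS[requested]


def catch_all_first(text):
    """The wrong order: move the 'access to *' rule ahead of the others."""
    lines = text.strip().splitlines()
    star = [ln for ln in lines if ln.startswith("access to *")]
    return "\n".join(star + [ln for ln in lines if ln not in star])


if __name__ == "__main__":
    # Constructed sample entries.
    alice = {"dn": "uid=alice,o=example", "userPassword": ["secret"], "cn": ["Alice"]}
    staff = {"dn": "cn=staff,o=example", "joinable": ["TRUE"], "member": ["uid=bob,o=example"]}
    good, bad = parse_acl(DEFAULT_ACL), parse_acl(catch_all_first(DEFAULT_ACL))
    for label, rules in (("default order", good), ("catch-all first", bad)):
        print(label, "alice/userPassword:", access_level(rules, alice["dn"], alice, "userPassword"),
              "bob/userPassword:", access_level(rules, "uid=bob,o=example", alice, "userPassword"),
              "alice joins staff:", access_level(rules, alice["dn"], staff, "member", value=alice["dn"]))
```

With the default order, alice gets write on her own userPassword, bob gets only compare, and alice can add her own DN (but not anyone else's) to the joinable group. With the catch-all rule moved first, it matches every attribute before the password rule is reached: alice drops to read on her own password and bob gets nothing, which is the shadowing the ordering note above warns about.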
For information on configuring access control rules for Sun Directory Services, refer to "Configuring Access Control".