Default Access Control Rules (Sun Directory Services 3.1 Administration Guide)

Sun Directory Services 3.1 Administration Guide

Default Access Control Rules

The default access controls defined at installation are as follows:

All users have compare access to the values of the attribute userPassword. To change the value of the userPassword attribute, you must bind with the DN of the entry containing the attribute, that is, the password can only be changed by the owner of the entry.
All users have compare access to the values of the attributes chapPasswd, radiusLoginPasswd, radiusPppPasswd, radiusSlipPasswd. Write access to these attributes is granted to the users who bind with the DN of the entry containing the attributes.
Anyone binding with the DN of an entry has write access to the userPassword, gecos, and loginShell attributes of that entry. Everyone else has read access only.
Everyone has read access to the following attributes: cn, dataSource, homeDirectory, messageStore, messageStoreSizeQuota, mail, mailServer, objectStatus, preferredRfc822Recipient, rfc822Mailbox, uid.
Any user can add their DN to, or delete their DN from, the member attribute of any entry containing the attribute joinable with value TRUE.
The administrator always has complete access to all attributes in all entries. You cannot change the access granted to the administrator because it is not defined in the configuration file. This ensures that there is always at least one user who has access to every attribute in every entry in the directory.

These rules are applied in order, starting with the most specific followed by the more general rules.

Example 1-1 shows how the default access controls are defined in the directory server configuration file /etc/opt/SUNWconn/ldap/current/dsserv.acl.conf.

Example 1-1 Default Access Controls

access to attrs=userPassword	by self write
	by * compare

# Radius ACLs
access to attrs=chapPassword, radiusLoginPasswd, radiusPppPasswD,
radiusSlipPasswd
	by self write
	by * compare

access to attrs=sharedKey
	by self write
	by * compare

# dsyppasswdd ACLs
access to attrs=userPassword
	by self write
	by * compare

access to attrs=gecos,loginShell
	by self write

# SIMS ACLs
access to attrs=cn, dataSource, homeDirectory, mail, mailHost,
mailQuota, objectStatus, preferredRfc822Recipient, rfc822Mailbox,
uid
	by self read
	by * read

# Default ACLs
access to filter="joinable=TRUE" attrs=member,entry
	by dnattr=member selfwrite

access to * by self read

For information on configuring access control rules for Sun Directory Services, refer to "Configuring Access Control".