Chapter 6. Managing Access Control
NOTE
Because search filters do not directly name the object for which you are managing access,
it is easy to allow or deny access to the wrong objects unintentionally, especially as your
directory becomes more complex. Additionally, filters can make it difficult to troubleshoot
access control problems within your directory.
For example, the following ACI grants user bjensen write access to the department number, home phone number, home postal address, and manager attributes for all members of the accounting organization.
aci: (targetattr="departmentNumber || homePhone || homePostalAddress || manager")
(targetfilter="(uid=bjensen)") (version 3.0; acl "Filtered ACL"; allow (write)
userdn ="ldap:///cn=*,ou=accounting, dc=example,dc=com";)
Before you can set these permissions, you must create the accounting branch point (ou=accounting,dc=example,dc=com). You can create organizational unit branch points in the Directory tab on the Directory Server Console.
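To see concretely which entries a filtered ACI such as the one above selects, and which bind DNs its userdn rule grants, here is an added Python audit helper (it is not part of this guide or of Directory Server itself). It parses the ACI shown above and evaluates it against a constructed set of entries and bind DNs; it supports only simple equality filters and treats the userdn wildcard as matching within one RDN value, both simplifications of the server's real evaluation.

```python
import fnmatch
import re

# PAGE_ACI is the filtered ACI shown on this page; ENTRIES and BIND_DNS are constructed sample data.
PAGE_ACI = ('aci: (targetattr="departmentNumber || homePhone || homePostalAddress || manager")'
            ' (targetfilter="(uid=bjensen)") (version 3.0; acl "Filtered ACL"; allow (write)'
            ' userdn ="ldap:///cn=*,ou=accounting, dc=example,dc=com";)')
ENTRIES = {
    "uid=bjensen,ou=accounting,dc=example,dc=com": {"uid": ["bjensen"]},
    "uid=bjensen,ou=people,dc=example,dc=com": {"uid": ["bjensen"]},
    "uid=ssmith,ou=accounting,dc=example,dc=com": {"uid": ["ssmith"]},
}
BIND_DNS = ["cn=Sue Smith,ou=accounting,dc=example,dc=com", "cn=Tom Lee,ou=people,dc=example,dc=com"]

def _quoted_value(aci, key):
    m = re.search(key + r'\s*=?\s*"([^"]*)"', aci)  # handles targetattr="..." and acl "..."
    return m.group(1) if m else None

def parse_aci(aci):
    """Pull targetattr, targetfilter, acl name, rights and userdn out of one ACI value."""
    attrs = _quoted_value(aci, "targetattr")
    rights = re.search(r"(allow|deny)\s*\(([^)]*)\)", aci)
    return {
        "targetattr": [a.strip() for a in attrs.split("||")] if attrs else ["*"],
        "targetfilter": _quoted_value(aci, "targetfilter"),
        "acl": _quoted_value(aci, "acl"),
        "rights": (rights.group(1), [r.strip() for r in rights.group(2).split(",")]),
        "userdn": _quoted_value(aci, "userdn"),
    }

def matches_filter(filt, attrs):
    """Evaluate a simple (attr=value) filter against one entry's attributes; '*' wildcards work."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filt.strip())
    if not m:
        raise ValueError("only simple (attr=value) filters are supported here")
    attr, pattern = m.group(1).lower(), m.group(2).lower()
    return any(fnmatch.fnmatchcase(v.lower(), pattern) for v in attrs.get(attr, []))

def bind_rule_matches(userdn, bind_dn):
    """Match a bind DN against a userdn pattern; here '*' spans one RDN value only (a simplification)."""
    norm = lambda dn: re.sub(r",\s*", ",", dn.strip().lower())
    pattern = norm(userdn.replace("ldap:///", ""))
    regex = "".join("[^,]*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, norm(bind_dn)) is not None

def audit_aci(aci=PAGE_ACI, entries=ENTRIES, bind_dns=BIND_DNS):
    """Report which entries a filtered ACI targets and which bind DNs receive its rights."""
    rule = parse_aci(aci)
    filt = rule["targetfilter"]  # no targetfilter means every entry in scope is a target
    rule["target_entries"] = [dn for dn, a in entries.items() if not filt or matches_filter(filt, a)]
    rule["granted_to"] = [dn for dn in bind_dns if bind_rule_matches(rule["userdn"], dn)]
    return rule
```

Running audit_aci() on the page's ACI lists both bjensen entries as targets, which is exactly the kind of unintended match the NOTE warns about when a filter rather than a DN names the target.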
6.9.9. Allowing Users to Add or Remove Themselves from a Group
Many directories set ACIs that allow users to add or remove themselves from groups. This is useful,
for example, for allowing users to add and remove themselves from mailing lists.
At example.com, employees can add themselves to any group entry under the ou=social committee subtree. This is illustrated in Section 6.9.9.1, “ACI "Group Members"”.
6.9.9.1. ACI "Group Members"
In LDIF, to grant example.com employees the right to add or delete themselves from a group, write the following statement:
aci: (targetattr="member")(version 3.0; acl "Group Members"; allow (selfwrite)
(userdn= "ldap:///uid=*,ou=example-people,dc=example,dc=com") ;)
This example assumes that the ACI is added to the ou=social committee,dc=example,dc=com entry.
From the Console, set this permission by doing the following:
1. In the Directory tab, right-click the example-people entry under the example.com node in the left navigation tree, and choose Set Access Permissions from the pop-up menu to display the Access Control Manager.
2. Click New to display the Access Control Editor.
3. In the Users/Groups tab, in the ACI name field, type Group Members. In the list of users granted access permission, do the following:
a. Select and remove All Users, then click Add. The Add Users and Groups dialog box opens.