Red Hat Directory Server 8.0 Administrator's Guide
security attributes, such as aci, nsroledn, and passwordExpirationTime, cannot be modified by users.
• Users have anonymous access to the directory for search, compare, and read operations.
• The administrator (by default uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot) has all rights except proxy rights.
• All members of the Configuration Administrators group have all rights except proxy rights.
• All members of the Directory Administrators group have all rights except proxy rights.
• Server Instance Entry (SIE) group.
The NetscapeRoot subtree has its own set of default ACIs:
• All members of the Configuration Administrators group have all rights on the NetscapeRoot subtree except proxy rights.
• Users have anonymous access to the NetscapeRoot subtree for search and read operations.
• All authenticated users have search, compare, and read rights to configuration attributes that identify the Administration Server.
• Group expansion.
The following sections explain how to modify these default settings.
3. Creating ACIs Manually
You can create access control instructions manually using LDIF statements and add them to your directory tree using the ldapmodify utility, similar to the instructions in Section 4, “LDIF Update Statements”. The following sections explain in detail how to create the LDIF statements.
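As an added example (not code from the Red Hat Directory Server guide), the following Python script composes aci values of the kind listed among the default ACIs above, renders them as the LDIF modify record that ldapmodify would load, and lints them so that the security attributes the chapter names (aci, nsroledn, passwordExpirationTime) cannot be left writable by ordinary users. The suffix dc=example,dc=com, the Directory Administrators group DN and the acl names are constructed sample values; the linter insists on an explicit targetattr clause, which is a choice made here for unambiguous parsing, not a server requirement.

```python
"""
Added example (not from the Red Hat Directory Server guide): compose Directory Server
aci values, render them as an LDIF change record for ldapmodify, and lint them so the
security attributes the chapter names are never made user-writable by accident.
The suffix, group DN and acl names below are constructed sample values.
"""
import re

# Attributes the chapter says ordinary users must not be able to modify.
PROTECTED_ATTRS = ("aci", "nsroledn", "passwordExpirationTime")

# Bind rules that describe ordinary (non-administrator) users, whitespace-normalised.
USER_BIND_RULES = {'userdn="ldap:///self"', 'userdn="ldap:///anyone"', 'userdn="ldap:///all"'}

# This linter requires an explicit targetattr clause (a choice made here, not a server rule).
ACI_RE = re.compile(
    r'^\(targetattr\s*(?P<op>!?=)\s*"(?P<attrs>[^"]*)"\)'
    r'\(version 3\.0;\s*acl\s*"(?P<name>[^"]*)";\s*'
    r'(?P<permission>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'(?P<bind>[^;]+);\)$'
)


def build_aci(name, rights, bind_rule, targetattr=("*",), exclude=False):
    """Compose one aci value in Directory Server syntax.

    rights:     e.g. ("read", "search", "compare"); "all" is every right except proxy.
    bind_rule:  e.g. 'userdn = "ldap:///anyone"' or 'groupdn = "ldap:///cn=...".
    targetattr: attribute names; exclude=True covers every attribute *except* these.
    """
    op = "!=" if exclude else "="
    target = f'(targetattr {op} "{" || ".join(targetattr)}")'
    return f'{target}(version 3.0; acl "{name}"; allow ({",".join(rights)}) {bind_rule};)'


def parse_aci(value):
    """Split an aci value into its parts; raises ValueError on anything it cannot read."""
    m = ACI_RE.match(value.strip())
    if not m:
        raise ValueError(f"unparseable aci (explicit targetattr required): {value}")
    return {
        "name": m["name"],
        "permission": m["permission"],
        "rights": [r.strip() for r in m["rights"].split(",")],
        "bind": re.sub(r"\s*=\s*", "=", m["bind"].strip()),
        "targetattr": [a.strip() for a in m["attrs"].split("||")],
        "exclude": m["op"] == "!=",
    }


def exposed_protected_attrs(aci, protected=PROTECTED_ATTRS):
    """Return the protected attributes this aci lets ordinary users write (empty if none)."""
    p = parse_aci(aci)
    grants_write = p["permission"] == "allow" and {"write", "all"} & set(p["rights"])
    if not grants_write or p["bind"].lower() not in USER_BIND_RULES:
        return []
    names = {a.lower() for a in p["targetattr"]}  # LDAP attribute names are case-insensitive
    if p["exclude"]:
        return [a for a in protected if a.lower() not in names]  # must be in the exclusion list
    if "*" in names:
        return list(protected)
    return [a for a in protected if a.lower() in names]


def lint(acis):
    """Map each offending acl name to the protected attributes it exposes."""
    problems = {}
    for aci in acis:
        exposed = exposed_protected_attrs(aci)
        if exposed:
            problems[parse_aci(aci)["name"]] = exposed
    return problems


def fold_ldif_line(line, width=76):
    """Fold a long LDIF line; continuation lines start with one space (RFC 2849)."""
    chunks, rest = [line[:width]], line[width:]
    while rest:
        chunks.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(chunks)


def render_ldif_add_acis(dn, acis):
    """Build the LDIF change record that adds the given aci values to an entry."""
    lines = [f"dn: {dn}", "changetype: modify", "add: aci"]
    lines += [fold_ldif_line(f"aci: {a}") for a in acis]
    return "\n".join(lines) + "\n"


SUFFIX = "dc=example,dc=com"                              # constructed sample suffix
ADMIN_GROUP = f"cn=Directory Administrators,{SUFFIX}"     # constructed sample group DN

# Rules mirroring the defaults the chapter describes: anonymous read/search/compare,
# self-write except for the security attributes, and "all" (no proxy) for administrators.
SAMPLE_ACIS = [
    build_aci("Enable anonymous access", ("read", "search", "compare"), 'userdn = "ldap:///anyone"'),
    build_aci("Allow self entry modification", ("write",), 'userdn = "ldap:///self"',
              targetattr=PROTECTED_ATTRS, exclude=True),
    build_aci("Directory Administrators", ("all",), f'groupdn = "ldap:///{ADMIN_GROUP}"'),
]
# Deliberately over-broad rule the linter should reject: self write on every attribute.
BAD_ACI = build_aci("Overbroad self write", ("write",), 'userdn = "ldap:///self"')

if __name__ == "__main__":
    print(render_ldif_add_acis(SUFFIX, SAMPLE_ACIS))
    print("lint:", lint(SAMPLE_ACIS + [BAD_ACI]))
    # Save the LDIF and load it as the guide describes, e.g.
    # ldapmodify -D "cn=Directory Manager" -w <password> -h <host> -p 389 -f acis.ldif
```

Running the script prints the LDIF record ready for ldapmodify and a lint report naming any rule that hands write access over aci, nsroledn or passwordExpirationTime to self or anonymous binds; only the deliberately over-broad rule is reported. The administrator rule uses the right `all`, which in Directory Server excludes proxy, matching the "all rights except proxy rights" wording of the defaults above.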
TIP
LDIF ACI statements can be very complex. However, if you are setting access control for a large number of directory entries, using LDIF is the preferred method because it is faster than using the Console. To familiarize yourself with LDIF ACI statements, however, you may want to use the Directory Server Console to set the ACI and then click the Edit Manually button on the Access Control Editor. This shows you the correct LDIF syntax. If your operating system allows it, you can even copy the LDIF from the Access Control Editor and paste it into your LDIF file.
Chapter 6. Managing Access Control
172