Red Hat Directory Server 8.0 Administrator's Guide

"Anonymous World".
9.1.1. ACI "Anonymous example.com"
In LDIF, to grant read, search, and compare permissions on the entire example.com tree to
example.com employees, that is, to any client (including one that binds anonymously) connecting
from a host in the example.com domain, write the following statement:
aci: (targetattr !="userPassword")(version 3.0; acl "Anonymous Example";
 allow (read, search, compare) userdn= "ldap:///anyone" and
 dns="*.example.com";)
This example assumes that the aci attribute is added to the dc=example,dc=com entry. The
userPassword attribute is excluded from the scope of the ACI. Because the targetattr rule is
negated (!=), every other attribute in the entry is in scope, including any attribute added to
the schema later, so review the rule whenever new sensitive attributes are introduced. The dns
bind rule is evaluated against the host name the server resolves for the client's address, so it
is only as trustworthy as that DNS resolution.
From the Console, set this permission by doing the following:
1. In the Directory tab, right-click the example.com node in the left navigation tree, and choose
Set Access Permissions from the pop-up menu to display the Access Control Manager.
2. Click New to display the Access Control Editor.
3. In the Users/Groups tab, in the ACI name field, type Anonymous example.com. Check that
All Users appears in the list of users granted access permission.
4. In the Rights tab, select the checkboxes for read, compare, and search rights. Make sure
the other checkboxes are clear.
5. In the Targets tab, click This Entry to display the dc=example,dc=com suffix in the Target
directory entry field. In the attribute table, locate the userPassword attribute, and clear the
corresponding checkbox.
All other checkboxes should be selected. This task is made easier if you click the Name
header to organize the list of attributes alphabetically.
6. In the Hosts tab, click Add, and in the DNS host filter field, type *.example.com. Click OK
to dismiss the dialog box.
7. Click OK in the Access Control Editor window.
The new ACI is added to the ones listed in the Access Control Manager window.
9.1.2. ACI "Anonymous World"
In LDIF, to grant the world read and search access to three attributes in the individual
subscribers subtree, while keeping the entries of unlisted subscribers outside the scope of the
ACI (nothing else grants access to them, so the server's default deny applies), write the
following statement:
aci: (targetfilter= "(!(unlistedSubscriber=yes))")
 (targetattr="homePostalAddress || homePhone || mail") (version
 3.0; acl "Anonymous World"; allow (read, search)
 userdn="ldap:///anyone";)
Chapter 6. Managing Access Control