Red Hat Directory Server 8.0 Administrator's Guide

It is also example.com's policy to let their subscribers update their own personal information in

the example.com tree, provided that they establish an SSL connection to the directory. This is

illustrated in Section 9.2.2, “ACI "Write Subscribers"”.

9.2.1. ACI "Write example.com"

NOTE

By setting this permission, you are also granting users the right to delete attribute

values.

Granting example.com employees the right to update their password, home telephone number,

and home address has the following statement in LDIF:

aci: (targetattr="userPassword || homePhone ||

homePostalAddress") (version 3.0; acl "Write example.com"; allow

(write) userdn= "ldap:///self" and dns="*.example.com";)

This example assumes that the ACI is added to the ou=example-people,dc=example,dc=com

entry.

From the Console, set this permission by doing the following:

1. In the Directory tab, right-click the example-people entry under the example.com node in

the left navigation tree, and choose Set Access Permissions from the pop-up menu to

display the Access Control Manager.

2. Click New to display the Access Control Editor.

3. In the Users/Groups tab, in the ACI name field, type Write example.com. In the list of

users granted access permission, do the following:

a. Select and remove All Users, then click Add.

The Add Users and Groups dialog box opens.

b. Set the Search area to Special Rights, and select Self from the search results list.

c. Click the Add button to list Self in the list of users who are granted access permission.

d. Click OK to dismiss the Add Users and Groups dialog box.

4. In the Rights tab, select the checkbox for write right. Make sure the other checkboxes are

clear.

5. In the Targets tab, click This Entry to display the ou=example-people,dc=example,dc=com

Chapter 6. Managing Access Control

220