Red Hat Directory Server 8.0 Administrator's Guide
7. To create the value-based filter for roles, switch to manual editing by clicking the Edit
Manually button. Add the following to the beginning of the LDIF statement (the filter
after nsroledn: must be a standard LDAP filter, so a "not equal" test is written as a
negated equality filter):
(targattrfilters="add=nsroledn:(!(nsroledn=cn=superAdmin,dc=example,dc=com))")
The LDIF statement should read as follows:
(targattrfilters="add=nsroledn:(!(nsroledn=cn=superAdmin,dc=example,dc=com))")
(targetattr = "*") (target = "ldap:///ou=example-people,dc=example,dc=com")
(version 3.0; acl "Roles"; allow (write) (userdn = "ldap:///self") and (dns="*.example.com");)
8. Click OK.
The new ACI is added to the ones listed in the Access Control Manager window.
9.4. Granting a Group Full Access to a Suffix
Most directories have a group that is used to identify certain corporate functions. These groups
can be given full access to all or part of the directory. By applying the access rights to the group,
you can avoid setting the access rights for each member individually. Instead, you grant users
these access rights simply by adding them to the group.
For example, when the Directory Server is set up with a typical process, an administrators group
with full access to the directory is created by default.
At example.com, the Human Resources group is allowed full access to the ou=example-people
branch of the directory so that they can update the employee database. This is illustrated in
Section 9.4.1, “ACI "HR"”.
9.4.1. ACI "HR"
In LDIF, to grant the HR group all rights on the employee branch of the directory, use the
following statement:
aci: (version 3.0; acl "HR"; allow (all) groupdn="ldap:///cn=HRgroup,ou=example-people,dc=example,dc=com";)
Note that the bind rule uses the groupdn keyword: a userdn rule naming the group's DN would
match only a bind as the group entry itself, not binds by its members.
This example assumes that the ACI is added to the ou=example-people,dc=example,dc=com
entry.
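As an added illustration (not code from the Administrator's Guide or from Directory Server itself), the following Python models how the two ACIs on this page are meant to behave: the "Roles" ACI (userdn="ldap:///self", dns="*.example.com", and the targattrfilters check on nsroledn) and the "HR" ACI (groupdn), including why groupdn rather than userdn is the right keyword for a group. The sample group membership and the function names are assumptions; this is a simplified model of the bind rules, not the server's own ACI evaluation.

```python
# Simplified model of the "HR" and "Roles" ACIs from this section (added example).
# Real ACI evaluation also handles deny precedence, macros, multiple targets, etc.

def norm(dn: str) -> str:
    """Normalise a DN for comparison: lower-case, no spaces around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))

HR_GROUP = "cn=HRgroup,ou=example-people,dc=example,dc=com"
SUPER_ADMIN_ROLE = "cn=superAdmin,dc=example,dc=com"
PEOPLE_BRANCH = "ou=example-people,dc=example,dc=com"

# Constructed sample directory data: group DN -> member DNs (assumption).
GROUP_MEMBERS = {
    norm(HR_GROUP): {norm("uid=alice,ou=example-people,dc=example,dc=com")},
}

def is_member(bind_dn: str, group_dn: str) -> bool:
    """True if bind_dn is listed as a member of group_dn in the sample data."""
    return norm(bind_dn) in GROUP_MEMBERS.get(norm(group_dn), set())

def hr_aci_allows(bind_dn: str, keyword: str = "groupdn") -> bool:
    """ACI "HR": allow (all) groupdn="ldap:///cn=HRgroup,...".
    keyword="userdn" shows why naming the group's DN in a userdn rule is a
    mistake: it matches only a bind as the group entry itself, never its members."""
    if keyword == "groupdn":
        return is_member(bind_dn, HR_GROUP)
    return norm(bind_dn) == norm(HR_GROUP)

def roles_aci_allows_add(bind_dn: str, target_dn: str,
                         new_role: str, client_host: str) -> bool:
    """ACI "Roles": a user may write to their own entry under ou=example-people
    from a *.example.com host, but targattrfilters only permits adding nsroledn
    values that satisfy (!(nsroledn=cn=superAdmin,dc=example,dc=com))."""
    target_in_scope = norm(target_dn).endswith(norm(PEOPLE_BRANCH))  # (target = ...)
    bind_is_self = norm(bind_dn) == norm(target_dn)                  # userdn = "ldap:///self"
    host_ok = client_host.lower().endswith(".example.com")           # dns = "*.example.com"
    value_ok = norm(new_role) != norm(SUPER_ADMIN_ROLE)              # targattrfilters
    return target_in_scope and bind_is_self and host_ok and value_ok

if __name__ == "__main__":
    alice = "uid=alice,ou=example-people,dc=example,dc=com"
    print("HR member via groupdn:", hr_aci_allows(alice))
    print("HR member via userdn:", hr_aci_allows(alice, keyword="userdn"))
    print("self-assign superAdmin:",
          roles_aci_allows_add(alice, alice, SUPER_ADMIN_ROLE, "pc1.example.com"))
```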
From the Console, set this permission by doing the following:
1. In the Directory tab, right-click the example-people entry under the example.com node in
the left navigation tree, and choose Set Access Permissions from the pop-up menu to
Chapter 6. Managing Access Control
224