Red Hat Directory Server 8.0 Administrator's Guide

(version 3.0; acl "Create Group"; allow (add)
(userdn= "ldap:///uid=*,ou=example-people,dc=example,dc=com")
and dns="*.example.com";)
NOTE
This ACI does not grant write permission, which means that the entry creator
cannot modify the entry.
This example assumes that the ACI is added to the ou=social committee, dc=example,dc=com entry.
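
As an added illustration (not part of the Red Hat guide or of Directory Server itself), the Python sketch below parses the permission clause shown above and reports which right, bind DN and client host name combinations it would allow. The function names are hypothetical, only userdn and dns terms joined by "and" are handled, and the wildcard matching is a simplified model of the server's evaluation.

```python
import re
from fnmatch import fnmatchcase

# Permission clause exactly as printed on this page (the target part is not shown here).
ACI = ('(version 3.0; acl "Create Group"; allow (add) '
       '(userdn= "ldap:///uid=*,ou=example-people,dc=example,dc=com") '
       'and dns="*.example.com";)')

ACI_RE = re.compile(
    r'\(\s*version\s+3\.0\s*;\s*acl\s+"(?P<name>[^"]+)"\s*;\s*(?P<kind>allow|deny)'
    r'\s*\((?P<rights>[^)]*)\)\s*(?P<bind>.*?)\s*;\s*\)\s*$', re.S)
TERM_RE = re.compile(r'(userdn|dns)\s*=\s*"([^"]*)"')


def parse_aci(text):
    """Split a permission clause into name, allow/deny, rights and bind-rule terms."""
    m = ACI_RE.search(text)
    if m is None:
        raise ValueError("not a version 3.0 permission clause")
    # Assumption: only userdn/dns terms joined by "and"; refuse anything else.
    leftover = TERM_RE.sub("", m["bind"])
    if re.sub(r'[()\s]|\band\b', "", leftover):
        raise ValueError("unsupported bind rule: " + m["bind"])
    rights = {r.strip().lower() for r in m["rights"].split(",") if r.strip()}
    return {"name": m["name"], "kind": m["kind"], "rights": rights,
            "terms": TERM_RE.findall(m["bind"])}


def _norm_dn(dn):
    # Simplified DN comparison: lower-case and drop spaces around commas.
    return re.sub(r'\s*,\s*', ',', dn.strip().lower())


def allows(aci, right, bind_dn, client_host):
    """True if the parsed allow ACI grants `right` to bind_dn from client_host.

    Simplified model: '*' is matched as a glob, which may differ from the server.
    """
    if aci["kind"] != "allow" or right.lower() not in aci["rights"]:
        return False
    for keyword, value in aci["terms"]:
        if keyword == "userdn":
            pattern = _norm_dn(value.removeprefix("ldap:///"))
            if not fnmatchcase(_norm_dn(bind_dn), pattern):
                return False
        elif not fnmatchcase(client_host.lower(), value.lower()):  # dns term
            return False
    return True
```
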
From the Console, set this permission by doing the following:
1. In the Directory tab, right-click the Social Committee entry under the example.com node in
the left navigation tree, and choose Set Access Permissions from the pop-up menu to
display the Access Control Manager.
2. Click New to display the Access Control Editor.
3. In the Users/Groups tab, in the ACI name field, type Create Group. In the list of users
granted access permission, do the following:
a. Select and remove All Users, then click Add.
The Add Users and Groups dialog box opens.
b. Set the Search area to Special Rights, and select All Authenticated Users from the
search results list.
c. Click the Add button to list All Authenticated Users in the list of users who are granted
access permission.
d. Click OK to dismiss the Add Users and Groups dialog box.
4. In the Rights tab, select the checkbox for add. Make sure the other checkboxes are clear.
5. In the Targets tab, click This Entry to display the ou=social committee, dc=example,dc=com
suffix in the Target directory entry field.
6. In the Hosts tab, click Add to display the Add Host Filter dialog box. In the DNS host filter
field, type *.example.com. Click OK to dismiss the dialog box.
7. To create the value-based filter that allows employees to add only group entries to this
subtree, click the Edit Manually button. Add the following to the beginning of the LDIF
statement:
Chapter 6. Managing Access Control