Red Hat Directory Server 8.0 Administrator's Guide

(targattrfilters="add=objectClass:(objectClass=groupOfNames)")
The LDIF statement should read as follows:
(targattrfilters="add=objectClass:(objectClass=groupOfNames)")
(targetattr = "*") (target="ldap:///ou=social committee,dc=example,dc=com")
(version 3.0; acl "Create Group"; allow (read,search,add)
(userdn= "ldap:///all") and (dns="*.example.com"); )
8. Click OK.
The new ACI is added to the ones listed in the Access Control Manager window.
9.5.2. ACI "Delete Group"
In LDIF, to grant example.com employees the right to modify or delete a group entry which they
own under the ou=Social Committee branch, write the following statement:
aci: (target="ldap:///ou=social committee,dc=example,dc=com")
(targattrfilters="del=objectClass:(objectClass=groupOfNames)")
(version 3.0; acl "Delete Group"; allow (delete) userattr="owner#GROUPDN";)
This example assumes that the aci is added to the ou=social committee,dc=example,dc=com entry.
NOTE
Using the Console is not an effective way of creating this ACI because it requires
manually editing the ACI to create the target filter and to check group ownership.
9.6. Granting Conditional Access to a Group or Role
When you grant a group or role privileged access to the directory, you usually want to ensure
that those privileges are protected from intruders trying to impersonate your privileged users.
Access control rules that grant critical access to a group or role are therefore often associated
with a number of conditions.
example.com has created a directory administrator role for each of its hosted companies,
HostedCompany1 and HostedCompany2. It wants these companies to be able to manage their
own data and implement their own access control rules while securing that data against intruders.
For this reason, HostedCompany1 and HostedCompany2 have full rights on their respective branches