Red Hat Directory Server 8.0 Administrator's Guide
At example.com, employees can add themselves to any group entry under the ou=social
committee subtree. This is illustrated in Section 9.9.1, “ACI "Group Members"”.
9.9.1. ACI "Group Members"
In LDIF, to grant example.com employees the right to add or delete themselves from a group,
write the following statement:
aci: (targettattr="member")(version 3.0; acl "Group Members"; allow
(selfwrite)
(userdn= "ldap:///uid=*,ou=example-people,dc=example,dc=com") ;)
This example assumes that the ACI is added to the ou=social committee,
dc=example,dc=com entry.
From the Console, set this permission by doing the following:
1. In the Directory tab, right-click the example-people entry under the example.com node in
the left navigation tree, and choose Set Access Permissions from the pop-up menu to
display the Access Control Manager.
2. Click New to display the Access Control Editor.
3. In the Users/Groups tab, in the ACI name field, type Group Members. In the list of users
granted access permission, do the following:
a. Select and remove All Users, then click Add.
The Add Users and Groups dialog box opens.
b. Set the Search area in the Add Users and Groups dialog box to Special Rights, and
select All Authenticated Users from the search results list.
c. Click the Add button to list All Authenticated Users in the list of users who are granted
access permission.
d. Click OK to dismiss the Add Users and Groups dialog box.
4. In the Rights tab, select the checkbox for selfwrite. Make sure the other checkboxes are
clear.
5. In the Targets tab, type dc=example,dc=com suffix in the Target directory entry field. In the
attribute table, select the checkbox for the member attribute.
All other checkboxes should be clear; if it is easier, click the Check None button to clear the
checkboxes for all attributes in the table, then click the Name header to organize them
alphabetically, and select the appropriate ones.
6. Click OK.
Allowing Users to Add or Remove
233