#
# Captured dsconfig command that replaces anonymous read access with
# authenticated read access. Edit this script to match your deployment
# (hostname, port, trust store, bind DN and bind-password source).
#
# This command does not touch the global-aci properties that allow anonymous
# access to read the root DSE and the directory schema definitions, or to use
# selected LDAP controls and extended operations; those remain open to
# anonymous clients after this script has run.
#
# The --remove values must match the server's current global-aci strings
# exactly. They correspond to a server built following the changes introduced
# in http://sources.forgerock.org/changelog/opendj?cs=9325.
# If the global-aci settings on your OpenDJ server differ, generate this
# script for that server as described in the documentation rather than
# editing the ACI strings by hand.
#
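# Swap the two anonymous read ACIs (userdn="ldap:///anyone") for equivalents
# that require an authenticated bind (userdn="ldap:///all").
#
# Each --remove value has to match the configured global-aci string byte for
# byte, including spacing such as `allow (read,search,compare)`; if it does
# not match, dsconfig reports an error and makes no change. The --add values
# are the replacements and use the tighter `allow(...)` form.
#
# Both new ACIs keep the same attribute exclusions as the ones they replace
# (userPassword, authPassword, debugsearchindex and the changelog attributes),
# so authenticated users still cannot read those through these rules. Note
# that "ldap:///all" means every account that can bind, not a specific group;
# narrow the userdn if only some users should read the directory.
#
# Connection settings: --trustStorePath pins the administration connector's
# certificate, and with --no-prompt the tool cannot ask you to accept an
# unknown one, so the trust store must already contain it (do not substitute
# --trustAll). The bind password is read from a file rather than passed as an
# argument, so it does not show up in `ps` output or shell history; create
# the file with mode 0600 and remove it when finished.
dsconfig set-access-control-handler-prop \
 --remove global-aci:\(targetattr!=\"userPassword\|\|authPassword\|\|debugsearchindex\|\|changes\|\|changeNumber\|\|changeType\|\|changeTime\|\|targetDN\|\|newRDN\|\|newSuperior\|\|deleteOldRDN\"\)\(version\ 3.0\;\ acl\ \"Anonymous\ read\ access\"\;\ allow\ \(read,search,compare\)\ userdn=\"ldap:///anyone\"\;\) \
 --remove global-aci:\(targetattr=\"createTimestamp\|\|creatorsName\|\|modifiersName\|\|modifyTimestamp\|\|entryDN\|\|entryUUID\|\|subschemaSubentry\|\|etag\|\|governingStructureRule\|\|structuralObjectClass\|\|hasSubordinates\|\|numSubordinates\"\)\(version\ 3.0\;\ acl\ \"User-Visible\ Operational\ Attributes\"\;\ allow\ \(read,search,compare\)\ userdn=\"ldap:///anyone\"\;\) \
 --add global-aci:\(targetattr!=\"userPassword\|\|authPassword\|\|debugsearchindex\|\|changes\|\|changeNumber\|\|changeType\|\|changeTime\|\|targetDN\|\|newRDN\|\|newSuperior\|\|deleteOldRDN\"\)\(version\ 3.0\;\ acl\ \"Authenticated\ read\ access\"\;\ allow\(read,search,compare\)\ userdn=\"ldap:///all\"\;\) \
 --add global-aci:\(targetattr=\"createTimestamp\|\|creatorsName\|\|modifiersName\|\|modifyTimestamp\|\|entryDN\|\|entryUUID\|\|subschemaSubentry\|\|etag\|\|governingStructureRule\|\|structuralObjectClass\|\|hasSubordinates\|\|numSubordinates\"\)\(version\ 3.0\;\ acl\ \"User-Visible\ Operational\ Attributes\"\;\ allow\(read,search,compare\)\ userdn=\"ldap:///all\"\;\) \
 --hostname opendj.example.com \
 --port 4444 \
 --trustStorePath /path/to/opendj/config/admin-truststore \
 --bindDN cn=Directory\ Manager \
 --bindPasswordFile /path/to/opendj/config/admin.pwd \
 --no-prompt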