chap-privileges-acis.xml revision 6246f851911b09f425ce43a128c1fc84f71840c1
<!--
  ! CCPL HEADER START
  !
  ! This work is licensed under the Creative Commons
  ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
  ! To view a copy of this license, visit
  ! or send a letter to Creative Commons, 444 Castro Street,
  ! Suite 900, Mountain View, California, 94041, USA.
  ! You can also obtain a copy of the license at
  ! See the License for the specific language governing permissions
  ! and limitations under the License.
  !
  ! If applicable, add the following below this CCPL HEADER, with the fields
  ! enclosed by brackets "[]" replaced with your own identifying information:
  !      Portions Copyright [yyyy] [name of copyright owner]
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2014 ForgeRock AS
  !
-->
 xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
 <title>Configuring Privileges &amp; Access Control</title>
 <para>OpenDJ supports two mechanisms to protect access to the directory,
 <para>Access control instructions apply to directory data, providing
 fine-grained control over what a user or group member is authorized to do in
 terms of LDAP operations. Most access control instructions specify scopes
 (targets) to which they apply such that an administrative user who has all
 access to <literal>dc=example,dc=com</literal> need not have any access to
 <para>Privileges control the administrative tasks that users can perform,
 such as bypassing the access control mechanism, performing backup and restore
 operations, making changes to the configuration, and so forth. Privileges are
 implemented independently from access control. By default, privileges restrict
 administrative access to directory root users, though any user can be assigned
 a privilege. Privileges apply to a directory server, and do not have a
 scope.</para>
 <para>Some operations require both privileges and also access control
 instructions. For example, in order to reset users' passwords, an administrator
 needs both the <literal>password-reset</literal> privilege and also access
 control to write <literal>userPassword</literal> values on the user entries.
 By combining an access control instruction with a privilege, you can
 effectively restrict the scope of that privilege to a particular branch of
 the Directory Information Tree.</para>
 <para>This chapter covers both access control instructions and privileges,
 demonstrating how to configure both.</para>
 <indexterm><primary>Access control</primary></indexterm>
 <para>OpenDJ directory server access control instructions (ACIs) exist as
 operational <literal>aci</literal> attribute values on directory entries, and
 as global ACIs stored in the configuration. ACIs apply to a scope defined in
 the instruction, and set permissions that depend on what operation is
 requested, who requested the operation, and how the client connected to the
 server.</para>
 <para>For example, the ACIs on the following entry allow anonymous read
 access to all attributes except passwords, and allow read-write access
 for directory administrators under <literal>dc=example,dc=com</literal>.</para>
 <programlisting language="ldif">dn: dc=example,dc=com
objectClass: domain
objectClass: top
dc: example
aci: (target ="ldap:///dc=example,dc=com")(targetattr !=
 "userPassword")(version 3.0;acl "Anonymous read-search access";
 allow (read, search, compare)(userdn = "ldap:///anyone");)
aci: (target="ldap:///dc=example,dc=com") (targetattr =
 "*")(version 3.0; acl "allow all Admin group"; allow(all) groupdn =
 "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)
 </programlisting>
 <para>OpenDJ directory server's default behavior is that no access is allowed
 unless it is specifically granted by an access control instruction. In
 addition, privileges assigned to certain users, such as <literal>cn=Directory
 Manager</literal>, allow them to bypass access control checks.</para>
 <para>OpenDJ directory server provides several global ACIs out of the box to
 facilitate evaluation while maintaining a reasonable security policy. By
 default, users are allowed to read the root DSE, to read the schema, to use
 certain controls and extended operations, to modify their own entries, to
 bind, and so forth. Global ACIs are defined on the access control handler,
 and apply to the entire directory server. You must adjust the default global
 ACIs to match the security policies for your organization, for example to
 restrict anonymous access.</para>
 <para>ACI attribute values use a specific language described in this section.
 Although ACI attribute values can become difficult to read in LDIF, the
 basic syntax is simple.</para>
 <literallayout><replaceable>targets</replaceable>(version 3.0; acl "<replaceable
 >name</replaceable>";<replaceable>permissions</replaceable> <replaceable
 >subjects</replaceable>;)</literallayout>
 <para>The following list briefly explains the variables in the syntax above.</para>
 <variablelist>
  <varlistentry>
   <term><replaceable>targets</replaceable></term>
   <listitem>
    <para>The <replaceable>targets</replaceable> specifies entries, attributes,
    controls, and extended operations to which the ACI applies.</para>
    <para>To include multiple <replaceable>targets</replaceable>, enclose
    each individual target in parentheses, (). When you specify multiple
    targets, all targets must match for the ACI to apply.</para>
   </listitem>
  </varlistentry>
  <varlistentry>
   <term><replaceable>name</replaceable></term>
   <listitem>
    <para>Supplies a human-readable description of what the ACI does.</para>
   </listitem>
  </varlistentry>
  <varlistentry>
   <term><replaceable>permissions</replaceable></term>
   <listitem>
    <para>Defines which actions to allow, and which to deny. Paired with
   </listitem>
  </varlistentry>
  <varlistentry>
   <term><replaceable>subjects</replaceable></term>
   <listitem>
    <para>Identify clients to which the ACI applies depending on
    who connected, and when, where, and how they connected. Paired with
   </listitem>
  </varlistentry>
 </variablelist>
 <para>Separate multiple pairs of <replaceable>permissions</replaceable>
 <replaceable>subjects</replaceable> definitions with semicolons, ;. When you
 specify multiple permissions-subjects pairs, at least one must match.</para>
 <indexterm>
 </indexterm>
 <para>The seven types of ACI targets identify the objects to which the ACI
 applies.</para>
 <variablelist>
  <varlistentry>
   <term><literal>(target = "ldap:///<replaceable>DN</replaceable>")</literal></term>
   <term><literal>(target != "ldap:///<replaceable>DN</replaceable>")</literal></term>
   <listitem>
    <para>Sets the scope to the entry with distinguished name
    <replaceable>DN</replaceable>, and to child entries.</para>
    <para>You can use asterisks, *, to replace attribute types, attribute
    values, and entire DN components. In other words, the following
    specification targets both
    <literal>uid=bjensen,ou=People,dc=example,dc=com</literal> and also
    <literal>cn=Frank Zappa,ou=Musicians,dc=example,dc=com</literal>.</para>
    <programlisting language="aci">(target = "ldap:///*=*,*,dc=example,dc=com")</programlisting>
    <para>The <replaceable>DN</replaceable> must be in the subtree of the
    entry on which the ACI is defined.</para>
    <para>If you do not specify <literal>target</literal>, then the entry
    holding this ACI will be affected. If <literal>targetscope</literal> is
    also omitted, then this entry and all subordinates will be affected.</para>
   </listitem>
  </varlistentry>
  <varlistentry>
   <term><literal>(targetattr = "<replaceable>attr-list</replaceable>")</literal></term>
   <term><literal>(targetattr != "<replaceable>attr-list</replaceable>")</literal></term>
   <listitem>
    <para>Replace <replaceable>attr-list</replaceable> with a list of
    attribute type names, such as <literal>userPassword</literal>, separating
    multiple attribute type names with ||.</para>
    <para>This specification affects the entry where the ACI is located, or
    the entries specified by other targets in the ACI.</para>
    <para>You can use an asterisk, *, to specify all user attributes, although
    you will see better performance when explicitly including or excluding
    only the attribute types needed. You can use a plus, +, to specify all
    operational attributes.</para>
    <para>Note that a negated <replaceable>attr-list</replaceable> of
    operational attributes will only match other operational attributes and
    never any user attributes, and vice versa.</para>
    <para>If you do not include this target specification, then by default
    no attributes are affected by the ACI.</para>
   </listitem>
  </varlistentry>
  <varlistentry>
   <term><literal>(targetfilter = "<replaceable>ldap-filter</replaceable>")</literal></term>
   <term><literal>(targetfilter != "<replaceable>ldap-filter</replaceable>")</literal></term>
   <listitem>
    <para>Sets the scope to match the <replaceable>ldap-filter</replaceable>
    dynamically, as in an LDAP search. The
    <replaceable>ldap-filter</replaceable> can be any valid LDAP filter.</para>
   </listitem>
  </varlistentry>
  <varlistentry>
   <term><literal>(targattrfilters = "<replaceable>expression</replaceable>")</literal></term>
   <term><literal>(targattrfilters != "<replaceable>expression</replaceable>")</literal></term>
   <listitem>
    <para>Use this target specification when managing changes made to
    particular attributes.</para>
    <para>Here <replaceable>expression</replaceable> takes one of the
    following forms. Separate expressions with semicolons, ;.</para>
    >op</replaceable>=<replaceable>attr1</replaceable>:<replaceable
    >attr2</replaceable>:<replaceable>filter2</replaceable> …][;<replaceable
    >op</replaceable>=<replaceable>attr3</replaceable>:<replaceable
    >attr4</replaceable>:<replaceable>filter4</replaceable> …] …]</literallayout>
    <literal>add</literal> for operations creating attributes, or
    Replace <replaceable>attr</replaceable> with an attribute type.
    Replace <replaceable>filter</replaceable> with an LDAP filter that
    corresponds to the <replaceable>attr</replaceable> attribute type.</para>
   </listitem>
  </varlistentry>
  <varlistentry>
   <term><literal>(targetscope = "base|onelevel|subtree|subordinate")</literal></term>
   <listitem>
    <para>Here <literal>base</literal> refers to the entry where the ACI is
    defined, <literal>onelevel</literal> to immediate children,
    <literal>subtree</literal> to the base entry and all children, and
    <literal>subordinate</literal> to all children only.</para>
    <para>If you do not specify <literal>targetscope</literal>, then the
   </listitem>
  </varlistentry>
  <varlistentry>
   <term><literal>(targetcontrol = "<replaceable>OID</replaceable>")</literal></term>
   <term><literal>(targetcontrol != "<replaceable>OID</replaceable>")</literal></term>
   <listitem>
    <para>Replace <replaceable>OID</replaceable> with the object identifier
    for the LDAP control to target. Separate multiple OIDs with ||.</para>
    <para>This target cannot be restricted to a specific subtree by combining
    it with another target.</para>
   </listitem>
  </varlistentry>
  <varlistentry>
   <term><literal>(extop = "<replaceable>OID</replaceable>")</literal></term>
   <term><literal>(extop != "<replaceable>OID</replaceable>")</literal></term>
   <listitem>
    <para>Replace <replaceable>OID</replaceable> with the object identifier
    for the extended operation to target. Separate multiple OIDs with ||.</para>
    <para>This target cannot be restricted to a specific subtree by combining
    it with another target.</para>
   </listitem>
  </varlistentry>
 </variablelist>
 </section>
 <indexterm>
 </indexterm>
 <para>ACI permission definitions take one of the following forms.</para>
 <literallayout>allow (<replaceable>action</replaceable>[, <replaceable>action</replaceable> …])</literallayout>
 <literallayout>deny (<replaceable>action</replaceable>[, <replaceable>action</replaceable> …])</literallayout>
 <para>Although <literal>deny</literal> is supported, avoid restricting
 permissions by using <literal>deny</literal>. Instead, explicitly
 <literal>allow</literal> access only where needed. What looks harmless and
 simple in your lab examples can grow difficult to maintain in a real-world
 deployment with nested ACIs.</para>
 <para>Replace <replaceable>action</replaceable> with one of the following.</para>
 <variablelist>
  <varlistentry>
   <term><literal>add</literal></term>
   <listitem>
    <para>Entry creation, as for an LDAP add operation</para>
   </listitem>
  </varlistentry>
  <varlistentry>
   <term><literal>all</literal></term>
   <listitem>
    <para>All permissions, except <literal>export</literal>,
    <literal>import</literal>, <literal>proxy</literal></para>
   </listitem>
  </varlistentry>
  <varlistentry>
   <term><literal>compare</literal></term>
   <listitem>
    <para>Attribute value comparison, as for an LDAP compare operation</para>
   </listitem>
  </varlistentry>
  <varlistentry>
   <term><literal>delete</literal></term>
   <listitem>
    <para>Entry deletion, as for an LDAP delete operation</para>
   </listitem>
  </varlistentry>
  <varlistentry>
   <term><literal>export</literal></term>
   <listitem>
    <para>Entry export during a modify DN operation.</para>
    <para>Despite the name, this action is unrelated to LDIF export
    operations.</para>
   </listitem>
  </varlistentry>
  <varlistentry>
   <term><literal>import</literal></term>
   <listitem>
    <para>Entry import during a modify DN operation.</para>
    <para>Despite the name, this action is unrelated to LDIF import
    operations.</para>
   </listitem>
  </varlistentry>
  <varlistentry>
   <term><literal>proxy</literal></term>
   <listitem>
    <para>Access the ACI target using the rights of another user</para>
   </listitem>
  </varlistentry>
  <varlistentry>
   <listitem>
   </listitem>
  </varlistentry>
  <varlistentry>
   <term><literal>search</literal></term>
   <listitem>
    <para>Search the ACI targets. Needs to be combined with
    <literal>read</literal> in order to read the search results.</para>
   </listitem>
  </varlistentry>
  <varlistentry>
   <listitem>
   </listitem>
  </varlistentry>
  <varlistentry>
   <listitem>
   </listitem>
  </varlistentry>
 </variablelist>
 </section>
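 <para>To make the evaluation rules in this chapter concrete, the following
 Python script is an added example, not OpenDJ code. It parses the two ACIs of
 the <literal>dc=example,dc=com</literal> entry shown at the start of the chapter
 and evaluates attribute-level requests against them, applying the rules stated
 here: no access unless an ACI grants it, every target in an ACI must match, at
 least one permissions-subjects pair must match, and <literal>all</literal>
 excludes <literal>export</literal>, <literal>import</literal>, and
 <literal>proxy</literal>. It handles only the <literal>target</literal> and
 <literal>targetattr</literal> targets and the <literal>userdn</literal> and
 <literal>groupdn</literal> subjects; that an applicable <literal>deny</literal>
 overrides any <literal>allow</literal> is this example's assumption.</para>

```python
"""Toy ACI evaluator (added example, not OpenDJ code).

Handles only the forms in this chapter's example entry: target and
targetattr (with != and the * wildcard), allow/deny rules, the action
list including "all", and the userdn/groupdn subjects.  Per the text:
no access unless granted, all targets of an ACI must match, at least
one permissions/subjects pair must match.  Deny taking precedence over
allow is this example's assumption, not something the chapter states.
"""
import re

# Constructed input: the two ACIs of the dc=example,dc=com entry shown
# earlier, with LDIF continuation lines joined into one string each.
ACIS = [
    '(target ="ldap:///dc=example,dc=com")(targetattr != "userPassword")'
    '(version 3.0;acl "Anonymous read-search access";'
    ' allow (read, search, compare)(userdn = "ldap:///anyone");)',
    '(target="ldap:///dc=example,dc=com") (targetattr = "*")'
    '(version 3.0; acl "allow all Admin group"; allow(all) groupdn ='
    ' "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)',
]

# "all" means every action except export, import and proxy.
ALL_ACTIONS = {"add", "compare", "delete", "read", "search", "selfwrite", "write"}

TARGET_RE = re.compile(r'\(\s*(target|targetattr)\s*(!?=)\s*"([^"]*)"\s*\)')
BODY_RE = re.compile(r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;(.*)\)\s*$', re.S)
RULE_RE = re.compile(r'(allow|deny)\s*\(\s*([^)]*)\)\s*\(?\s*(userdn|groupdn)'
                     r'\s*=\s*"([^"]*)"\s*\)?\s*;')


def normalize_dn(dn):
    """Drop an ldap:/// prefix, lower-case, and strip spaces around commas."""
    if dn.lower().startswith("ldap:///"):
        dn = dn[len("ldap:///"):]
    return ",".join(part.strip() for part in dn.lower().split(","))


def parse_aci(text):
    """Split one ACI value into its targets, name and permission rules."""
    body = BODY_RE.search(text)
    if body is None:
        raise ValueError("missing (version 3.0; acl ...) body: " + text)
    targets = TARGET_RE.findall(text[:body.start()])
    rules = [(kind, {a.strip().lower() for a in acts.split(",")}, subj, val)
             for kind, acts, subj, val in RULE_RE.findall(body.group(2))]
    if not rules:
        raise ValueError("no permissions/subjects pair in ACI " + body.group(1))
    return {"name": body.group(1), "targets": targets, "rules": rules}


def dn_in_target(entry_dn, pattern):
    """target covers the named DN and everything below it; * stands for an
    attribute type, a value or a whole DN component."""
    regex = "[^,]+".join(re.escape(p) for p in normalize_dn(pattern).split("*"))
    return re.fullmatch(r"(?:.+,)?" + regex, normalize_dn(entry_dn)) is not None


def targets_match(entry_dn, attr, targets):
    """Every target must match; without a targetattr no attribute is affected."""
    if not any(kind == "targetattr" for kind, _, _ in targets):
        return False
    for kind, op, val in targets:
        if kind == "target":
            hit = dn_in_target(entry_dn, val)
        else:
            names = {n.strip().lower() for n in val.split("||")}
            hit = "*" in names or attr.lower() in names
        if hit != (op == "="):          # "!=" inverts the test
            return False
    return True


def subject_matches(subj, val, bind_dn, groups):
    """userdn "ldap:///anyone" covers every client, anonymous included; any
    other userdn is compared to the bind DN, groupdn to group memberships."""
    if subj == "groupdn":
        return normalize_dn(val) in {normalize_dn(g) for g in groups}
    if normalize_dn(val) == "anyone":
        return True
    return bind_dn is not None and normalize_dn(val) == normalize_dn(bind_dn)


def evaluate(acis, entry_dn, attr, action, bind_dn=None, groups=()):
    """Default deny: True only if an applicable rule allows and none denies."""
    allowed = False
    for aci in map(parse_aci, acis):
        if not targets_match(entry_dn, attr, aci["targets"]):
            continue
        for kind, actions, subj, val in aci["rules"]:
            acts = ALL_ACTIONS if "all" in actions else actions
            if action in acts and subject_matches(subj, val, bind_dn, groups):
                if kind == "deny":
                    return False
                allowed = True
    return allowed
```

 <para>With these two ACIs, an anonymous read of <literal>cn</literal> on
 <literal>uid=bjensen,ou=People,dc=example,dc=com</literal> evaluates to allowed,
 an anonymous read of <literal>userPassword</literal> to denied, and a write by a
 member of <literal>cn=Directory Administrators,ou=Groups,dc=example,dc=com</literal>
 to allowed.</para>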
 <indexterm>
 </indexterm>
 <para>ACI subjects match characteristics of the client connection to the
 server. Use subjects to restrict whether the ACI applies depending on who
 connected, and when, where, and how they connected.</para>
 <variablelist>
  <varlistentry>
   <term><literal>authmethod = "none|simple|ssl|sasl <replaceable
   >mech</replaceable>"</literal></term>
   <term><literal>authmethod != "none|simple|ssl|sasl <replaceable
   >mech</replaceable>"</literal></term>
   <listitem>
    <para>Here you use <literal>none</literal> to mean do not check,
    <literal>ssl</literal> for certificate-based authentication over LDAPS,
    <literal>sasl <replaceable>mech</replaceable></literal> for
    SASL where <replaceable>mech</replaceable> is DIGEST-MD5, EXTERNAL, or
    GSSAPI.</para>
   </listitem>
  </varlistentry>
  <varlistentry>
   <term><literal>dayofweek = "<replaceable>day</replaceable>[, <replaceable
   >day</replaceable> …]"</literal></term>
   <term><literal>dayofweek != "<replaceable>day</replaceable>[, <replaceable
   >day</replaceable> …]"</literal></term>
   <listitem>
    <para>Replace <replaceable>day</replaceable> with one of
    <literal>sun</literal>, <literal>mon</literal>, <literal>tue</literal>,
    <literal>wed</literal>, <literal>thu</literal>, <literal>fri</literal>,
    <literal>sat</literal>.</para>
   </listitem>
  </varlistentry>
  <varlistentry>
   <term><literal>dns = "<replaceable>hostname</replaceable>"</literal></term>
   <term><literal>dns != "<replaceable>hostname</replaceable>"</literal></term>
   <listitem>
    <para>You can use asterisks, *, to replace name components, such as
   </listitem>
  </varlistentry>
  <varlistentry>
   <term><literal>groupdn = "ldap:///<replaceable
   >DN</replaceable>[|| ldap:///<replaceable>DN</replaceable> …]"</literal></term>
   <term><literal>groupdn != "ldap:///<replaceable
   >DN</replaceable>[|| ldap:///<replaceable>DN</replaceable> …]"</literal></term>
   <listitem>
    <para>Replace <replaceable>DN</replaceable> with the distinguished name
    of a group to permit or restrict access for members.</para>
   </listitem>
  </varlistentry>
  <varlistentry>
   <term><literal>ip = "<replaceable>addresses</replaceable>"</literal></term>
   <term><literal>ip != "<replaceable>addresses</replaceable>"</literal></term>
   <listitem>
    <para>Here <replaceable>addresses</replaceable> can be specified for
    IPv4 or IPv6. IPv6 addresses are specified in brackets as
    <literal>ldap://[<replaceable>address</replaceable>]/<replaceable
    >subnet-prefix</replaceable></literal>
    where /<replaceable>subnet-prefix</replaceable> is optional.
    You can specify individual IPv4 addresses, addresses with asterisks (*) to
    replace subnets and host numbers, CIDR notation, and forms such as
    <literal>192.168.0.*+255.255.255.0</literal> to specify subnet masks.</para>
   </listitem>
  </varlistentry>
  <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>ssf = "<replaceable>strength</replaceable>"</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>ssf != "<replaceable>strength</replaceable>"</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>ssf > "<replaceable>strength</replaceable>"</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>ssf >= "<replaceable>strength</replaceable>"</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>ssf < "<replaceable>strength</replaceable>"</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>ssf <= "<replaceable>strength</replaceable>"</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Here the security strength factor pertains to the cipher key
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark strength for connections using DIGEST-MD5, GSSAPI, SSL, or TLS. For
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark example, to require that the connection must have at least 128 bits
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark of encryption, specify <literal>ssf >= 128</literal>.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>timeofday = "<replaceable>hhmm</replaceable>"</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>timeofday != "<replaceable>hhmm</replaceable>"</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>timeofday > "<replaceable>hhmm</replaceable>"</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>timeofday >= "<replaceable>hhmm</replaceable>"</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>timeofday < "<replaceable>hhmm</replaceable>"</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>timeofday <= "<replaceable>hhmm</replaceable>"</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Here <replaceable>hhmm</replaceable> is expressed on a 24-hour
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark clock. For example, 1:15 PM is written <literal>1315</literal>.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>userattr = "<replaceable>attr</replaceable>#<replaceable
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>userattr != "<replaceable>attr</replaceable>#<replaceable
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark >child-level</replaceable>]. ]<replaceable>attr</replaceable
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark >child-level</replaceable>]. ]<replaceable>attr</replaceable
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The <literal>userattr</literal> subject specifies an attribute
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark that must match on both the bind entry and the target of the ACI.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>To match when the attribute on the bind DN entry corresponds
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark directly to the attribute on the target entry, replace
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <replaceable>attr</replaceable> with the attribute type, and
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <replaceable>value</replaceable> with the attribute value.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>To match when the target entry is identified by an LDAP URL, and
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark the bind DN is in the subtree of the DN of the LDAP URL, use
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>To match when the bind DN corresponds to a member of the group
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark identified by the <replaceable>attr</replaceable> value on the target
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark entry, use <replaceable>attr</replaceable>#GROUPDN.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>To match when the bind DN corresponds to the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <replaceable>attr</replaceable> value on the target entry, use
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The optional inheritance specification,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>parent[<replaceable>child-level</replaceable>].</literal>, lets
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark you specify how many levels below the target entry inherit the ACI.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark Here <replaceable>child-level</replaceable> is a number from 0 to 9, with
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark 0 indicating the target entry only. Separate multiple
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <replaceable>child-level</replaceable> digits with commas (,).</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>userdn = "<replaceable>ldap-url++</replaceable>[|| <replaceable
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>userdn != "<replaceable>ldap-url++</replaceable>[|| <replaceable
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>To match the bind DN, replace <replaceable>ldap-url++</replaceable>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark with either a valid LDAP URL such as
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>ldap:///uid=bjensen,ou=People,dc=example,dc=com</literal>,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>ldap:///dc=example,dc=com??sub?(uid=bjensen)</literal>,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark or a special LDAP URL-like keyword from the following list.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <variablelist>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Match when the bind DN is a parent of the ACI target.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Match when the bind DN entry corresponds to the ACI target.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </variablelist>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </variablelist>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </section>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Understanding how OpenDJ evaluates the aci values is critical when
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark implementing an access control policy. The rules the server follows are
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark simple.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <orderedlist>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>To determine if an operation is allowed or denied, the OpenDJ server
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark looks in the directory for the target of the operation. It collects any aci
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark values from that entry, and then walks up the directory tree to the suffix,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark collecting all aci values en route. Global aci values are then collected.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>It then separates the aci values into two lists: one list contains
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark all the aci values that match the target and deny the required access,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark and the other list contains all the aci values that match the target and
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark allow the required access.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>If the deny list contains any aci values after this procedure, access
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark will be immediately denied.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>If the deny list is empty, then the allow list is processed. If the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark allow list contains any aci values, access will be allowed.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>If both lists are empty, access will be denied.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </orderedlist>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Some operations require multiple permissions and involve multiple
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark targets. Evaluation will therefore take place multiple times. For example, a
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark search operation requires the <literal>search</literal> permission for each
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark attribute in the search filter. If all those are allowed, the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>read</literal> permission is used to decide what attributes and
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark values can be returned.</para>
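The evaluation order above, modelled in Python as an added example (this is not OpenDJ code): it collects aci values from the target entry up to the suffix and then the global ones, splits the matching ones into deny and allow lists, applies deny-first, and runs the two-phase search check (search permission on every filter attribute, then read permission on the returned attributes). It parses only the ACI shape used in this chapter (optional targetattr, allow or deny, a userdn bind rule with a literal DN), handles only simple DNs, and uses a constructed sample directory that places this chapter's ACIs on the suffix and on ou=People together with one constructed deny ACI.

```python
import re
from dataclasses import dataclass

# Toy model of this chapter's evaluation order (not OpenDJ code). Only the chapter's ACI shape is parsed:
#   [(targetattr = "a || b")](version 3.0; acl "name"; allow|deny (perm, ...)(userdn = "ldap:///DN");)
ACI_RE = re.compile(r'''
    ^(?:\(\s*targetattr\s*=\s*"(?P<targetattr>[^"]*)"\s*\))?
    \s*\(\s*version\s+3\.0\s*;\s*acl\s+"(?P<name>[^"]*)"\s*;\s*
    (?P<effect>allow|deny)\s*\(\s*(?P<perms>[^)]*)\)\s*
    \(\s*userdn\s*=\s*"ldap:///(?P<userdn>[^"]*)"\s*\)\s*;\s*\)$
''', re.VERBOSE | re.IGNORECASE)
# Permissions the chapter grants on the entry itself rather than on one of its attributes.
ENTRY_LEVEL = {"add", "delete", "import", "export"}


def normalize_dn(dn):
    # Simplification: lower-case and trim spaces around commas; escaped commas are not handled.
    return ",".join(part.strip().lower() for part in dn.split(","))


@dataclass(frozen=True)
class Aci:
    name: str
    effect: str            # "allow" or "deny"
    perms: frozenset       # e.g. {"search", "read"}
    targetattr: frozenset  # attribute types named by targetattr; empty when the ACI has none
    userdn: str            # normalized DN required by the userdn bind rule (literal DNs only)


def parse_aci(text):
    m = ACI_RE.match(" ".join(text.split()))
    if m is None:
        raise ValueError("unsupported ACI syntax: " + text)
    ta = m.group("targetattr")
    return Aci(
        name=m.group("name"),
        effect=m.group("effect").lower(),
        perms=frozenset(p.strip().lower() for p in m.group("perms").split(",")),
        targetattr=frozenset(a.strip().lower() for a in ta.split("||")) if ta else frozenset(),
        userdn=normalize_dn(m.group("userdn")),
    )


def collect_acis(directory, global_acis, target_dn):
    """Step 1: aci values on the target entry, then on each ancestor up to the suffix, then the global ones."""
    entries = {normalize_dn(dn): attrs for dn, attrs in directory.items()}
    acis, dn = [], normalize_dn(target_dn)
    while dn:
        acis += [parse_aci(a) for a in entries.get(dn, {}).get("aci", [])]
        dn = dn.split(",", 1)[1] if "," in dn else ""
    return acis + [parse_aci(a) for a in global_acis]


def aci_matches(aci, bind_dn, permission, attribute):
    if permission not in aci.perms or aci.userdn != bind_dn:
        return False
    if permission in ENTRY_LEVEL:
        return True  # entry-level permission: implicitly covers the entry's attributes and values
    # Attribute-level permission: the ACI's targetattr must name the attribute being checked.
    return attribute is not None and attribute.lower() in aci.targetattr


def is_allowed(directory, global_acis, bind_dn, target_dn, permission, attribute=None):
    """Steps 2-5: split the matching ACIs into deny and allow lists; any deny wins, then any allow, else deny."""
    bind_dn = normalize_dn(bind_dn)
    matching = [a for a in collect_acis(directory, global_acis, target_dn)
                if aci_matches(a, bind_dn, permission, attribute)]
    if any(a.effect == "deny" for a in matching):
        return False
    return any(a.effect == "allow" for a in matching)


def search_result(directory, global_acis, bind_dn, target_dn, filter_attrs, requested_attrs):
    """A search needs 'search' on every filter attribute first; only then does 'read' decide which
    requested attributes come back, with objectClass riding along once any attribute is readable."""
    def check(perm, attr):
        return is_allowed(directory, global_acis, bind_dn, target_dn, perm, attr)
    if not all(check("search", a) for a in filter_attrs):
        return None  # the entry is not returned at all
    readable = [a for a in requested_attrs if check("read", a)]
    if readable and "objectclass" not in {a.lower() for a in readable}:
        readable.append("objectClass")
    return readable


BJENSEN = "uid=bjensen,ou=People,dc=example,dc=com"
USERDN = '(userdn = "ldap:///%s");)' % BJENSEN
# Constructed sample directory: the chapter's ACIs placed on the suffix and on ou=People,
# plus one constructed deny ACI to show that the deny list is consulted first.
DIRECTORY = {
    "dc=example,dc=com": {"aci": [
        '(targetattr = "uid")(version 3.0;acl "Search and read uid"; allow (search, read)' + USERDN,
        '(targetattr = "description")(version 3.0;acl "Modify description"; allow (write)' + USERDN,
    ]},
    "ou=People,dc=example,dc=com": {"aci": [
        '(targetattr = "sn")(version 3.0;acl "Compare surname"; allow (compare)' + USERDN,
        '(targetattr = "description")(version 3.0;acl "Constructed deny"; deny (write)' + USERDN,
    ]},
}
GLOBAL_ACIS = ['(version 3.0;acl "Add entry"; allow (add)' + USERDN]

if __name__ == "__main__":
    target = "uid=scarter,ou=People,dc=example,dc=com"
    print(is_allowed(DIRECTORY, GLOBAL_ACIS, BJENSEN, target, "write", "description"))  # False: deny wins
    print(search_result(DIRECTORY, GLOBAL_ACIS, BJENSEN, target, ["uid"], ["uid", "sn", "cn"]))
```

The write on description is denied under ou=People even though the suffix allows it, while the same write under a branch without the deny succeeds, which is the deny-first rule at work.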
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </section>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The minimal access control information required for specific LDAP
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark operations is described here.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <variablelist>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The ACI must allow the <literal>add</literal> permission to entries
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark in the target. This implicitly allows the attributes and values to be set.
3b13911fae84a5f802ad26be6be98a3c3ce0ff48cjr Use <literal>targattrfilters</literal> to explicitly deny access to any
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark values if required.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>For example, the ACI required to allow
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>uid=bjensen,ou=People,dc=example,dc=com</literal> to add an entry
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark is:</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkaci: (version 3.0;acl "Add entry"; allow (add)(userdn =
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark "ldap:///uid=bjensen,ou=People,dc=example,dc=com");)
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </programlisting>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Because this is used to establish the user's identity and derived
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark authorizations, ACI is irrelevant for this operation and is not checked.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark To prevent authentication,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark disable the account instead. For more information see <link
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark xlink:role="http://docbook.org/xlink/role/olink"><citetitle>Managing
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The ACI must allow the <literal>compare</literal> permission to the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark attribute in the target entry.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>For example, the ACI required to allow
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>uid=bjensen,ou=People,dc=example,dc=com</literal> to compare
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark values against the <literal>sn</literal> attribute is:</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkaci: (targetattr = "sn")(version 3.0;acl "Compare surname";
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark allow (compare)(userdn =
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark "ldap:///uid=bjensen,ou=People,dc=example,dc=com");)
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </programlisting>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The ACI must allow the <literal>delete</literal> permission to the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark target entry. This implicitly allows the attributes and values in the
3b13911fae84a5f802ad26be6be98a3c3ce0ff48cjr target to be deleted. Use <literal>targattrfilters</literal> to
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark explicitly deny access to the values if required.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>For example, the ACI required to allow
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>uid=bjensen,ou=People,dc=example,dc=com</literal> to delete an
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark entry is:</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkaci: (version 3.0;acl "Delete entry"; allow (delete)
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark (userdn = "ldap:///uid=bjensen,ou=People,dc=example,dc=com");)
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </programlisting>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The ACI must allow the <literal>write</literal> permission to
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark attributes in the target entries. This implicitly allows all
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark values in the target attribute to be modified. Use
3b13911fae84a5f802ad26be6be98a3c3ce0ff48cjr <literal>targattrfilters</literal> to explicitly deny access to specific
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark values if required.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>For example, the ACI required to allow
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>uid=bjensen,ou=People,dc=example,dc=com</literal> to modify the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>description</literal> attribute in an entry is:</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkaci: (targetattr = "description")(version 3.0;
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark acl "Modify description"; allow (write)(userdn =
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark "ldap:///uid=bjensen,ou=People,dc=example,dc=com");)
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </programlisting>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>If the entry is being moved to a <literal>newSuperior</literal>, the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>export</literal> permission must be allowed on the target, and
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark the <literal>import</literal> permission must be allowed on the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The ACI must allow <literal>write</literal> permission to the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark attributes in the old RDN and the new RDN. All values of the old RDN and
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark new RDN can be written implicitly; use
3b13911fae84a5f802ad26be6be98a3c3ce0ff48cjr <literal>targattrfilters</literal> to explicitly deny access to values
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark used if required.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>For example, the ACI required to allow
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>uid=bjensen,ou=People,dc=example,dc=com</literal> to rename
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark entries named with the <literal>uid</literal> attribute to new
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark locations:</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkaci: (targetattr = "uid")(version 3.0;acl "Rename uid= entries";
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark allow (write, import, export)(userdn =
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark "ldap:///uid=bjensen,ou=People,dc=example,dc=com");)
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </programlisting>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>ACI is required to process the search filter, and to determine what
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark attributes and values may be returned in the results. The
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>search</literal> permission is used to allow particular
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark attributes in the search filter. The <literal>read</literal> permission is
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark used to allow particular attributes to be returned. If
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>read</literal> permission is allowed to any attribute, the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark server will automatically allow the <literal>objectClass</literal>
3b13911fae84a5f802ad26be6be98a3c3ce0ff48cjr attribute to also be read.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>For example, the ACI required to allow
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>uid=bjensen,ou=People,dc=example,dc=com</literal> to search for
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>uid</literal> attributes, and also to read that attribute in
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark matching entries is:</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkaci: (targetattr = "uid")(version 3.0;acl "Search and read uid";
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark allow (search, read)(userdn =
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark "ldap:///uid=bjensen,ou=People,dc=example,dc=com");)
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </programlisting>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </variablelist>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </section>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </section>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Privileges provide access control for server administration
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark independently from access control instructions.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Directory root users, such as <literal>cn=Directory Manager</literal>,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark are granted by default the privileges in the following list that are marked
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark with an asterisk (*). Other administrator users can be assigned privileges, too.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <variablelist>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Request a task to restore data from backup</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Perform operations without regard to lockdown mode</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
6246f851911b09f425ce43a128c1fc84f71840c1mark <varlistentry>
6246f851911b09f425ce43a128c1fc84f71840c1mark <listitem>
6246f851911b09f425ce43a128c1fc84f71840c1mark <para>Read the changelog (under <literal>cn=changelog</literal>)</para>
6246f851911b09f425ce43a128c1fc84f71840c1mark </listitem>
6246f851911b09f425ce43a128c1fc84f71840c1mark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Put OpenDJ into, and take OpenDJ out of, lockdown mode</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Search using a filter with no corresponding index</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </variablelist>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>* = default directory root user privileges</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </section>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>For root directory administrators, by default <literal>cn=Directory
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark Manager</literal>, you configure privileges using the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>For non-root directory administrators, you add privileges with
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Start <command>dsconfig</command> in interactive mode.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>dsconfig \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 4444 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password</userinput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Edit the <literal>default-root-privilege-name</literal>.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Make sure you apply the changes when finished.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </procedure>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <title>To Add Privileges on an Individual Entry</title>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Privileges are specified using the <literal>ds-privilege-name</literal>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark operational attribute, which you can change on the command-line using
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>dn: uid=kvaughan,ou=People,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkchangetype: modify
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkadd: ds-privilege-name
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkds-privilege-name: config-read
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkds-privilege-name: password-reset</computeroutput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>This example lets the user read the server configuration, and reset
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark user passwords. In order for the user to be able to change a user password,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark you must also allow the modification using ACIs. For this example, Kirsten
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark Vaughan is a member of the Directory Administrators group for Example.com,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark and already has access to modify user entries.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Prior to having the privileges, Kirsten gets messages about
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark insufficient access when trying to read the server configuration, or
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark reset a user password.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapsearch \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword bribery \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --baseDN cn=config \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark "(objectclass=*)"</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>SEARCH operation failed
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkResult Code: 50 (Insufficient Access Rights)
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkAdditional Information: You do not have sufficient privileges to perform
08248b5c5b494aff8d1922e8e0b5777796d7450dmark search operations in the Directory Server configuration</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldappasswordmodify \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword bribery \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --authzID "dn:uid=scarter,ou=People,dc=example,dc=com" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --newPassword changeit</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>The LDAP password modify operation failed with result code 50
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkError Message: You do not have sufficient privileges to perform password
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkreset operations</computeroutput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Apply the change as a user with the
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapmodify \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>Processing MODIFY request for uid=kvaughan,ou=People,dc=example,dc=com
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkMODIFY operation successful for DN uid=kvaughan,ou=People,dc=example,dc=com</computeroutput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>At this point, Kirsten can perform the operations requiring
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark privileges.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapsearch \
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 1389 \
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword bribery \
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --baseDN cn=config \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark "(objectclass=*)"</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>dn: cn=config
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkds-cfg-return-bind-error-messages: false
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkds-cfg-default-password-policy: cn=Default Password Policy,cn=Password Policies,
08248b5c5b494aff8d1922e8e0b5777796d7450dmark…</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldappasswordmodify \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword bribery \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --authzID "dn:uid=scarter,ou=People,dc=example,dc=com" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --newPassword changeit</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>The LDAP password modify operation was successful</computeroutput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </procedure>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <title>To Add Privileges For a Group of Administrators</title>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>For deployments with more than one administrator, you no doubt use
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark a group to define administrative rights. You can use a collective attribute
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark subentry to specify privileges for the administrator group.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Collective attributes provide a standard mechanism for defining
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark attributes that appear on all the entries in a particular subtree. OpenDJ
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark extends collective attributes to give you fine-grained control over
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark which entries in the subtree are targeted. Also, OpenDJ lets you use
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark virtual attributes, such as <literal>isMemberOf</literal>, to construct the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark filter for targeting entries to which the collective attributes apply. This
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark allows you, for example, to define administrative privileges that apply to
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark all users who belong to an administrator group.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Create an LDAP subentry that specifies the collective attributes.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>dn: cn=Administrator Privileges,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: collectiveAttributeSubentry
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: extensibleObject
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: subentry
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: top
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkcn: Administrator Privileges
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkds-privilege-name;collective: config-read
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkds-privilege-name;collective: config-write
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkds-privilege-name;collective: ldif-export
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkds-privilege-name;collective: modify-acl
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkds-privilege-name;collective: password-reset
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkds-privilege-name;collective: proxied-auth
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarksubtreeSpecification: {base "ou=people", specificationFilter
08248b5c5b494aff8d1922e8e0b5777796d7450dmark "(isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapmodify \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --defaultAdd \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>Processing ADD request for cn=Administrator Privileges,dc=example,dc=com
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkADD operation successful for DN cn=Administrator Privileges,dc=example,dc=com</computeroutput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The Directory Administrators group for Example.com includes members
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark like Kirsten Vaughan.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Observe that the change takes effect immediately.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldappasswordmodify \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword bribery \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --authzID "dn:uid=scarter,ou=People,dc=example,dc=com" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --newPassword changeit</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>The LDAP password modify operation was successful</computeroutput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </procedure>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </section>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Access control instructions are defined in the data, as values for
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>aci</literal> attributes. They can be imported in LDIF. They can
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark be modified over LDAP. Yet in order to make changes to ACIs, users first
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark need the <literal>modify-acl</literal> privilege described previously.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark By default, only the root DN user has the <literal>modify-acl</literal>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark privilege.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Global ACIs on <literal>cn=Access Control Handler,cn=config</literal>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark can be set using the <command>dsconfig</command> command. Global ACIs have
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark attribute type <literal>ds-cfg-global-aci</literal>. Modify global ACIs from
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark the Access Control Handler menu in <command>dsconfig</command>.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <itemizedlist>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Default global ACIs set up the following access rules.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Users can employ LDAP controls and perform extended operations.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Anonymous read access is allowed for most user data attributes.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Users can read password values on their own entries after binding.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark (Also by default, password values are hashed.)</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Anonymous read access is allowed for schema-related operational
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark attributes.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Anonymous read access is allowed for root DSE attributes describing
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark what the server supports.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Anonymous read access is allowed for operational attributes related
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark to entry updates and entry identification.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </itemizedlist>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Users with write access to add ACIs and with the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>modify-acl</literal> privilege can use the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <command>ldapmodify</command> command to change ACIs located in user
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark data.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>This section therefore focuses on ACI examples, rather than
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark demonstrating how to update the directory for each example. To update ACIs,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark either change them using the <command>ldapmodify</command> command, or
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark using OpenDJ Control Panel.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>If you use OpenDJ Control Panel, find the entry to modify in the Manage
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark Entries window. Then try View > LDIF View to edit the entry. Control Panel
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark checks your syntax and lets you know if you made an error before it saves any
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark changes.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>For hints on updating directory entries with
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <command>ldapmodify</command>, see the section on <link xlink:show="new"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark xlink:href="admin-guide#modify-ldap"><citetitle>Modifying Entry
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark Attributes</citetitle></link>, keeping in mind that the name of the ACI
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark attribute is <literal>aci</literal> as shown in the examples that
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark follow.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>This works when the only attributes you do not want world-readable
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark are password attributes.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkaci: (target ="ldap:///dc=example,dc=com")(targetattr !=
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark "authPassword || userPassword")(version 3.0;acl "Anonymous read-search access";
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark allow (read, search, compare)(userdn = "ldap:///anyone");)
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </programlisting>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </example>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <example xml:id="access-control-disable-anonymous"><?dbfo keep-together="auto"?>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>By default OpenDJ denies access unless an access control explicitly
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark allows access.<footnote><para>This does not apply to the directory root
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark user, such as <literal>cn=Directory Manager</literal>, who bypasses
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ACIs.</para></footnote> However, OpenDJ also allows anonymous access by
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark default to use some controls, to perform certain extended operations, to
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark view root DSE operational attributes, to view directory schema definitions,
1fd4aba3a4b03e77a359b628db0a4b0f7a8d6df7mark to view some other operational attributes, and to perform compare and search
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark operations.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>These default capabilities are defined on the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>global-aci</literal> property of the access control handler, which
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark you can read by using the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <command>dsconfig get-access-control-handler-prop</command> command.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>dsconfig \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark get-access-control-handler-prop \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 4444 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --property global-aci</userinput>
5c7e914e0cb4486a6106dd1565f0451a730ad4a0mark You can disable anonymous access either
5c7e914e0cb4486a6106dd1565f0451a730ad4a0mark by editing relevant <literal>global-aci</literal> properties,
5c7e914e0cb4486a6106dd1565f0451a730ad4a0mark or by using the global server configuration property
5c7e914e0cb4486a6106dd1565f0451a730ad4a0mark <literal>reject-unauthenticated-requests</literal>.
5c7e914e0cb4486a6106dd1565f0451a730ad4a0mark Editing relevant <literal>global-aci</literal> properties
5c7e914e0cb4486a6106dd1565f0451a730ad4a0mark lets you take a fine-grained approach to limiting anonymous access.
5c7e914e0cb4486a6106dd1565f0451a730ad4a0mark Setting <literal>reject-unauthenticated-requests:true</literal>
5c7e914e0cb4486a6106dd1565f0451a730ad4a0mark causes OpenDJ directory server to reject all requests
5c7e914e0cb4486a6106dd1565f0451a730ad4a0mark from clients that are not authenticated,
5c7e914e0cb4486a6106dd1565f0451a730ad4a0mark except bind requests and StartTLS requests.
5c7e914e0cb4486a6106dd1565f0451a730ad4a0mark To take the fine-grained approach,
5c7e914e0cb4486a6106dd1565f0451a730ad4a0mark edit the relevant <literal>global-aci</literal> properties
5c7e914e0cb4486a6106dd1565f0451a730ad4a0mark with the <command>dsconfig</command> command.
5c7e914e0cb4486a6106dd1565f0451a730ad4a0mark One of the most expedient ways to do this is to use the command interactively
5c7e914e0cb4486a6106dd1565f0451a730ad4a0mark on one OpenDJ directory server, capturing the output to a script with the
5c7e914e0cb4486a6106dd1565f0451a730ad4a0mark <option>--commandFilePath <replaceable>script</replaceable></option> option,
5c7e914e0cb4486a6106dd1565f0451a730ad4a0mark and then editing the script for use on other servers.
5c7e914e0cb4486a6106dd1565f0451a730ad4a0mark With this approach, you can
5c7e914e0cb4486a6106dd1565f0451a730ad4a0mark allow anonymous read access to the root DSE and to directory schemas
5c7e914e0cb4486a6106dd1565f0451a730ad4a0mark so that clients do not have to authenticate to discover server capabilities,
5c7e914e0cb4486a6106dd1565f0451a730ad4a0mark and also allow anonymous users access to some controls and extended operations.
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>dsconfig \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 4444 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --commandFilePath /tmp/captured-global-aci-edits.sh</userinput>
5c7e914e0cb4486a6106dd1565f0451a730ad4a0mark# The dsconfig command runs interactively.
5c7e914e0cb4486a6106dd1565f0451a730ad4a0mark# Edit Access Control Handler, global-aci attributes replacing
5c7e914e0cb4486a6106dd1565f0451a730ad4a0mark# userdn="ldap:///anyone" (anonymous) with userdn="ldap:///all" (authenticated)
5c7e914e0cb4486a6106dd1565f0451a730ad4a0mark# in "Anonymous read access" and "User-Visible Operational Attributes" ACIs.
5c7e914e0cb4486a6106dd1565f0451a730ad4a0mark# To make this change, you first remove the existing values,
5c7e914e0cb4486a6106dd1565f0451a730ad4a0mark# then add the edited values, and finally apply the changes.
5c7e914e0cb4486a6106dd1565f0451a730ad4a0mark Make sure that you also set appropriate ACIs on any data that you import.
5c7e914e0cb4486a6106dd1565f0451a730ad4a0mark At this point, clients must authenticate to view search results, for example.
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapsearch --port 1389 --baseDN dc=example,dc=com "(uid=bjensen)"</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapsearch \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN uid=bjensen,ou=people,dc=example,dc=com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword hifalutin \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --baseDN dc=example,dc=com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark "(uid=bjensen)" cn uid</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=com
5c7e914e0cb4486a6106dd1565f0451a730ad4a0markcn: Barbara Jensen
5c7e914e0cb4486a6106dd1565f0451a730ad4a0markcn: Babs Jensen
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkuid: bjensen</computeroutput>
5c7e914e0cb4486a6106dd1565f0451a730ad4a0mark You can download an example of the captured command,
5c7e914e0cb4486a6106dd1565f0451a730ad4a0mark <link xlink:href="http://opendj.forgerock.org/captured-global-aci-edits.sh"
5c7e914e0cb4486a6106dd1565f0451a730ad4a0mark To reject anonymous access except bind and StartTLS requests,
5c7e914e0cb4486a6106dd1565f0451a730ad4a0mark set <literal>reject-unauthenticated-requests:true</literal>.
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>dsconfig \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark set-global-configuration-prop \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 4444 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --trustAll \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --no-prompt \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set reject-unauthenticated-requests:true</userinput>
5c7e914e0cb4486a6106dd1565f0451a730ad4a0mark Once you set the property, anonymous clients trying to search, for example,
5c7e914e0cb4486a6106dd1565f0451a730ad4a0mark get an <literal>Unwilling to Perform</literal> response from OpenDJ.
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapsearch --port 1389 --baseDN dc=example,dc=com "(uid=bjensen)"</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>SEARCH operation failed
5c7e914e0cb4486a6106dd1565f0451a730ad4a0markResult Code: 53 (Unwilling to Perform)
5c7e914e0cb4486a6106dd1565f0451a730ad4a0markAdditional Information: Rejecting the requested operation
08248b5c5b494aff8d1922e8e0b5777796d7450dmark because the connection has not been authenticated</computeroutput>
5c7e914e0cb4486a6106dd1565f0451a730ad4a0mark In both cases, notice that the changes apply to
5c7e914e0cb4486a6106dd1565f0451a730ad4a0mark a single OpenDJ directory server configuration,
5c7e914e0cb4486a6106dd1565f0451a730ad4a0mark and so are not replicated to other servers.
5c7e914e0cb4486a6106dd1565f0451a730ad4a0mark You must instead apply the changes separately to each server.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </example>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Directory Administrators need privileges as well for full access to
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark administrative operations.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkaci: (target="ldap:///dc=example,dc=com") (targetattr =
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark "* || +")(version 3.0;acl "Admins can run amok"; allow(
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark all, proxy, import, export) groupdn =
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </programlisting>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Notice both <literal>targetattr = "* || +"</literal>, which permits
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark access to both all user attributes and all operational attributes, and
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>allow(all, proxy, import, export)</literal>, which permits not
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark only all user operations, but also proxy authorization as well as data
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark import and export operations.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </example>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>By default this capability is set in a global ACI.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkaci: (target ="ldap:///ou=People,dc=example,dc=com")(targetattr =
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark "authPassword || userPassword")(version 3.0;acl "Allow users to change pass
08248b5c5b494aff8d1922e8e0b5777796d7450dmark words"; allow (write)(userdn = "ldap:///self");)
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </programlisting>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </example>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>For some static groups such as carpoolers and social club members,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark you might choose to let users manage their own memberships.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkaci: (target ="ldap:///ou=Self Service,ou=Groups,dc=example,dc=com")(
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark targetattr = "member")(version 3.0;acl "Self registration"; allow(selfwrite)(
08248b5c5b494aff8d1922e8e0b5777796d7450dmark userdn = "ldap:///uid=*,ou=People,dc=example,dc=com");)
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </programlisting>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </example>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Let users create and delete self-managed groups.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkaci: (target ="ldap:///ou=Self Service,ou=Groups,dc=example,dc=com")(
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark targattrfilters="add=objectClass:(objectClass=groupOfNames)")(version 3.0;
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark acl "All can create self service groups"; allow (add)(userdn= "
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ldap:///uid=*,ou=People,dc=example,dc=com");)
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkaci: (target ="ldap:///ou=Self Service,ou=Groups,dc=example,dc=com")(version 3
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark .0; acl "Owner can delete self service groups"; allow (delete)(userattr= "
08248b5c5b494aff8d1922e8e0b5777796d7450dmark owner#USERDN");)
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </programlisting>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </example>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <title>ACI: Permit Clear Text Access Over Loopback Only</title>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>This ACI uses IP address and Security Strength Factor subjects.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkaci: (target = "ldap:///dc=example,dc=com")(targetattr =
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark "*")(version 3.0;acl "Use loopback only for LDAP in the clear"; deny (all)(
08248b5c5b494aff8d1922e8e0b5777796d7450dmark ip != "127.0.0.1" and ssf <= "1");)
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </programlisting>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The <literal>ssf</literal> is one, for example, when using SSL but you
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark have not configured a cipher, so the packets are checksummed for integrity
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark checking but all content is nevertheless sent in clear text.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </example>
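<para>The following linter is an added example, not OpenDJ code. It parses ACI values of the shape used in the examples above and flags the grants worth a second look: anonymous (<literal>ldap:///anyone</literal>) read access that reaches password attributes, anonymous write access, and rules that grant all rights plus proxy. The password attribute list and the severity labels are assumptions of the example, and the constructed LDIF reuses two ACIs from this section plus one deliberately weak rule.</para>

```python
"""Lint OpenDJ-style ACI values for risky grants (added example, not OpenDJ code).
Understands only the ACI shape used on this page:
(target=...)(targetattr ...)(version 3.0; acl "name"; allow|deny (rights) bind-rule;)"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Attributes that must never be world-readable (assumption for this linter).
PASSWORD_ATTRS = {"userPassword", "authPassword"}
READ_LIKE = {"read", "search", "compare", "all"}
WRITE_LIKE = {"write", "add", "delete", "selfwrite", "all"}
_TARGETATTR_RE = re.compile(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)')
_BODY_RE = re.compile(
    r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;\s*'
    r'(allow|deny)\s*\(([^)]*)\)\s*(.*?)\s*;\s*\)\s*$',
    re.DOTALL,
)

@dataclass
class Aci:
    name: str
    targetattr: list[str]      # names from targetattr; "*" and "+" kept literally
    targetattr_negated: bool   # True for targetattr != "..."
    permission: str            # "allow" or "deny"
    rights: list[str]
    bind_rule: str             # whitespace-normalised, e.g. (userdn="ldap:///anyone")

def unfold_ldif(text: str) -> list[str]:
    """Join LDIF continuation lines (leading space) onto the line before."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    return lines

def parse_aci(value: str) -> Aci:
    """Parse one aci value (the text after 'aci: ')."""
    body = _BODY_RE.search(value)
    if body is None:
        raise ValueError(f"unrecognised ACI syntax: {value!r}")
    name, permission, rights, bind_rule = body.groups()
    tattr = _TARGETATTR_RE.search(value)
    return Aci(
        name=name,
        # An absent targetattr is left empty; the server's own default is not modelled.
        targetattr=[a.strip() for a in tattr.group(2).split("||")] if tattr else [],
        targetattr_negated=bool(tattr and tattr.group(1) == "!="),
        permission=permission,
        rights=[r.strip() for r in rights.split(",")],
        bind_rule=re.sub(r"\s*(!=|<=|>=|=)\s*", r"\1", " ".join(bind_rule.split())),
    )

def exposes_password(aci: Aci) -> bool:
    """True when the attribute target covers at least one password attribute."""
    listed = set(aci.targetattr)
    if aci.targetattr_negated:  # everything except the listed names is covered
        return "*" not in listed and bool(PASSWORD_ATTRS - listed)
    return "*" in listed or bool(PASSWORD_ATTRS & listed)

def is_anonymous(aci: Aci) -> bool:
    """ldap:///anyone matches unauthenticated clients; ldap:///all does not."""
    return 'userdn="ldap:///anyone"' in aci.bind_rule

def lint(aci: Aci) -> list[tuple[str, str]]:
    """Return (severity, message) findings for one parsed ACI."""
    findings: list[tuple[str, str]] = []
    rights = set(aci.rights)
    if aci.permission == "allow" and is_anonymous(aci):
        if rights & READ_LIKE and exposes_password(aci):
            findings.append(("HIGH", "anonymous read of password attributes"))
        if rights & WRITE_LIKE:
            findings.append(("HIGH", "anonymous write access"))
    if aci.permission == "allow" and {"all", "proxy"} <= rights:
        findings.append(("INFO", "grants all rights plus proxy; review who matches the subject"))
    return [(sev, f"{aci.name}: {msg}") for sev, msg in findings]

def audit(ldif: str) -> list[tuple[str, str]]:
    """Lint every aci: value in an LDIF export."""
    findings: list[tuple[str, str]] = []
    for line in unfold_ldif(ldif):
        if line.startswith("aci:"):
            findings.extend(lint(parse_aci(line[len("aci:"):].strip())))
    return findings

# Constructed LDIF: two ACIs from this page plus one deliberately weak rule.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
aci: (target ="ldap:///dc=example,dc=com")(targetattr !=
 "authPassword || userPassword")(version 3.0;acl "Anonymous read-search access";
 allow (read, search, compare)(userdn = "ldap:///anyone");)
aci: (target="ldap:///dc=example,dc=com") (targetattr =
 "* || +")(version 3.0;acl "Admins can run amok"; allow(
 all, proxy, import, export) groupdn =
 "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)
aci: (targetattr = "*")(version 3.0;acl "World-readable everything (constructed)";
 allow (read, search, compare)(userdn = "ldap:///anyone");)
"""
```

Run <literal>audit</literal> over an <command>export-ldif</command> output to review every ACI in a backend at once; the deny rule for clear-text connections parses but, being a deny, never produces a finding.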
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </section>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Once you set up a number of ACIs, you might find it difficult to
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark understand by inspection what rights a user actually has to a given entry.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark The Get Effective Rights control can help.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The control OID, <literal>1.3.6.1.4.1.42.2.27.9.5.2</literal>, is
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark not allowed by the default global ACIs.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>In this example, Babs Jensen is the owner of a small group of people
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark who are willing to carpool.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapsearch \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "uid=bjensen,ou=people,dc=example,dc=com" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword hifalutin \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --baseDN "ou=Self Service,ou=Groups,dc=example,dc=com" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark "cn=*"</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>dn: cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: groupOfNames
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: top
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkmember: uid=bjensen,ou=People,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkdescription: People who are willing to carpool
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkowner: uid=bjensen,ou=People,dc=example,dc=com
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkcn: Carpoolers</computeroutput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Performing the same search with the get effective rights control, and
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark asking for the <literal>aclRights</literal> attribute, shows what rights
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark Babs has on the entry.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapsearch \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --control effectiverights \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "uid=bjensen,ou=people,dc=example,dc=com" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword hifalutin \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --baseDN "ou=Self Service,ou=Groups,dc=example,dc=com" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark aclRights</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>dn: cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkaclRights;entryLevel: add:0,delete:1,read:1,write:0,proxy:0</computeroutput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Requesting the <literal>aclRightsInfo</literal> attribute also returns
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark information about the ACIs evaluated to arrive at those results.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapsearch \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --control effectiverights \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "uid=bjensen,ou=people,dc=example,dc=com" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword hifalutin \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --baseDN "ou=Self Service,ou=Groups,dc=example,dc=com" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark aclRights \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark aclRightsInfo</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>dn: cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkaclRightsInfo;logs;entryLevel;read: acl_summary(main): access allowed(read) on e
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ntry/attr(cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com, objectClas
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark s) to (uid=bjensen,ou=People,dc=example,dc=com) (not proxied) ( reason: evaluat
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ed allow , deciding_aci: Anonymous read-search access)
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkaclRightsInfo;logs;entryLevel;write: acl_summary(main): access not allowed(write
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ) on entry/attr(cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com, NULL
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ) to (uid=bjensen,ou=People,dc=example,dc=com) (not proxied) ( reason: no acis
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark matched the subject )
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkaclRightsInfo;logs;entryLevel;add: acl_summary(main): access not allowed(add) on
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark entry/attr(cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com, NULL) to
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark (uid=bjensen,ou=People,dc=example,dc=com) (not proxied) ( reason: no acis matc
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark hed the subject )
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkaclRightsInfo;logs;entryLevel;delete: acl_summary(main): access allowed(delete)
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark on entry/attr(cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com, NULL)
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark to (uid=bjensen,ou=People,dc=example,dc=com) (not proxied) ( reason: evaluated
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark allow , deciding_aci: Owner can delete self service groups)
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkaclRights;entryLevel: add:0,delete:1,read:1,write:0,proxy:0
aclRightsInfo;logs;entryLevel;proxy: acl_summary(main): access not allowed(proxy
 ) on entry/attr(cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com, NULL
 ) to (uid=bjensen,ou=People,dc=example,dc=com) (not proxied) ( reason: no acis
 matched the subject )</computeroutput>
<para>You can also request the effective rights for another user by using the
<option>--getEffectiveRightsAuthzid</option> (short form: <option>-g</option>)
option, which takes the authorization identity of the other user as an
argument. The following example shows Directory Manager checking anonymous
user rights to the same entry. Notice that the authorization identity for an
anonymous user is expressed as <literal>"dn:"</literal>.</para>
$ <userinput>ldapsearch \
 --getEffectiveRightsAuthzid "dn:" \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --baseDN "ou=Self Service,ou=groups,dc=example,dc=com" \
 "cn=*" aclRightsInfo</userinput>
<computeroutput>dn: cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com
aclRightsInfo;logs;entryLevel;read: acl_summary(main): access allowed(read) on e
 ntry/attr(cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com, objectClas
 s) to (anonymous) (not proxied) ( reason: evaluated allow , deciding_aci: Anony
 mous read-search access)
aclRightsInfo;logs;entryLevel;write: acl_summary(main): access not allowed(write
 ) on entry/attr(cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com, NULL
 ) to (anonymous) (not proxied) ( reason: no acis matched the subject )
aclRightsInfo;logs;entryLevel;add: acl_summary(main): access not allowed(add) on
 entry/attr(cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com, NULL) to
 (anonymous) (not proxied) ( reason: no acis matched the subject )
aclRightsInfo;logs;entryLevel;delete: acl_summary(main): access not allowed(dele
 te) on entry/attr(cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com, NU
 LL) to (anonymous) (not proxied) ( reason: no acis matched the subject )
aclRightsInfo;logs;entryLevel;proxy: acl_summary(main): access not allowed(proxy
 ) on entry/attr(cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com, NULL
 ) to (anonymous) (not proxied) ( reason: no acis matched the subject )</computeroutput>
<para>When you need to check access to an attribute that might not yet exist
on the entry, you can also use the
<option>--getEffectiveRightsAttribute</option> (short form:
<option>-e</option>) option, which takes an attribute list as an argument.
The following example shows Directory Manager checking anonymous user
access to the description attribute for the Self Service groups organizational
unit entry. The description attribute is not yet present on the entry.</para>
$ <userinput>ldapsearch \
 --port 1389 \
 --baseDN "ou=Self Service,ou=groups,dc=example,dc=com" \
 "ou=Self Service" description</userinput>
<computeroutput>dn: ou=Self Service,ou=Groups,dc=example,dc=com</computeroutput>
$ <userinput>ldapsearch \
 --getEffectiveRightsAuthzid "dn:" \
 --getEffectiveRightsAttribute description \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --baseDN "ou=Self Service,ou=groups,dc=example,dc=com" \
 "ou=Self Service" aclRights</userinput>
<computeroutput>dn: ou=Self Service,ou=Groups,dc=example,dc=com
aclRights;attributeLevel;description: search:1,read:1,compare:1,write:0,selfwrit
 e_add:0,selfwrite_delete:0,proxy:0
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0</computeroutput>
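<para>As an added example that is not part of the OpenDJ documentation or code base, the following Python script parses ldapsearch output of the kind shown above (the <literal>aclRights</literal> and <literal>aclRightsInfo</literal> values returned with the get effective rights control) into a structure an audit job can check, for instance that the anonymous authzid holds no entry-level right beyond read. The sample LDIF embedded in it is constructed to match the shapes of the outputs above, including the LDIF line folding that ldapsearch applies to long values.</para>

```python
import re
from typing import Dict, List, Set

# Constructed sample of ldapsearch output with the get effective rights control for
# the anonymous authzid "dn:"; lines starting with a space are LDIF continuations.
SAMPLE_LDIF = """\
dn: ou=Self Service,ou=Groups,dc=example,dc=com
aclRights;attributeLevel;description: search:1,read:1,compare:1,write:0,selfwrit
 e_add:0,selfwrite_delete:0,proxy:0
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0
aclRightsInfo;logs;entryLevel;read: acl_summary(main): access allowed(read) on e
 ntry/attr(ou=Self Service,ou=Groups,dc=example,dc=com, objectClass) to (anonymo
 us) (not proxied) ( reason: evaluated allow , deciding_aci: Anonymous read-search access)
aclRightsInfo;logs;entryLevel;write: acl_summary(main): access not allowed(write) on entry/attr(ou=Self Service,ou=Groups,dc=example,dc=com, NULL) to (anonymous) (not proxied) ( reason: no acis matched the subject )
"""
RIGHTS_RE = re.compile(r"^aclRights;(?:entryLevel|attributeLevel;([^:]+)): (.*)$")
INFO_RE = re.compile(r"^aclRightsInfo;logs;entryLevel;(\w+): .*\( reason: (.*?)"
                     r"(?: , deciding_aci: (.*?))?\)\s*$")

def unfold_ldif(ldif: str) -> List[str]:
    """Join LDIF continuation lines (leading space) onto the preceding line."""
    lines: List[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_effective_rights(ldif: str) -> Dict:
    """Turn aclRights values into booleans and keep each aclRightsInfo reason/ACI."""
    out: Dict = {"dn": None, "entry": {}, "attributes": {}, "reasons": {}}
    for line in unfold_ldif(ldif):
        m_rights, m_info = RIGHTS_RE.match(line), INFO_RE.match(line)
        if line.startswith("dn: "):
            out["dn"] = line[4:]
        elif m_rights:  # "add:0,delete:0,read:1,..." -> {"add": False, ...}
            rights = {k: v == "1" for k, v in
                      (item.split(":") for item in m_rights.group(2).split(","))}
            if m_rights.group(1):
                out["attributes"][m_rights.group(1)] = rights
            else:
                out["entry"] = rights
        elif m_info:  # (reason, deciding ACI name); the ACI is None when none matched
            out["reasons"][m_info.group(1)] = (m_info.group(2).strip(), m_info.group(3))
    return out

def unexpected_rights(parsed: Dict, expected: Set[str]) -> List[str]:
    """Entry-level rights granted beyond the expected set, for an audit check."""
    return sorted(r for r, ok in parsed["entry"].items() if ok and r not in expected)
```

Feed it the output of an ldapsearch run with <option>--getEffectiveRightsAuthzid "dn:"</option> and compare the result against the rights you intend anonymous users to have.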
</section>