Default Acis - Red Hat DIRECTORY SERVER 7.1 - ADMINISTRATOR Administrator's Manual

If you create target filters or bind rules that depend on the value of attributes
generated by CoS, the access control rule will not work. For more information
on CoS, see chapter 5, "Advanced Entry Management."
• Access control rules are always evaluated on the local server. Therefore, it is
not necessary to specify the hostname or port number of the server in LDAP
URLs used in ACI keywords. If you do, the LDAP URL will not be taken into
account at all. For more information on LDAP URLs, see Appendix C, "LDAP
URLs."

Default ACIs

When you install the Directory Server, the following default ACIs apply to your
directory information stored in the
• Users can modify a list of common attributes in their own entries. Those
attributes include
Operational and most of the security attributes, such as
passwordExpirationTime
• Users have anonymous access to the directory for search, compare, and read
operations.
• The administrator (by default
ou=TopologyManagement,o=NetscapeRoot
• All members of the Configuration Administrators group have all rights except
proxy rights.
• All members of the Directory Administrators group have all rights except
proxy rights.
• SIE (Server Instance Entry) group.
Whenever you create a new database in the directory, the top entry has the default
ACIs listed above.
The
NetscapeRoot
• All members of the Configuration Administrators group have all rights on the
NetscapeRoot
• Users have anonymous access to the
operations.
• Group expansion.
userRoot
,
mail telephoneNumer
, can't be modified by the users.
uid=admin,ou=Administrators,
subtree has its own set of default ACIs:
subtree except proxy rights.
database:
, ,
userPassword
aci
) has all rights except proxy rights.
subtree for search and read
NetscapeRoot
Chapter 6
Default ACIs
, and so on.
seeAlso
, , and
nsroledn
Managing Access Control 205