Permissions Syntax - Red Hat DIRECTORY SERVER 7.1 - ADMINISTRATOR Administrator's Manual

Creating ACIs Manually

- Grant write permission on the attribute type used in the new RDN.
- Grant write permission on the attribute type used in the old RDN, if you want to grant the right to delete the old RDN.
- Grant write permission on the value of attribute type used in the new RDN. This right is granted by default but could be restricted using the targattrfilters keyword.

Comparing the value of an attribute:
- Grant compare permission on the attribute type.

Searching for entries:
- Grant search permission on each attribute type used in the search filter.
- Grant read permission on attribute types used in the entry.

The permissions you need to set up to allow users to search the directory are more readily understood with an example. Consider the following ldapsearch operation:

% ldapsearch -h host -s base -b "uid=bjensen,dc=example,dc=com" objectclass=* mail

The following ACI is used to determine whether user bkolics can be granted access:

aci: (targetattr = "mail")(version 3.0; acl "self access to mail"; allow (read, search) userdn = "ldap:///self";)

The search result list is empty because this ACI does not grant access to the objectclass attribute. If you want the search operation described above to be successful, you must modify the ACI to read as follows:

aci: (targetattr = "mail || objectclass")(version 3.0; acl "self access to mail"; allow (read, search) userdn = "ldap:///self";)

Permissions Syntax

In an ACI statement, the syntax for permissions is:

allow|deny (rights)

where rights is a list of 1 to 8 comma-separated keywords enclosed within parentheses. Valid keywords are read, write, add, delete, search, compare, selfwrite, proxy, or all.

In the following example, read, search, and compare access is allowed, provided the bind rule is evaluated to be true:

Red Hat Directory Server Administrator's Guide • May 2005
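Added example, not part of the Red Hat manual: a Python sketch that applies the "Searching for entries" rule and the rights keywords from "Permissions Syntax" to the two ACIs shown earlier on this page, reporting which attribute lacks which right. The function names are hypothetical, and the sketch assumes the bind rule evaluates to true and that the single allow ACI is the only one in effect.

```python
import re

# Rights keywords listed under "Permissions Syntax" on this page.
VALID_RIGHTS = {"read", "write", "add", "delete", "search",
                "compare", "selfwrite", "proxy", "all"}

ACI_RE = re.compile(
    r'\(\s*targetattr\s*=\s*"(?P<attrs>[^"]*)"\s*\)'      # (targetattr = "a || b")
    r'.*?\b(?P<kind>allow|deny)\s*\((?P<rights>[^)]*)\)',  # allow (read, search)
    re.S | re.I)
# Attribute name at the start of a filter item, e.g. "objectclass=*" or "(mail=*)".
FILTER_ATTR_RE = re.compile(r'(?:^|\()\s*([A-Za-z][A-Za-z0-9;.-]*)\s*[~<>]?=')

def parse_aci(aci):
    """Return (target attributes, 'allow'|'deny', rights) for a simple ACI."""
    m = ACI_RE.search(aci)
    if not m:
        raise ValueError("no targetattr/permission pair found")
    attrs = {a.strip().lower() for a in m["attrs"].split("||")}
    rights = {r.strip().lower() for r in m["rights"].split(",")}
    if rights - VALID_RIGHTS:
        raise ValueError(f"unknown rights: {sorted(rights - VALID_RIGHTS)}")
    return attrs, m["kind"].lower(), rights

def filter_attrs(search_filter):
    """Attribute types named in an LDAP search filter, in order of appearance."""
    return [a.lower() for a in FILTER_ATTR_RE.findall(search_filter)]

def missing_rights(aci, search_filter, requested):
    """List (attribute, right) pairs the search needs but the ACI does not grant.

    Assumption: the bind rule is true and this allow ACI is the only one in effect.
    """
    attrs, kind, rights = parse_aci(aci)
    if kind != "allow":
        raise ValueError("only allow rules are modelled here")
    def granted(attr, right):
        return (attr in attrs or "*" in attrs) and (right in rights or "all" in rights)
    gaps = [(a, "search") for a in filter_attrs(search_filter) if not granted(a, "search")]
    gaps += [(a.lower(), "read") for a in requested if not granted(a.lower(), "read")]
    return gaps

# The two ACIs from this page; the filter and requested attribute come from its ldapsearch.
ORIGINAL = ('aci: (targetattr = "mail")(version 3.0; acl "self access to mail"; '
            'allow (read, search) userdn = "ldap:///self";)')
FIXED = ORIGINAL.replace('"mail"', '"mail || objectclass"')

if __name__ == "__main__":
    print(missing_rights(ORIGINAL, "objectclass=*", ["mail"]))  # objectclass lacks search
    print(missing_rights(FIXED, "objectclass=*", ["mail"]))     # nothing missing
```

Running the same check over every filter an application issues shows which attributes an ACI must name before it is deployed, instead of discovering the gap as an empty result list.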


This manual is also suitable for:

Directory server 7.1
