Default ACIs - Red Hat DIRECTORY SERVER 8.0 - ADMINISTRATION Administration Manual

However, you can match values stored in the target entry with values stored in the entry of the bind
user; for example, using the userattr keyword. Access is evaluated normally even if the bind user
does not have an entry on the server that holds the ACI.
For more information on how to chain access control evaluation, see
Section 3.3.5, "Database Links and Access Control Evaluation".
• Attributes generated by class of service (CoS) cannot be used in all ACI keywords. Specifically, you
should not use attributes generated by CoS with the following keywords:
  • targetfilter (Section 6.3.2.4, "Targeting Entries or Attributes Using LDAP Filters")
  • targattrfilters (Section 6.3.2.2, "Targeting Attributes")
  • userattr (Section 6.4.5.1, "Using the userattr Keyword")
If you create target filters or bind rules that depend on the value of attributes generated by CoS, the
access control rule will not work. For more information on CoS, see
Chapter 5, Managing Entries with Roles, Classes of Service, and Views.
• Access control rules are always evaluated on the local server. Therefore, it is not necessary to
specify the hostname or port number of the server in LDAP URLs used in ACI keywords. If you
do, the LDAP URL is not taken into account at all. For more information on LDAP URLs, see
Appendix C, LDAP URLs.
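
The two restrictions above (CoS-generated attributes in targetfilter, targattrfilters, or userattr, and LDAP URLs that name a host or port) can be checked mechanically before an ACI is deployed. The following Python check is an added example, not part of the Red Hat manual; the sample ACIs, DNs, host name, and the list of CoS-generated attributes are constructed assumptions.

```python
import re

# Keywords the page says must not depend on CoS-generated attribute values.
COS_SENSITIVE = ("targetfilter", "targattrfilters", "userattr")
# Anything between "ldap://" and the next "/" is a host[:port] part.
LDAP_URL_HOST = re.compile(r'ldaps?://([^/"\s]+)/', re.I)
KEYWORD_VALUE = re.compile(r'\b(%s)\s*!?=\s*"([^"]*)"' % "|".join(COS_SENSITIVE), re.I)

def attrs_in_value(keyword, value):
    """Lower-cased attribute names that a keyword's value depends on."""
    if keyword == "userattr":
        # userattr="attrName#bindTypeOrValue", optionally "parent[...].attrName#..."
        return {value.split("#", 1)[0].rsplit(".", 1)[-1].strip().lower()}
    # Filter items look like (attr=value), (attr>=value), (attr<=value), (attr~=value).
    return {a.lower() for a in re.findall(r'\(\s*([A-Za-z][\w;-]*)\s*[~<>]?=', value)}

def audit_aci(aci, cos_attrs):
    """Return the list of findings for one ACI string (empty list = clean)."""
    findings = []
    for host in LDAP_URL_HOST.findall(aci):
        findings.append("LDAP URL names '%s'; such a URL is not taken into account" % host)
    cos = {a.lower() for a in cos_attrs}
    for keyword, value in KEYWORD_VALUE.findall(aci):
        for attr in sorted(attrs_in_value(keyword.lower(), value) & cos):
            findings.append("%s depends on CoS-generated attribute '%s'" % (keyword.lower(), attr))
    return findings

# Constructed sample data: the ACIs, DNs, host name and CoS attribute list are assumptions.
COS_ATTRS = {"postalCode", "departmentNumber"}
SAMPLE_ACIS = [
    '(targetattr="mail || telephoneNumber")(version 3.0; acl "self write"; '
    'allow (write) userdn="ldap:///self";)',
    '(targetattr="*")(version 3.0; acl "helpdesk read"; allow (read) '
    'groupdn="ldap://ds1.example.com:389/cn=Helpdesk,ou=Groups,dc=example,dc=com";)',
    '(targetattr="*")(targetfilter="(&(objectClass=person)(postalCode=95054))")'
    '(version 3.0; acl "site readers"; allow (read) userdn="ldap:///all";)',
    '(targetattr="*")(version 3.0; acl "dept match"; allow (read) '
    'userattr="departmentNumber#Engineering";)',
]

if __name__ == "__main__":
    for aci in SAMPLE_ACIS:
        name = re.search(r'acl\s+"([^"]*)"', aci).group(1)
        for finding in audit_aci(aci, COS_ATTRS) or ["ok"]:
            print("%-14s %s" % (name, finding))
```

Attribute names are compared case-insensitively, so findings report them in lower case.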

6.2. Default ACIs

When the Administration Server is set up, the following default ACIs apply to the directory information
stored in the userRoot database:
• Users can modify a list of common attributes in their own entries, including the mail,
telephoneNumber, userPassword, and seeAlso attributes. Operational and most of the
security attributes, such as aci, nsroledn, and passwordExpirationTime, cannot be modified
by users.
• Users have anonymous access to the directory for search, compare, and read operations.
• The administrator (by default uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot)
has all rights except proxy rights.
• All members of the Configuration Administrators group have all rights except proxy rights.
• All members of the Directory Administrators group have all rights except proxy rights.
• Server Instance Entry (SIE) group.
The NetscapeRoot subtree has its own set of default ACIs:
• All members of the Configuration Administrators group have all rights on the
NetscapeRoot subtree except proxy rights.
• Users have anonymous access to the NetscapeRoot subtree for search and read operations.
• All authenticated users have search, compare, and read rights to configuration attributes that
identify the Administration Server.