Netscape DIRECTORY SERVER 6.01 - ADMINISTRATOR Administrator's Manual page 238

Access Control Usage Examples
d.
On the Rights tab, tick the checkbox for add. Make sure the other checkboxes
4.
are clear.
On the Targets tab, click This Entry to display the
5.
dc=example,dc=com
On the Hosts tab, click Add to display the Add Host Filter dialog box. In the
6.
DNS host filter field, type
To create the value-based filter that will allow employees to add only group
7.
entries to this subtree, switch to manual editing by clicking the Edit Manually
button. Add the following to the beginning of the LDIF statement:
(targattrfilters="add=objectClass:(objectClass=groupOfNames)")
The LDIF statement should read as follows:
(targattrfilters="add=objectClass:(objectClass=groupOfNames)")
(targetattr = "*") (target="ldap:///ou=social
committee,dc=example,dc=com) (version 3.0; acl "Create Group";
allow (read,search,add) (userdn= "ldap:///all") and
(dns="*.example.com"); )
Click OK.
8.
The new ACI is added to the ones listed in the Access Control Manager
window.
ACI "Delete Group"
In LDIF, to grant
entry which they own under the
the following statement:
aci: (target="ou=social committee,dc=example,dc=com)
(targattrfilters="del=objectClass:(objectClass=groupOfNames)")
(version 3.0; acl "Delete Group"; allow (delete) userattr=
"owner#GROUPDN";)
This example assumes that the
dc=example,dc=com
Using the Console is not an effective way of creating this ACI because you would
have to use manual editing mode to create the target filter, and to check group
ownership.
238 Netscape Directory Server Administrator's Guide • January 2002
Click OK to dismiss the Add Users and Groups dialog box.
suffix in the target directory entry field.
example.com
entry.
. Click OK to dismiss the dialog box.
*.example.com
employees the right to modify or delete a group
ou=Social Comittee branch
is added to the
aci ou=social committee,
ou=social committee,
, you would write