Table of Contents
Advertisement
•
Access control rules are always evaluated on the local server. Therefore, it is
not necessary to specify the hostname or port number of the server in LDAP
URLs used in ACI keywords. If you do, the LDAP URL will not be taken into
account at all. For more information on LDAP URLs, see Appendix C, "LDAP
URLs."
Default ACIs
When you install the Directory Server, the following default ACIs apply to your
directory information stored in the
•
Users can modify their own entry in the directory, but not delete it. They
cannot modify the
•
Users have anonymous access to the directory for search, compare, and read
operations.
•
The administrator (by default
ou=TopologyManagement,o=NetscapeRoot
•
All members of the Configuration Administrators group have all rights except
proxy rights.
•
All members of the Directory Administrators group have all rights except
proxy rights.
•
SIE group.
Whenever you create a new database in the directory, the top entry has the default
ACIs listed above.
The NetscapeRoot subtree has its own set of default ACIs:
•
All members of the Configuration Administrators group have all rights on the
NetscapeRoot subtree except proxy rights.
•
Users have anonymous access to the NetscapeRoot subtree for search and read
operations.
•
Group expansion.
•
All authenticated users have search, compare, and read rights to configuration
attributes that identify the administration server.
The following sections explain how to modify these default settings to suit the
needs of your organization.
userRoot
and
attributes.
aci
nsroledn
uid=admin,ou=Administrators,
database:
) has all rights except proxy rights.
Chapter 6
Managing Access Control
Default ACIs
193
Advertisement
Table of Contents
