If you create target filters or bind rules that depend on the value of attributes
generated by CoS, the access control rule will not work. For more information
on CoS, see Chapter 5, "Advanced Entry Management."
• Access control rules are always evaluated on the local server. Therefore, it is
not necessary to specify the hostname or port number of the server in LDAP
URLs used in ACI keywords. If you do, the LDAP URL will not be taken into
account at all. For more information on LDAP URLs, see Appendix C, "LDAP
URLs."
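A way to audit existing ACI values for the two pitfalls described above: bind rules or target filters that test CoS-generated attributes, and LDAP URLs that carry a hostname or port. This is an added example, not part of the manual; the sample ACIs, the host name, and the choice of employeeType as a CoS-generated attribute are constructed assumptions, and the caller supplies the real list of CoS-generated attributes.

```python
import re

# Host[:port] part of any LDAP URL in an ACI value ("ldap:///self" has none).
URL_HOST = re.compile(r'ldaps?://([^/"\s]*)/', re.IGNORECASE)
# Attribute names compared inside LDAP filters, e.g. (employeeType=manager).
FILTER_ATTR = re.compile(r'\(\s*([A-Za-z][\w;-]*)\s*[~<>]?=')
# Attribute named by a userattr bind rule: userattr = "attr#value".
USERATTR = re.compile(r'userattr\s*!?=\s*"\s*([^#"\s]+)\s*#', re.IGNORECASE)


def audit_aci(aci, cos_attrs=()):
    """Return (issue, detail) pairs for one ACI value."""
    findings = []
    # Pitfall 1: a host or port in the URL means the URL is ignored entirely.
    for match in URL_HOST.finditer(aci):
        if match.group(1):
            findings.append(("host-in-url", match.group(1)))
    # Pitfall 2: target filters / bind rules that test CoS-generated attributes.
    cos = {name.lower() for name in cos_attrs}
    for attr in FILTER_ATTR.findall(aci) + USERATTR.findall(aci):
        if attr.lower() in cos:
            findings.append(("cos-attr", attr))
    return findings


# Constructed sample ACIs; hosts, DNs and attribute choices are illustrative.
SAMPLES = [
    '(targetattr = "mail || telephoneNumber")(version 3.0; acl "self write"; '
    'allow (write) userdn = "ldap:///self";)',
    '(targetattr = "*")(version 3.0; acl "admins"; allow (all) groupdn = '
    '"ldap://ldap.example.com:389/cn=Directory Administrators,dc=example,dc=com";)',
    '(targetfilter = "(employeeType=manager)")(targetattr = "*")'
    '(version 3.0; acl "managers"; allow (read) userdn = "ldap:///anyone";)',
    '(targetattr = "*")(version 3.0; acl "dept"; allow (read) '
    'userattr = "employeeType#manager";)',
]
COS_ATTRS = ["employeeType"]  # assumption: attributes your CoS definitions generate

if __name__ == "__main__":
    for number, aci in enumerate(SAMPLES, 1):
        print(number, audit_aci(aci, COS_ATTRS) or "ok")
```

An ACI flagged with host-in-url is the one to look at first when it grants rights to an administrative group, because the manual states the URL is not taken into account at all.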
Default ACIs
When you install the Directory Server, the following default ACIs apply to your
directory information stored in the userRoot database:
• Users can modify a list of common attributes in their own entries. Those
attributes include, for example, userPassword, mail, telephoneNumber, seeAlso,
and so on. Operational and most of the security attributes such as aci,
nsroledn, passwordExpirationTime, and so on can't be modified by the users.
• Users have anonymous access to the directory for search, compare, and read
operations.
• The administrator (by default
uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot) has all
rights except proxy rights.
• All members of the Configuration Administrators group have all rights except
proxy rights.
• All members of the Directory Administrators group have all rights except
proxy rights.
• SIE group.
Whenever you create a new database in the directory, the top entry has the default
ACIs listed above.
The NetscapeRoot subtree has its own set of default ACIs:
• All members of the Configuration Administrators group have all rights on the
NetscapeRoot subtree except proxy rights.
• Users have anonymous access to the NetscapeRoot subtree for search and read
operations.
Chapter 6 Managing Access Control