In order for the client application to gain access to the Accounting subtree (using
the same access permissions as the Accounting Administrator):
• The Accounting Administrator must have access permissions to the ou=Accounting,dc=example,dc=com subtree. For example, the following ACI grants all rights to the Accounting Administrator entry:

aci: (target="ldap:///ou=Accounting,dc=example,dc=com") (targetattr="*") (version 3.0; acl "allowAll-AcctAdmin"; allow (all) userdn="ldap:///uid=AcctAdministrator,ou=Administrators,dc=example,dc=com")
• The following ACI granting proxy rights to the client application must exist in the directory:

aci: (target="ldap:///ou=Accounting,dc=example,dc=com") (targetattr="*") (version 3.0; acl "allowproxy-accountingsoftware"; allow (proxy) userdn="ldap:///uid=MoneyWizAcctSoftware,ou=Applications,dc=example,dc=com")
With this ACI in place, the MoneyWizAcctSoftware client application can bind to the directory and send an LDAP command such as ldapsearch or ldapmodify that requires the access rights of the proxy DN.

In the above example, if the client wanted to perform an ldapmodify command, the command would include the following controls:

#ldapmodify -D "uid=MoneyWizAcctSoftware,ou=Applications,dc=example,dc=com" -w secretpwd -y "uid=AcctAdministrator,ou=Administrators,dc=example,dc=com"

Note that the client or application (MoneyWizAcctSoftware) binds as itself, but is granted the privileges of the proxy entry (AcctAdministrator). The client does not need the password of the proxy entry. Because the proxy right lets MoneyWizAcctSoftware act as any DN that holds rights on the targeted subtree, not only AcctAdministrator, keep the target of the proxy ACI as narrow as the application needs. Also note that a password passed with -w is visible in the process list and in shell history.

NOTE
You cannot use the directory manager's DN (Root DN) as a proxy DN. In addition, if Directory Server receives more than one proxied authentication control, an error is returned to the client application and the bind attempt is unsuccessful.

Access Control Usage Examples
Chapter 6 Managing Access Control 255
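The following is an added example, not code from the Netscape manual or the Directory Server product: a small model of how the two ACIs above are evaluated when MoneyWizAcctSoftware sends a proxied-authorization control naming AcctAdministrator. It parses the ACI syntax printed on this page, then applies the two-step check (the bound DN needs the proxy right on the target; the proxied DN needs the requested right) and the two hard errors from the NOTE. Assumptions, all mine: exact-DN userdn matching only (no groupdn, roledn or filters), subtree targets, deny beats allow, a Root DN of cn=Directory Manager, and the RFC 4370 proxied authorization v2 control OID (the -y flag of the ldap tools builds the equivalent control for you). One detail worth seeing in code: in Directory Server ACIs, `all` grants every right except `proxy`, so allowAll-AcctAdmin does not let the administrator proxy as anyone.

```python
# Added example; simplified model of ACI evaluation under proxied authorization.
import re
from dataclasses import dataclass

PROXY_AUTHZ_OID = "2.16.840.1.113730.3.4.18"   # proxied authorization v2 (RFC 4370)
ROOT_DN = "cn=Directory Manager"                # assumed Root DN for this model
# In Directory Server ACIs, "all" means every right *except* proxy.
ALL_RIGHTS = frozenset({"read", "write", "add", "delete", "search", "compare", "selfwrite"})

# Subset of ACI syntax used on this page: target, targetattr, version/acl name,
# allow|deny (rights), userdn.  Input is whitespace-collapsed before matching.
ACI_RE = re.compile(
    r'\(target="ldap:///(?P<target>[^"]+)"\)\s*'
    r'\(targetattr="[^"]*"\)\s*'
    r'\(version 3\.0;\s*acl "(?P<name>[^"]+)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]+)\)\s*'
    r'userdn="ldap:///(?P<userdn>[^"]+)"\s*\)'
)


def norm_dn(dn):
    """Case- and whitespace-insensitive comparison form of a DN."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


@dataclass(frozen=True)
class Aci:
    name: str
    target: str
    effect: str
    rights: frozenset
    userdn: str


def parse_aci(text):
    """Parse one ACI value (may be line-wrapped as the manual prints it)."""
    m = ACI_RE.search(" ".join(text.split()))
    if not m:
        raise ValueError("unsupported ACI syntax: %r" % text)
    rights = frozenset(r.strip().lower() for r in m.group("rights").split(","))
    if "all" in rights:
        rights = (rights - {"all"}) | ALL_RIGHTS   # "all" never includes proxy
    return Aci(m.group("name"), norm_dn(m.group("target")), m.group("effect"),
               rights, norm_dn(m.group("userdn")))


def in_subtree(entry_dn, target_dn):
    entry_dn, target_dn = norm_dn(entry_dn), norm_dn(target_dn)
    return entry_dn == target_dn or entry_dn.endswith("," + target_dn)


def has_right(acis, who, right, entry_dn):
    """Does DN `who` hold `right` on `entry_dn`?  Any matching deny wins."""
    matching = [a for a in acis if a.userdn == norm_dn(who)
                and right in a.rights and in_subtree(entry_dn, a.target)]
    if any(a.effect == "deny" for a in matching):
        return False
    return any(a.effect == "allow" for a in matching)


def proxy_authz_control(proxy_dn):
    """The (oid, value) control a client attaches to act as proxy_dn."""
    return (PROXY_AUTHZ_OID, "dn:" + proxy_dn)


class ProxyAuthzError(Exception):
    """Server answers with an error instead of an access decision."""


def authorize(acis, bind_dn, controls, right, entry_dn):
    """Decide an operation by bind_dn on entry_dn that carries `controls`.

    Returns True/False for allowed/denied.  Raises ProxyAuthzError for the two
    cases the manual calls errors: Root DN named as proxy DN, or more than one
    proxied-authorization control on the request.
    """
    proxies = [value for oid, value in controls if oid == PROXY_AUTHZ_OID]
    if len(proxies) > 1:
        raise ProxyAuthzError("more than one proxied authorization control")
    effective_dn = bind_dn
    if proxies:
        authz_id = proxies[0]
        if not authz_id.startswith("dn:"):
            raise ProxyAuthzError("only dn: authzIds are modelled here")
        proxy_dn = authz_id[3:]
        if norm_dn(proxy_dn) == norm_dn(ROOT_DN):
            raise ProxyAuthzError("Root DN cannot be used as a proxy DN")
        # Step 1: the *bound* identity must hold the proxy right on the target.
        if not has_right(acis, bind_dn, "proxy", entry_dn):
            return False
        effective_dn = proxy_dn
    # Step 2: the effective identity must hold the requested right.
    return has_right(acis, effective_dn, right, entry_dn)


# Constructed inputs: the two ACIs from this page, wrapped as the manual prints them.
ACIS = [parse_aci(s) for s in (
    '''(target="ldap:///ou=Accounting,dc=example,dc=com")
       (targetattr="*") (version 3.0; acl "allowAll-AcctAdmin"; allow (all)
       userdn="ldap:///uid=AcctAdministrator,ou=Administrators,dc=example,dc=com")''',
    '''(target="ldap:///ou=Accounting,dc=example,dc=com")
       (targetattr="*") (version 3.0; acl "allowproxy-accountingsoftware"; allow (proxy)
       userdn="ldap:///uid=MoneyWizAcctSoftware,ou=Applications,dc=example,dc=com")''',
)]
APP_DN = "uid=MoneyWizAcctSoftware,ou=Applications,dc=example,dc=com"
ADMIN_DN = "uid=AcctAdministrator,ou=Administrators,dc=example,dc=com"
INVOICE = "cn=invoice-42,ou=Accounting,dc=example,dc=com"   # constructed entry

if __name__ == "__main__":
    ctl = [proxy_authz_control(ADMIN_DN)]
    print("app proxied as admin, write:", authorize(ACIS, APP_DN, ctl, "write", INVOICE))
    print("app alone, write:          ", authorize(ACIS, APP_DN, [], "write", INVOICE))
```

Run it and the first line prints True (bound as the application, acting as the administrator), the second False (the application holds only the proxy right, nothing of its own on the subtree). Swapping the roles, binding as AcctAdministrator and naming the application in the control, is also denied, because `all` does not include `proxy`.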