18.2. ACI Placement
acioperational attribute in directory entries. To set an ACI, add the
acito the corresponding directory entry. Directory Server applies the ACIs:
- Only to the entry that contains the ACI, if it does not have any child entries.For example, if a client requires access to the
uid=user_name,ou=People,dc=example,dc=comobject, and an ACI is only set on
dc=example,dc=comand not on any child entries, only this ACI is applied.
- To the entry that contains the ACI and to all entries below it, if it has child entries. As a direct consequence, when the server evaluates access permissions to any given entry, it verifies the ACIs for every entry between the one requested and the directory suffix, as well as the ACIs on the entry itself.For example, ACIs are set on the
ou=People,dc=example,dc=comentry. If a client wants to access the
uid=user_name,ou=People,dc=example,dc=comobject, which has no ACI set, Directory Server first validates the ACI on the
dc=example,dc=comentry. If this ACI grants access, Directory Server then verifies the ACI on
ou=People,dc=example,dc=com. If this ACI successfully authorizes the client, they can access the object.
rootDSEentry apply only to this entry.
inetOrgPersonobject class can be created at the level of an
organizationalUnitentry or a