18.8. Adding an ACI
18.8.1. Adding an ACI Using the Command Line
Use the ldapmodify utility to add an ACI. For example:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="userPassword") (version 3.0; acl "Allow users updating their password"; allow (write) userdn= "ldap:///self";)
18.8.2. Adding an ACI Using the Console
- Open the Directory Server Console.
- On the Directory tab, right-click the entry, and select Set Access Permissions.
- Enter the name of the ACI into the ACI Name field.
- On the Users tab, optionally add users, groups, roles, administrators, or special rights to the list by clicking the button:
- Enter a string into the Search for field, select a search area, and click .
- Select the entry from the search results and click.
- On the Rights tab, select the permissions to set in this ACI.
- On the Targets tab, select the target directory entry.
  Note: You can change the value of the target DN, but the new DN must be a direct or indirect child of the selected entry.

  If you do not want ACIs to target every entry in the sub-tree under this node, enter a filter in the Filter for Sub-entries field. The filter applies to every entry below the target entry. For example, setting the filter to ou=Sales means that only entries with ou=Sales in their DN are returned.

  Additionally, you can restrict the scope of the ACI to certain attributes by selecting the attributes in the list.
- On the Hosts tab, optionally add a DNS name or IP address. If you set a DNS name or IP address, the ACI applies only to LDAP operations from these hosts.
- On the Times tab, optionally select the times at which the ACI is applied. By default, access is allowed at all times. Change the access times by clicking and dragging the cursor over the table. Note that you can only select continuous time ranges.
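
The following added example (not part of the original documentation) checks an ACI value before it is handed to ldapmodify and splits it into the parts the console tabs edit: targets, name, rights and bind rule. The names `parse_aci` and `aci_to_ldif` are hypothetical, `SCOPED_ACI` is a constructed sample, and the keyword sets are taken from the Directory Server ACI syntax rather than from this page.

```python
import re

# Rights and bind-rule keywords of the Directory Server ACI syntax.
RIGHTS = {"read", "write", "add", "delete", "search", "compare",
          "selfwrite", "proxy", "all"}
BIND_KEYWORDS = {"userdn", "groupdn", "roledn", "userattr", "ip", "dns",
                 "timeofday", "dayofweek", "authmethod", "ssf"}

TARGET_RE = re.compile(r'\(\s*(\w+)\s*(!?=)\s*"([^"]*)"\s*\)')
ACI_RE = re.compile(
    r'^\s*(?P<targets>(?:\(\s*\w+\s*!?=\s*"[^"]*"\s*\)\s*)*)'
    r'\(\s*version\s+3\.0\s*;\s*acl\s+"(?P<name>[^"]+)"\s*;\s*'
    r'(?P<type>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'(?P<bind>.+?)\s*;\s*\)\s*$', re.S)

# The ACI from the ldapmodify example on this page.
PAGE_ACI = ('(targetattr="userPassword") (version 3.0; acl "Allow users '
            'updating their password"; allow (write) userdn= "ldap:///self";)')
# Constructed sample: sub-entry filter, host and time restrictions as keywords.
SCOPED_ACI = ('(targetattr="telephoneNumber")(targetfilter="(ou=Sales)")'
              '(version 3.0; acl "Sales phone self-service"; allow (write) '
              'userdn="ldap:///self" and dns="*.example.com" and '
              'timeofday >= "0800" and timeofday < "1800";)')


def parse_aci(value):
    """Split one aci value into its parts; raise ValueError if malformed."""
    m = ACI_RE.match(value)
    if not m:
        raise ValueError("not a well-formed version 3.0 ACI")
    rights = {r.strip().lower() for r in m["rights"].split(",") if r.strip()}
    if not rights or rights - RIGHTS:
        raise ValueError(f"bad rights list: {m['rights']!r}")
    used = {k.lower() for k in
            re.findall(r'\b(\w+)\s*(?:!?=|[<>]=?)\s*"', m["bind"])}
    if not used or used - BIND_KEYWORDS:
        raise ValueError(f"bad bind rule: {m['bind']!r}")
    targets = {k.lower(): (op, v)
               for k, op, v in TARGET_RE.findall(m["targets"])}
    return {"targets": targets, "name": m["name"], "type": m["type"],
            "rights": rights, "bind_rule": m["bind"], "bind_keywords": used}


def aci_to_ldif(entry_dn, value):
    """Validate value, then build the modify record fed to ldapmodify."""
    parse_aci(value)
    return f"dn: {entry_dn}\nchangetype: modify\nadd: aci\naci: {value}\n"
```

The string returned by `aci_to_ldif` has the same shape as the LDIF in section 18.8.1 and can be supplied to the ldapmodify command shown there.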