18.8. Adding an ACI

This section describes how you can add an ACI.

18.8.1. Adding an ACI Using the Command Line

Use the ldapmodify utility to add an ACI. For example: 
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="userPassword") (version 3.0; acl "Allow users updating their password";
 allow (write) userdn= "ldap:///self";)

18.8.2. Adding an ACI Using the Console

To use the console to add an ACI:
  1. Open the Directory Server Console.
  2. On the Directory tab, right-click the entry, and select Set Access Permissions
  3. Enter the name of the ACI into the ACI Name field.
  4. On the Users tab, optionally add users, groups, roles, administrators, or special rights to the list by clicking the Add button:
    1. Enter a string into the Search for field, select a search area, and click Search.
    2. Select the entry from the search results and click Add.
    3. Click OK.
  5. On the Rights tab, select the permissions to set in this ACI.
  6. On the Targets tab, select the target directory entry.

    Note

    You can change the value of the target DN, but the new DN must be a direct or indirect child of the selected entry.
    If you do not want ACIs to target every entry in the sub-tree under this node, enter a filter in the Filter for Sub-entries field. The filter applies to every entry below the target entry. For example, setting the filter to ou=Sales means that only entries with ou=Sales in their DN are returned.
    Additionally, you can restrict the scope of the ACI to certain attributes by selecting the attributes in the list.
  7. On the Hosts tab, optionally add a DNS name or IP address.
    If you set a DNS name or IP address, the ACI applies only to LDAP operations from these hosts.
  8. On the Times tab, optionally select at which times the ACI will be applied.
    By default, access is allowed at all times. Change the access times by clicking and dragging the cursor over the table. Note that you can only select continuous time ranges.
  9. Click OK.

Note

At any point of creating an ACI, click the Edit Manually button to display the LDIF statement corresponding to the wizard input. You can edit this statement in this window, however, the changes may not be visible in the graphical interface.