18.8. Adding an ACI
This section describes how you can add an ACI.
18.8.1. Adding an ACI Using the Command Line
Use the ldapmodify utility to add an ACI. For example:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="userPassword") (version 3.0; acl "Allow users updating their password"; allow (write) userdn= "ldap:///self";)
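The following Python sketch is an added example, not part of the original documentation or of Directory Server itself. It splits the ACI value from the command above into its targets, name, rights and bind rule, and flags two patterns worth reviewing before the ACI is applied with ldapmodify. The function names, the review rules and the BROAD_ACI sample are assumptions made for illustration, and the parser handles an ACI with a single allow or deny clause.

```python
import re

# ACI value copied from the ldapmodify example above.
PAGE_ACI = ('(targetattr="userPassword") (version 3.0; acl "Allow users updating '
            'their password"; allow (write) userdn= "ldap:///self";)')
# Constructed sample of an over-broad rule, for comparison only.
BROAD_ACI = ('(targetattr="*")(version 3.0; acl "constructed broad rule"; '
             'allow (all) userdn="ldap:///anyone";)')

TARGET_RE = re.compile(r'\(\s*(target\w*)\s*(!?=)\s*"([^"]*)"\s*\)')
BODY_RE = re.compile(
    r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;\s*'
    r'(allow|deny)\s*\(([^)]*)\)\s*(.+?)\s*;\s*\)\s*$', re.S)

def parse_aci(aci):
    """Split one ACI value into targets, name, type, rights and bind rule."""
    body = BODY_RE.search(aci)
    if body is None:
        raise ValueError("not a version 3.0 ACI: %r" % aci)
    head = aci[:body.start()]
    leftover = TARGET_RE.sub("", head).strip()
    if leftover:
        raise ValueError("unparsed target text: %r" % leftover)
    name, kind, rights, bind = body.groups()
    return {
        "targets": {k.lower(): (op, v) for k, op, v in TARGET_RE.findall(head)},
        "name": name,
        "type": kind,
        "rights": {r.strip().lower() for r in rights.split(",") if r.strip()},
        "bind_rule": bind,
    }

def review_aci(aci):
    """Return findings for an allow rule that is broader than a scoped grant."""
    p = parse_aci(aci)
    findings = []
    if p["type"] != "allow":
        return findings
    op, attrs = p["targets"].get("targetattr", ("=", ""))
    if op == "!=" or attrs.strip() == "*":
        findings.append("targetattr is a wildcard or negated list")
    changes = p["rights"] & {"write", "add", "delete", "all"}
    if changes and re.search(r"ldap:///(anyone|all)\b", p["bind_rule"], re.I):
        findings.append("modify rights for anyone/all: " + ",".join(sorted(changes)))
    return findings

if __name__ == "__main__":
    for sample in (PAGE_ACI, BROAD_ACI):
        print(parse_aci(sample)["name"], "->", review_aci(sample) or "no findings")
```

The ACI from the page produces no findings because it names one attribute and binds to ldap:///self; the constructed sample triggers both checks.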
18.8.2. Adding an ACI Using the Console
To use the console to add an ACI:
- Open the Directory Server Console.
- On the Directory tab, right-click the entry, and select Set Access Permissions.
- Enter the name of the ACI into the ACI Name field.
- On the Users tab, optionally add users, groups, roles, administrators, or special rights to the list by clicking the button:
- Enter a string into the Search for field, select a search area, and click .
- Select the entry from the search results and click.
- Click.
- On the Rights tab, select the permissions to set in this ACI.
- On the Targets tab, select the target directory entry.
Note
You can change the value of the target DN, but the new DN must be a direct or indirect child of the selected entry.
If you do not want ACIs to target every entry in the sub-tree under this node, enter a filter in the Filter for Sub-entries field. The filter applies to every entry below the target entry. For example, setting the filter to ou=Sales means that only entries with ou=Sales in their DN are returned.
Additionally, you can restrict the scope of the ACI to certain attributes by selecting the attributes in the list.
- On the Hosts tab, optionally add a DNS name or IP address. If you set a DNS name or IP address, the ACI applies only to LDAP operations from these hosts.
- On the Times tab, optionally select at which times the ACI will be applied. By default, access is allowed at all times. Change the access times by clicking and dragging the cursor over the table. Note that you can only select continuous time ranges.
- Click.
Note
At any point while creating an ACI, click the Edit Manually button to display the LDIF statement corresponding to the wizard input. You can edit this statement in this window. However, the changes may not be visible in the graphical interface.