Draft - ACI Based Access Control - Step by Step Guide
Task 1: Allow all users to search/browse the directory content (except passwords).
    { identificationTag "allUsersACI",
      precedence 10,
      authenticationLevel simple,
      itemOrUserFirst userFirst: {
        userClasses { allUsers },
        userPermissions {
          { precedence 10,
            protectedItems { entry, allUserAttributeTypesAndValues },
            grantsAndDenials { grantFilterMatch, grantBrowse, grantReturnDN, grantRead, grantCompare, grantDiscloseOnError } },
          { precedence 10,
            protectedItems { attributeType { userpassword } },
            grantsAndDenials { denyRead, denyCompare, denyFilterMatch } }
        }
      }
    }
Task 2: Allow all users to read/modify their own password (and nobody else's). Also restrict the number of password values to 1 per user.
    { identificationTag "selfControlPasswordACI",
      precedence 12,
      authenticationLevel simple,
      itemOrUserFirst userFirst: {
        userClasses { thisEntry },
        userPermissions {
          { precedence 12,
            protectedItems { entry },
            grantsAndDenials { grantModify } },
          { precedence 12,
            protectedItems { maxValueCount { { type userPassword, maxCount 1 } }, allAttributeValues { userpassword } },
            grantsAndDenials { grantRemove, grantAdd, grantRead } },
          { precedence 12,
            protectedItems { attributeType { userpassword } },
            grantsAndDenials { grantRead } }
        }
      }
    }
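To put the two ACI items from Task 1 and Task 2 into effect on ApacheDS they are stored as prescriptiveACI values of access control subentries below an administrative point, a step this draft does not yet show. The following Python script is an added example, not part of the guide: it takes the two ACI items above, checks their brace balance, and writes the LDIF that marks an assumed suffix (ou=system) as an accessControlSpecificArea and adds one subentry per ACI, base64-encoding and folding lines as RFC 2849 requires.

```python
import base64

ALL_USERS_ACI = (  # Task 1 ACI from the guide; ACI syntax ignores whitespace
    '{ identificationTag "allUsersACI", precedence 10, authenticationLevel simple, '
    'itemOrUserFirst userFirst: { userClasses { allUsers }, userPermissions { '
    '{ precedence 10, protectedItems { entry, allUserAttributeTypesAndValues }, '
    'grantsAndDenials { grantFilterMatch, grantBrowse, grantReturnDN, grantRead, '
    'grantCompare, grantDiscloseOnError } }, { precedence 10, protectedItems { '
    'attributeType { userpassword } }, grantsAndDenials { denyRead, denyCompare, '
    'denyFilterMatch } } } } }')
SELF_PASSWORD_ACI = (  # Task 2 ACI from the guide
    '{ identificationTag "selfControlPasswordACI", precedence 12, authenticationLevel '
    'simple, itemOrUserFirst userFirst: { userClasses { thisEntry }, userPermissions { '
    '{ precedence 12, protectedItems { entry }, grantsAndDenials { grantModify } }, '
    '{ precedence 12, protectedItems { maxValueCount { { type userPassword, maxCount 1 } }, '
    'allAttributeValues { userpassword } }, grantsAndDenials { grantRemove, grantAdd, '
    'grantRead } }, { precedence 12, protectedItems { attributeType { userpassword } }, '
    'grantsAndDenials { grantRead } } } } }')

def braces_balanced(aci):
    """Cheap sanity check: the server rejects an unbalanced ACI with little explanation."""
    depth = 0
    for ch in aci:
        depth += {"{": 1, "}": -1}.get(ch, 0)
        if depth < 0:
            return False
    return depth == 0

def ldif_attr(name, value):
    """One LDIF attribute line: base64 when RFC 2849 forbids the raw value, folded at 76 chars."""
    safe = (value.isascii() and value[:1] not in (" ", ":", "<")
            and not any(c in value for c in "\r\n\x00"))
    line = f"{name}: {value}" if safe else f"{name}:: {base64.b64encode(value.encode()).decode()}"
    # Continuation lines begin with exactly one space; unfolding strips "\n ".
    return "\n".join([line[:76]] + [" " + line[i:i + 75] for i in range(76, len(line), 75)])

def aci_subentry_ldif(suffix, tag, aci):
    """LDIF record adding one access control subentry that carries the ACI as prescriptiveACI."""
    if not braces_balanced(aci):
        raise ValueError(f"unbalanced braces in ACI {tag}")
    lines = [ldif_attr("dn", f"cn={tag},{suffix}"), "changetype: add",
             "objectClass: top", "objectClass: subentry", "objectClass: accessControlSubentry",
             ldif_attr("cn", tag), "subtreeSpecification: {}",  # {} = whole subtree of suffix
             ldif_attr("prescriptiveACI", aci)]
    return "\n".join(lines) + "\n"

def install_ldif(suffix, acis):
    """Whole LDIF: make the (assumed) suffix an access control administrative point, then add subentries."""
    head = (f"dn: {suffix}\nchangetype: modify\nadd: administrativeRole\n"
            "administrativeRole: accessControlSpecificArea\n-\n")
    return head + "\n" + "\n".join(aci_subentry_ldif(suffix, t, a) for t, a in acis)
```

Feed the result of install_ldif("ou=system", [("allUsersACI", ALL_USERS_ACI), ("selfControlPasswordACI", SELF_PASSWORD_ACI)]) to ldapmodify as the admin user; with the allUsers deny at precedence 10 and the thisEntry grant at precedence 12, only the entry's own user can read its userpassword.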