Draft - ACI-Based Access Control - Step-by-Step Guide
Task 1: Allow all users to search and browse the directory content, except for passwords. The first user permission grants the search/browse/read rights on the entry and all user attributes; the second, at the same precedence, denies read, compare and filter-match on the password attribute so that passwords are neither returned nor testable through search filters.
{
identificationTag "allUsersACI",
precedence 10,
authenticationLevel simple,
itemOrUserFirst userFirst:
{
userClasses { allUsers },
userPermissions
{
{
precedence 10,
protectedItems { entry, allUserAttributeTypesAndValues },
grantsAndDenials
{
grantFilterMatch,
grantBrowse,
grantReturnDN,
grantRead,
grantCompare,
grantDiscloseOnError
}
}
,
{
precedence 10,
protectedItems
{
attributeType { userpassword }
}
,
grantsAndDenials
{
denyRead,
denyCompare,
denyFilterMatch
}
}
}
}
}
Task 2: Allow each user to read and modify their own password (and no one else's), and limit each user to a single password value. This ACI applies only to the user's own entry (thisEntry) and is given precedence 12 so that, for that entry, it takes priority over the precedence-10 denial of password read/compare/filter-match from Task 1.
{
identificationTag "selfControlPasswordACI",
precedence 12,
authenticationLevel simple,
itemOrUserFirst userFirst:
{
userClasses { thisEntry },
userPermissions
{
{
precedence 12,
protectedItems { entry },
grantsAndDenials { grantModify }
}
,
{
precedence 12,
protectedItems
{
maxValueCount
{
{ type userPassword, maxCount 1 }
}
,
allAttributeValues { userpassword }
}
,
grantsAndDenials
{
grantRemove,
grantAdd,
grantRead
}
}
,
{
precedence 12,
protectedItems
{
attributeType { userpassword }
}
,
grantsAndDenials { grantRead }
}
}
}
}