The following ACIs allow anonymous read, search, and compare on select attributes of inetOrgPerson entries, while authenticated users can access several more. An authenticated user inherits the privileges of the anonymous ACI and can also change userPassword.
aci: (targetattr="objectclass || uid || cn || mail || sn || givenName")(targetfilter="(objectClass=inetorgperson)")
(version 3.0; acl "Anyone can access names and email addresses of entries representing people";
allow (read,search,compare) userdn="ldap:///anyone";)
aci: (targetattr="departmentNumber || manager || isMemberOf")(targetfilter="(objectClass=inetorgperson)")
(version 3.0; acl "Authenticated users can access these fields for entries representing people";
allow (read,search,compare) userdn="ldap:///all";)
aci: (targetattr="userPassword")(version 3.0; acl "Authenticated users can change password";
allow (write) userdn="ldap:///all";)
To prevent anonymous access to the directory server, set the global configuration property reject-unauthenticated-requests to true.
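To make the effect of these three ACIs concrete, here is an added example (not OpenDJ's own access-control code) that parses them and evaluates whether a given bind may read or write a given attribute. It models only the subset of ACI syntax used above: a targetattr list, an optional objectClass-equality targetfilter, a single allow clause, and userdn set to ldap:///anyone (includes anonymous binds) or ldap:///all (authenticated binds only). The bind DN, the sample entry's object classes and the reject_unauthenticated_requests flag are constructed for the example; the flag stands in for the global property named above and refuses anonymous requests before any ACI is consulted.

```python
"""Toy ACI evaluator for the three rules above (added example, not OpenDJ code).

Handles only: targetattr, an objectClass-equality targetfilter, one allow(...)
clause, and userdn="ldap:///anyone" or "ldap:///all". Real servers also
evaluate deny rules, subtree scope, bind rules, and much more.
"""
import re

# The three ACIs from the text, one per string, "aci: " prefix kept.
ACI_TEXT = [
    'aci: (targetattr="objectclass || uid || cn || mail || sn || givenName")'
    '(targetfilter="(objectClass=inetorgperson)")'
    '(version 3.0; acl "Anyone can access names and email addresses of entries '
    'representing people"; allow (read,search,compare) userdn="ldap:///anyone";)',
    'aci: (targetattr="departmentNumber || manager || isMemberOf")'
    '(targetfilter="(objectClass=inetorgperson)")'
    '(version 3.0; acl "Authenticated users can access these fields for entries '
    'representing people"; allow (read,search,compare) userdn="ldap:///all";)',
    'aci: (targetattr="userPassword")(version 3.0; acl "Authenticated users can '
    'change password"; allow (write) userdn="ldap:///all";)',
]

ACI_RE = re.compile(
    r'(?:aci: )?'
    r'\(targetattr="(?P<attrs>[^"]+)"\)'
    r'(?:\(targetfilter="\(objectClass=(?P<oc>[^)]+)\)"\))?'
    r'\(version 3\.0; acl "(?P<name>[^"]+)"; '
    r'allow \((?P<perms>[^)]+)\) userdn="ldap:///(?P<who>anyone|all)";\)',
    re.IGNORECASE,
)


def parse_acis(lines):
    """Parse each ACI string into a rule dict; reject syntax outside the subset."""
    rules = []
    for line in lines:
        m = ACI_RE.fullmatch(line.strip())
        if m is None:
            raise ValueError(f"unsupported ACI syntax: {line!r}")
        rules.append({
            "name": m["name"],
            "attrs": {a.strip().lower() for a in m["attrs"].split("||")},
            "objectclass": m["oc"].lower() if m["oc"] else None,
            "perms": {p.strip().lower() for p in m["perms"].split(",")},
            # "anyone" includes anonymous binds; "all" means authenticated users only
            "who": m["who"].lower(),
        })
    return rules


def is_allowed(rules, bind_dn, entry_objectclasses, attr, perm,
               reject_unauthenticated_requests=False):
    """True if some ACI grants `perm` on `attr` for this bind and entry.

    bind_dn=None models an anonymous bind. reject_unauthenticated_requests
    models the global property: when True, anonymous requests are refused
    before any ACI is evaluated.
    """
    anonymous = bind_dn is None
    if anonymous and reject_unauthenticated_requests:
        return False
    ocs = {oc.lower() for oc in entry_objectclasses}
    for rule in rules:
        if attr.lower() not in rule["attrs"]:
            continue
        if rule["objectclass"] and rule["objectclass"] not in ocs:
            continue
        if perm.lower() not in rule["perms"]:
            continue
        if rule["who"] == "all" and anonymous:
            continue
        return True
    return False


RULES = parse_acis(ACI_TEXT)
PERSON = ["top", "person", "inetOrgPerson"]          # constructed entry classes
USER = "uid=bjensen,ou=People,dc=example,dc=com"     # constructed bind DN


def demo():
    """Walk the cases the text describes and return their outcomes."""
    return {
        "anon_read_mail": is_allowed(RULES, None, PERSON, "mail", "read"),
        "anon_read_manager": is_allowed(RULES, None, PERSON, "manager", "read"),
        "user_read_manager": is_allowed(RULES, USER, PERSON, "manager", "read"),
        "user_write_password": is_allowed(RULES, USER, PERSON, "userPassword", "write"),
        "anon_read_cn_on_group": is_allowed(RULES, None, ["top", "groupOfNames"], "cn", "read"),
        "anon_read_mail_rejected": is_allowed(RULES, None, PERSON, "mail", "read",
                                              reject_unauthenticated_requests=True),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:26s} {'allowed' if ok else 'denied'}")
```

Running the block prints one line per case: the anonymous bind can read mail but not manager, the authenticated bind can read manager and write userPassword, the targetfilter keeps the first ACI from applying to a non-inetOrgPerson entry, and turning on the reject flag denies the anonymous read that the first ACI would otherwise grant.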