Access control rules can also be defined in the server configuration, specifically in the global-aci property of the access control handler.
This should generally be limited to access control rules that meet one or more of the following criteria:
- They need to apply to entries in backends other than those containing user data. This includes the root DSE, the server configuration, monitor entries, the LDAP changelog, administrative tasks, and other areas of the server. If these ACIs apply to data in a specific backend, then the target keyword should be used to limit the scope of the rule.
- They need to apply to one or more extended operations (using the extop target). ACIs that grant or deny access to extended operations must be defined in the global configuration.
- They need to apply to request controls (using the targetcontrol target). Although it is possible to define ACIs pertaining to request controls in user data (especially if those controls are only expected to be used with requests that target user data), ACIs pertaining to request controls are commonly placed in the global configuration.
For example, the following configuration change can be used to define a global ACI that grants members of the “Changelog Readers” group permission to read entries in the LDAP changelog.
dsconfig set-access-control-handler-prop --add 'global-aci:(target="ldap:///cn=changelog")(version 3.0; acl "Allow changelog read access"; allow (read,search,compare) groupdn="ldap:///ou=Changelog Readers,ou=Groups,dc=example,dc=com";)'
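The criteria above can be checked mechanically before a value is added to global-aci. The following is an added example, not part of the product documentation or the server's own code: it parses the target clauses of an ACI string (the (keyword="value") groups preceding "(version 3.0;") and reports why a rule may not belong in the global configuration. The sample ACIs, the user-data base DN dc=example,dc=com, and the group DNs are constructed for illustration; the extended operation OID 1.3.6.1.4.1.4203.1.11.1 is the standard Password Modify OID from RFC 3062.

```python
import re
from dataclasses import dataclass

# Assumption for this example: the backend holding user data is rooted here.
USER_DATA_BASE_DN = "dc=example,dc=com"

# Target keywords whose presence means the rule must live in global-aci.
GLOBAL_ONLY_KEYWORDS = {"extop", "targetcontrol"}

# Matches one target clause such as (target="ldap:///cn=changelog") or (targetattr!="userPassword").
TARGET_RE = re.compile(r'\(\s*(\w+)\s*(!?=)\s*"([^"]*)"\s*\)')
ACL_NAME_RE = re.compile(r'acl\s+"([^"]*)"')

# Constructed sample ACIs (not taken from any real deployment).
CHANGELOG_ACI = ('(target="ldap:///cn=changelog")(version 3.0; acl "Allow changelog read access"; '
                 'allow (read,search,compare) groupdn="ldap:///ou=Changelog Readers,ou=Groups,dc=example,dc=com";)')
EXTOP_ACI = ('(extop="1.3.6.1.4.1.4203.1.11.1")(version 3.0; acl "Allow password modify"; '
             'allow (read) groupdn="ldap:///cn=Password Admins,ou=Groups,dc=example,dc=com";)')
UNTARGETED_ACI = ('(targetattr="*")(version 3.0; acl "Anyone reads everything"; '
                  'allow (read,search,compare) userdn="ldap:///anyone";)')
USER_DATA_ACI = ('(target="ldap:///ou=People,dc=example,dc=com")(version 3.0; acl "Self read"; '
                 'allow (read,search,compare) userdn="ldap:///self";)')
SAMPLE_ACIS = [CHANGELOG_ACI, EXTOP_ACI, UNTARGETED_ACI, USER_DATA_ACI]


@dataclass
class ParsedAci:
    name: str
    targets: dict  # keyword -> (operator, value)


def parse_aci(aci: str) -> ParsedAci:
    """Split an ACI into its target clauses (before "(version") and its acl name."""
    version_idx = aci.find("(version")
    if version_idx < 0:
        raise ValueError("not an ACI: missing (version ...) body")
    head, body = aci[:version_idx], aci[version_idx:]
    targets = {kw.lower(): (op, val) for kw, op, val in TARGET_RE.findall(head)}
    match = ACL_NAME_RE.search(body)
    return ParsedAci(name=match.group(1) if match else "<unnamed>", targets=targets)


def _dn_from_target(value: str) -> str:
    # Target values are LDAP URLs of the form ldap:///<dn>; keep only the DN part.
    return value[len("ldap:///"):] if value.startswith("ldap:///") else value


def _is_under(dn: str, base: str) -> bool:
    # Case-insensitive suffix comparison; tolerates "dc=a, dc=b" spacing.
    dn_n, base_n = dn.replace(", ", ",").lower(), base.replace(", ", ",").lower()
    return dn_n == base_n or dn_n.endswith("," + base_n)


def audit_global_aci(aci: str, user_base_dn: str = USER_DATA_BASE_DN) -> list:
    """Return findings explaining why this ACI may not belong in global-aci.

    An empty list means the rule meets one of the criteria: it uses extop or
    targetcontrol, or it is scoped by a target outside the user-data backend.
    """
    parsed = parse_aci(aci)
    findings = []
    if parsed.targets.keys() & GLOBAL_ONLY_KEYWORDS:
        return findings  # extended-operation and control rules must be global
    target = parsed.targets.get("target")
    if target is None:
        findings.append(f'"{parsed.name}": no target clause; the rule applies to every entry in every backend')
        return findings
    op, value = target
    if op == "!=":
        findings.append(f'"{parsed.name}": negated target; the rule applies everywhere except {value}')
        return findings
    dn = _dn_from_target(value)
    if _is_under(dn, user_base_dn):
        findings.append(f'"{parsed.name}": targets {dn}, which is under user data {user_base_dn}; '
                        f'define it as an aci attribute in that backend instead')
    return findings


def audit_all(acis) -> dict:
    """Map each ACI's acl name to its list of findings."""
    return {parse_aci(a).name: audit_global_aci(a) for a in acis}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_ACIS).items():
        print(name, "->", findings or "ok for global-aci")
```

Run against SAMPLE_ACIS, the changelog and password-modify rules pass, the untargeted rule is flagged because without a target clause it reaches every backend, and the ou=People rule is flagged because it belongs in the user-data backend's own aci attribute rather than in global-aci.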