The following is a sample list of group-based ACIs that might be created for an OU that contains employee accounts (shown as LDIF, with each ACI value folded onto continuation lines that begin with a single space):

dn: ou=people,ou=internal,dc=example,dc=com
aci: (target = "ldap:///ou=people,ou=internal,dc=example,dc=com")
 (targetattr = "* || +")
 (version 3.0; acl "IP1 read internal people ou"; allow (search,read,compare)
 (groupdn="ldap:///cn=ADM-InternalPeopleRead,ou=groups,ou=admins,dc=example,dc=com");)
aci: (target = "ldap:///ou=people,ou=internal,dc=example,dc=com")
 (targetattr != "userpassword || authpassword")
 (version 3.0; acl "IP2 write internal people"; allow (write)
 (groupdn="ldap:///cn=ADM-InternalPeopleUpdate,ou=groups,ou=admins,dc=example,dc=com");)
aci: (target = "ldap:///ou=people,ou=internal,dc=example,dc=com")
 (targetattr = "userpassword || authpassword")
 (version 3.0; acl "IP3 password update internal people"; allow (write)
 (groupdn="ldap:///cn=ADM-InternalPeoplePwdReset,ou=groups,ou=admins,dc=example,dc=com");)
aci: (target = "ldap:///ou=people,ou=internal,dc=example,dc=com")
 (version 3.0; acl "IP4 add internal people"; allow (add)
 (groupdn="ldap:///cn=ADM-InternalPeopleAdd,ou=groups,ou=admins,dc=example,dc=com");)
aci: (target = "ldap:///ou=people,ou=internal,dc=example,dc=com")
 (version 3.0; acl "IP5 delete internal people"; allow (delete)
 (groupdn="ldap:///cn=ADM-InternalPeopleDel,ou=groups,ou=admins,dc=example,dc=com");)
aci: (target = "ldap:///ou=people,ou=internal,dc=example,dc=com")
 (version 3.0; acl "IP6 move branch internal people"; allow (import,export)
 (groupdn="ldap:///cn=ADM-InternalPeopleModDN,ou=groups,ou=admins,dc=example,dc=com");)

In this example, if we wanted to give the help desk the ability to search for user accounts, read user accounts, and reset passwords, we would place the help desk users into the following groups (either directly or, more likely, by creating a help desk group and nesting it into these groups):

  • ADM-InternalPeopleRead
  • ADM-InternalPeoplePwdReset

With descriptive group names, a user's rights in the directory can be read directly from that user's group memberships.

One further item to note is that the ACI that grants write access to userPassword (IP3) must be used in conjunction with the password-reset privilege before a help desk user can reset an employee's password. In the Privileges best practices section, there is an example virtual attribute that assigns the password-reset privilege to users who are direct or indirect members of the group ADM-PasswordReset.

To enable help desk users to reset the passwords of employees, those help desk users would need to be added to ADM-InternalPeoplePwdReset, which grants write access to userPassword. Then you would need to nest the ADM-InternalPeoplePwdReset group into the ADM-PasswordReset group that is used by that virtual attribute, which will grant those help desk users the password-reset privilege.
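The following added example (my own code, not part of the original page or of any directory server) models the two points made above: the help desk memberships in ADM-InternalPeopleRead and ADM-InternalPeoplePwdReset, and the separate requirement that ADM-InternalPeoplePwdReset be nested into ADM-PasswordReset to obtain the password-reset privilege. It parses only the subset of ACI syntax used in the listing with a regular expression (this is a toy evaluator, not the server's access-control engine), expands nested group membership transitively, and computes the rights a principal holds on a given attribute. The help desk group cn=ADM-HelpDesk and the DN of ADM-PasswordReset under ou=groups,ou=admins are assumptions; the page names only the cn values.

```python
import re

# Constructed: the six ACIs from the listing above, each as a single string.
ACIS = [
    '(target = "ldap:///ou=people,ou=internal,dc=example,dc=com")(targetattr = "* || +") '
    '(version 3.0; acl "IP1 read internal people ou"; allow (search,read,compare) '
    '(groupdn="ldap:///cn=ADM-InternalPeopleRead,ou=groups,ou=admins,dc=example,dc=com");)',
    '(target = "ldap:///ou=people,ou=internal,dc=example,dc=com")(targetattr != "userpassword || authpassword") '
    '(version 3.0; acl "IP2 write internal people"; allow (write) '
    '(groupdn="ldap:///cn=ADM-InternalPeopleUpdate,ou=groups,ou=admins,dc=example,dc=com");)',
    '(target = "ldap:///ou=people,ou=internal,dc=example,dc=com")(targetattr = "userpassword || authpassword") '
    '(version 3.0; acl "IP3 password update internal people"; allow (write) '
    '(groupdn="ldap:///cn=ADM-InternalPeoplePwdReset,ou=groups,ou=admins,dc=example,dc=com");)',
    '(target = "ldap:///ou=people,ou=internal,dc=example,dc=com") '
    '(version 3.0; acl "IP4 add internal people"; allow (add) '
    '(groupdn="ldap:///cn=ADM-InternalPeopleAdd,ou=groups,ou=admins,dc=example,dc=com");)',
    '(target = "ldap:///ou=people,ou=internal,dc=example,dc=com") '
    '(version 3.0; acl "IP5 delete internal people"; allow (delete) '
    '(groupdn="ldap:///cn=ADM-InternalPeopleDel,ou=groups,ou=admins,dc=example,dc=com");)',
    '(target = "ldap:///ou=people,ou=internal,dc=example,dc=com") '
    '(version 3.0; acl "IP6 move branch internal people"; allow (import,export) '
    '(groupdn="ldap:///cn=ADM-InternalPeopleModDN,ou=groups,ou=admins,dc=example,dc=com");)',
]

# Matches only the subset of the ACI grammar used above: one target, an optional
# targetattr (= or !=), one allow clause and one groupdn bind rule.
ACI_RE = re.compile(
    r'\(target\s*=\s*"ldap:///(?P<target>[^"]+)"\)'
    r'(?:\s*\(targetattr\s*(?P<op>!?=)\s*"(?P<attrs>[^"]+)"\))?'
    r'\s*\(version 3\.0;\s*acl\s+"(?P<name>[^"]+)";\s*allow\s*\((?P<rights>[^)]+)\)'
    r'\s*\(groupdn\s*=\s*"ldap:///(?P<group>[^"]+)"\);\)',
    re.IGNORECASE,
)

def parse_aci(text):
    """Parse one ACI of the supported subset into a dict (a toy parser, not the server's)."""
    m = ACI_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unsupported ACI syntax: {text[:40]}...")
    attrs = m["attrs"]
    return {
        "name": m["name"],
        "op": m["op"],  # "=", "!=" or None when the ACI has no targetattr (entry-level rights)
        "attrs": {a.strip().lower() for a in attrs.split("||")} if attrs else set(),
        "rights": {r.strip().lower() for r in m["rights"].split(",")},
        "group": m["group"].lower(),
    }

def effective_rights(acis, member_of, attr=None):
    """Union of rights granted by ACIs whose groupdn is among member_of.
    attr=None asks for entry-level rights (ACIs without targetattr); otherwise the rights
    on that attribute. "*" is treated as every attribute; the "+" wildcard is not modeled."""
    groups = {g.lower() for g in member_of}
    granted = set()
    for aci in acis:
        if aci["group"] not in groups:
            continue
        if aci["op"] is None:
            if attr is None:
                granted |= aci["rights"]
        elif attr is not None:
            matches = "*" in aci["attrs"] or attr.lower() in aci["attrs"]
            if matches == (aci["op"] == "="):  # "!=" grants on every attribute NOT listed
                granted |= aci["rights"]
    return granted

def expand_membership(direct_groups, nested_in):
    """Transitive membership: nested_in maps a group DN to the group DNs it is nested into."""
    member_of, todo = set(), list(direct_groups)
    while todo:
        grp = todo.pop()
        if grp not in member_of:
            member_of.add(grp)
            todo.extend(nested_in.get(grp, ()))
    return member_of

ADMIN_GROUPS = "ou=groups,ou=admins,dc=example,dc=com"
def group_dn(cn):
    return f"cn={cn},{ADMIN_GROUPS}"

PASSWORD_RESET_GROUP = group_dn("ADM-PasswordReset")  # assumed DN; the text gives only the cn

def can_reset_password(acis, member_of):
    """Both conditions from the text: ACI write on userPassword AND the password-reset
    privilege, modeled as membership of ADM-PasswordReset (the virtual attribute's rule)."""
    aci_write = "write" in effective_rights(acis, member_of, "userPassword")
    return aci_write and PASSWORD_RESET_GROUP in member_of

PARSED = [parse_aci(a) for a in ACIS]
HELP_DESK = group_dn("ADM-HelpDesk")  # constructed help desk group, nested as the text suggests
NESTING = {
    HELP_DESK: {group_dn("ADM-InternalPeopleRead"), group_dn("ADM-InternalPeoplePwdReset")},
    group_dn("ADM-InternalPeoplePwdReset"): {PASSWORD_RESET_GROUP},
}
HELP_DESK_MEMBERSHIP = expand_membership({HELP_DESK}, NESTING)

if __name__ == "__main__":
    for attr in ("mail", "userPassword"):
        print(attr, sorted(effective_rights(PARSED, HELP_DESK_MEMBERSHIP, attr)))
    print("entry-level:", sorted(effective_rights(PARSED, HELP_DESK_MEMBERSHIP)))
    print("can reset:", can_reset_password(PARSED, HELP_DESK_MEMBERSHIP))
    without_priv = expand_membership({HELP_DESK}, {HELP_DESK: NESTING[HELP_DESK]})
    print("can reset without ADM-PasswordReset nesting:", can_reset_password(PARSED, without_priv))
```

Running the script shows that a help desk member reads every attribute (IP1), can write userPassword (IP3) but nothing else, holds no add, delete, import or export rights, and can reset passwords only when ADM-InternalPeoplePwdReset is also nested into ADM-PasswordReset. The model also makes the shape of IP2 visible: because its targetattr uses !=, membership of ADM-InternalPeopleUpdate grants write on any attribute that is not userpassword or authpassword, including attributes added to the schema later, which is worth keeping in mind when reviewing such a rule.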