The following is a sample list of group-based ACIs that might be created for an OU that contains employee accounts:
dn: ou=people,ou=internal,dc=example,dc=com
aci: (target = "ldap:///ou=people,ou=internal,dc=example,dc=com")(targetattr = "* || +")
 (version 3.0; acl "IP1 read internal people ou"; allow (search,read,compare)
 (groupdn="ldap:///cn=ADM-InternalPeopleRead,ou=groups,ou=admins,dc=example,dc=com");)
aci: (target = "ldap:///ou=people,ou=internal,dc=example,dc=com")(targetattr != "userpassword || authpassword")
 (version 3.0; acl "IP2 write internal people"; allow (write)
 (groupdn="ldap:///cn=ADM-InternalPeopleUpdate,ou=groups,ou=admins,dc=example,dc=com");)
aci: (target = "ldap:///ou=people,ou=internal,dc=example,dc=com")(targetattr = "userpassword || authpassword")
 (version 3.0; acl "IP3 password update internal people"; allow (write)
 (groupdn="ldap:///cn=ADM-InternalPeoplePwdReset,ou=groups,ou=admins,dc=example,dc=com");)
aci: (target = "ldap:///ou=people,ou=internal,dc=example,dc=com")
 (version 3.0; acl "IP4 add internal people"; allow (add)
 (groupdn="ldap:///cn=ADM-InternalPeopleAdd,ou=groups,ou=admins,dc=example,dc=com");)
aci: (target = "ldap:///ou=people,ou=internal,dc=example,dc=com")
 (version 3.0; acl "IP5 delete internal people"; allow (delete)
 (groupdn="ldap:///cn=ADM-InternalPeopleDel,ou=groups,ou=admins,dc=example,dc=com");)
aci: (target = "ldap:///ou=people,ou=internal,dc=example,dc=com")
 (version 3.0; acl "IP6 move branch internal people"; allow (import,export)
 (groupdn="ldap:///cn=ADM-InternalPeopleModDN,ou=groups,ou=admins,dc=example,dc=com");)
In this example, if we wanted to give the help desk the ability to search for user accounts, read user accounts, and reset passwords, we would place the help desk users into the following groups (either directly or, more likely, by creating a help desk group and nesting it into these groups):
ADM-InternalPeopleRead
ADM-InternalPeoplePwdReset
With descriptive group names, this makes the determination of a user’s rights to the directory intuitively obvious.
One further item to note is that the ACI that grants write access to userPassword (IP3) will need to be used in conjunction with the password-reset privilege before the help desk user can reset an employee's password. In the Privileges best practices section, there is an example virtual attribute that is used to assign the password-reset privilege to users that are direct or indirect members of the group ADM-PasswordReset.
To enable help desk users to reset the passwords of employees, those help desk users would need to be added to ADM-InternalPeoplePwdReset, which grants write access to userPassword. Then you would need to nest the ADM-InternalPeoplePwdReset group into the ADM-PasswordReset group that is used by that virtual attribute, which will grant those help desk users the password-reset privilege.
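As an added example (not part of the original text or of any directory server product), the following Python models both the ACI list above and the group-nesting scheme described for the help desk: it parses each ACI's rights, subject group and targetattr clause, expands nested memberships, and reports which rights a user ends up with on a given attribute. The HelpDesk group, the nesting map, and the treatment of a missing targetattr clause as "not attribute-scoped" are assumptions made for the example; the password-reset privilege is modelled simply as effective membership in ADM-PasswordReset, standing in for the virtual attribute described above.

```python
import re
# Constructed sample: the six group-based ACIs from the text, each collapsed to one line.
ACIS = [
    '(target = "ldap:///ou=people,ou=internal,dc=example,dc=com")(targetattr = "* || +") (version 3.0; acl "IP1 read internal people ou"; allow (search,read,compare) (groupdn="ldap:///cn=ADM-InternalPeopleRead,ou=groups,ou=admins,dc=example,dc=com");)',
    '(target = "ldap:///ou=people,ou=internal,dc=example,dc=com")(targetattr != "userpassword || authpassword") (version 3.0; acl "IP2 write internal people"; allow (write) (groupdn="ldap:///cn=ADM-InternalPeopleUpdate,ou=groups,ou=admins,dc=example,dc=com");)',
    '(target = "ldap:///ou=people,ou=internal,dc=example,dc=com")(targetattr = "userpassword || authpassword") (version 3.0; acl "IP3 password update internal people"; allow (write) (groupdn="ldap:///cn=ADM-InternalPeoplePwdReset,ou=groups,ou=admins,dc=example,dc=com");)',
    '(target = "ldap:///ou=people,ou=internal,dc=example,dc=com") (version 3.0; acl "IP4 add internal people"; allow (add) (groupdn="ldap:///cn=ADM-InternalPeopleAdd,ou=groups,ou=admins,dc=example,dc=com");)',
    '(target = "ldap:///ou=people,ou=internal,dc=example,dc=com") (version 3.0; acl "IP5 delete internal people"; allow (delete) (groupdn="ldap:///cn=ADM-InternalPeopleDel,ou=groups,ou=admins,dc=example,dc=com");)',
    '(target = "ldap:///ou=people,ou=internal,dc=example,dc=com") (version 3.0; acl "IP6 move branch internal people"; allow (import,export) (groupdn="ldap:///cn=ADM-InternalPeopleModDN,ou=groups,ou=admins,dc=example,dc=com");)',
]
# Constructed nesting (assumption): a hypothetical HelpDesk group nested into the two groups the text names,
# and ADM-InternalPeoplePwdReset nested into ADM-PasswordReset, the group the password-reset virtual attribute uses.
NESTING = {"HelpDesk": ["ADM-InternalPeopleRead", "ADM-InternalPeoplePwdReset"],
           "ADM-InternalPeoplePwdReset": ["ADM-PasswordReset"]}

def parse_aci(text):
    """Extract granted rights, subject group cn and the targetattr clause from one ACI string."""
    m = re.search(r'allow\s*\(([^)]*)\)\s*\(groupdn="ldap:///cn=([^,]+),', text)
    ta = re.search(r'\(targetattr\s*(!?=)\s*"([^"]*)"\)', text)
    return {"rights": {r.strip() for r in m.group(1).split(",")}, "group": m.group(2),
            # no targetattr clause (IP4-IP6): treat the ACI as not attribute-scoped (assumption)
            "attrs": None if ta is None else {a.strip().lower() for a in ta.group(2).split("||")},
            "negate": ta is not None and ta.group(1) == "!="}

def covers(aci, attr):
    """True if the ACI's targetattr clause applies to attr; '*' is taken to match any attribute."""
    if aci["attrs"] is None:
        return True
    hit = attr.lower() in aci["attrs"] or "*" in aci["attrs"]
    return not hit if aci["negate"] else hit

def effective_groups(direct, nesting):
    """Expand direct memberships through nesting (maps a group to the groups it is a member of)."""
    seen, stack = set(), list(direct)
    while stack:
        g = stack.pop()
        if g not in seen:
            seen.add(g)
            stack.extend(nesting.get(g, ()))
    return seen

def rights_on(attr, direct, nesting, acis=ACIS):
    """Union of the rights that every matching ACI grants on attr to a user with these memberships."""
    groups = effective_groups(direct, nesting)
    return set().union(*(a["rights"] for a in map(parse_aci, acis) if a["group"] in groups and covers(a, attr)))

def can_reset_password(direct, nesting):
    """IP3 write on userPassword plus the password-reset privilege, modelled as ADM-PasswordReset membership."""
    return "write" in rights_on("userPassword", direct, nesting) and "ADM-PasswordReset" in effective_groups(direct, nesting)
```

Running `rights_on("userPassword", ["HelpDesk"], NESTING)` shows the help desk gets read-side rights from IP1 and write from IP3 but nothing from IP2, whose negated targetattr excludes the password attributes; `can_reset_password` is only true once the nesting into ADM-PasswordReset is in place.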