Netscape Directory Server Administrator’s Guide • August 2002

Viewing the ACIs for an Entry

You can view all the ACIs under a single suffix in the directory by running the following ldapsearch command:

ldapsearch -h host -p port -b baseDN -D rootDN -w rootPassword "(aci=*)" aci

See Netscape Directory Server Configuration, Command, and File Reference for information on using the ldapsearch utility.

From the Console, you can view all of the ACIs that apply to a particular entry through the Access Control Manager.

1. In the Directory Console, on the Directory tab, right-click the entry in the navigation tree, and select Set Access Permissions.

   The Access Control Manager is displayed. It contains a list of the ACIs belonging to the selected entry.

2. Check the Show Inherited ACIs checkbox to display all ACIs created on entries above the selected entry that also apply.

Advanced Access Control: Using Macro ACIs

In organizations that use repeating directory tree structures, it is possible to optimize the number of ACIs used in the directory by using macros. Reducing the number of ACIs in your directory tree makes it easier to manage your access control policy, and improves the efficiency of ACI memory usage.

Macros are placeholders that are used to represent a DN, or a portion of a DN, in an ACI. You can use a macro to represent a DN in the target portion of the ACI, or in the bind rule portion, or both. In practice, when Directory Server gets an incoming LDAP operation, the ACI macros are matched against the resource targeted by the LDAP operation. If there is a match, the macro is replaced by the value of the DN of the targeted resource. Directory Server then evaluates the ACI normally.

NOTE You cannot use the directory manager’s DN (Root DN) as a proxy DN. In addition, if Directory Server receives more than one proxied authentication control, an error is returned to the client application and the bind attempt is unsuccessful.
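The (aci=*) search shown earlier prints its results as LDIF, with long aci values folded across lines and sometimes base64-encoded. As an added example (not taken from the guide), the following Python sketch unfolds that output into one ACI string per value and lists the allow rules whose userdn subject is ldap:///anyone or ldap:///all. The function names are hypothetical and the sample LDIF is constructed.

```python
import base64
import re

# Constructed sample of the search output (LDIF); not real directory data.
SELF_WRITE = ('(targetattr = "userPassword")(version 3.0; acl "Self write"; '
              'allow (write) userdn = "ldap:///self";)')
SAMPLE_LDIF = '''\
dn: dc=example,dc=com
aci: (targetattr != "userPassword")(version 3.0; acl "Anonymous read";
  allow (read, search, compare) userdn = "ldap:///anyone";)

dn: ou=People,dc=example,dc=com
aci: (targetattr = "*")(version 3.0; acl "Admins full access"; allow (all)
  groupdn = "ldap:///cn=Directory Administrators,dc=example,dc=com";)
aci:: ''' + base64.b64encode(SELF_WRITE.encode()).decode() + "\n"

ACL_NAME = re.compile(r'acl\s+"([^"]*)"')
ALLOW = re.compile(r'allow\s*\(([^)]*)\)')
# Subjects that match every client (anyone) or every authenticated user (all).
BROAD = re.compile(r'userdn\s*=\s*"[^"]*ldap:///(anyone|all)\b', re.I)

def parse_acis(ldif_text):
    """Return {entry DN: [ACI string, ...]} from LDIF text."""
    # LDIF folding: a line that starts with one space continues the previous line.
    unfolded = re.sub(r"\r?\n ", "", ldif_text)
    acis, dn = {}, None
    for line in unfolded.splitlines():
        name, sep, value = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        if value.startswith(":"):  # "attr:: value" marks a base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        value = value.strip()
        if name.lower() == "dn":
            dn = value
        elif name.lower() == "aci" and dn is not None:
            acis.setdefault(dn, []).append(value)
    return acis

def broad_acis(acis_by_dn):
    """Return (dn, acl name, rights, subject) for allow rules open to anyone/all."""
    findings = []
    for dn, acis in acis_by_dn.items():
        for aci in acis:
            allow, subject = ALLOW.search(aci), BROAD.search(aci)
            if allow and subject:  # heuristic: first allow clause, userdn keyword only
                name = ACL_NAME.search(aci)
                findings.append((dn, name.group(1) if name else "?",
                                 allow.group(1), subject.group(1).lower()))
    return findings
```

To review a live directory, save the ldapsearch output to a file and pass its contents to parse_acis in place of SAMPLE_LDIF.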