Access Control Usage Examples
244 Red Hat Directory Server Administrator’s Guide • May 2005

Granting Anonymous Access

Most directories are run such that you can anonymously access at least one suffix for read, search, or compare. For example, you might want to set these permissions if you are running a corporate personnel directory that you want employees to be able to search, such as a phonebook. This is the case at example.com internally and is illustrated in the ACI “Anonymous example.com” example.

As an ISP, example.com also wants to advertise the contact information of all of its subscribers by creating a public phonebook accessible to the world. This is illustrated in the ACI “Anonymous World” example.

ACI “Anonymous example.com”

In LDIF, to grant read, search, and compare permissions to the entire example.com tree to example.com employees, you would write the following statement:

aci: (targetattr !="userPassword")(version 3.0; acl "AnonymousExample"; allow (read, search, compare) userdn= "ldap:///anyone" and dns="*.example.com";)

This example assumes that the aci is added to the dc=example,dc=com entry. The userPassword attribute is excluded from the scope of the ACI.

From the Console, you can set this permission by doing the following:

1. In the Directory tab, right click the example.com node in the left navigation tree, and choose Set Access Permissions from the pop-up menu to display the Access Control Manager.

2. Click New to display the Access Control Editor.

3. In the Users/Groups tab in the ACI name field, type Anonymous example.com. Check that All Users is displayed in the list of users granted access permission.

4. In the Rights tab, tick the checkboxes for read, compare, and search rights. Make sure the other checkboxes are clear.

5. In the Targets tab, click This Entry to display the dc=example,dc=com suffix in the target directory entry field. In the attribute table, locate the userPassword attribute, and clear the corresponding checkbox. All other checkboxes should be ticked. This task is made easier if you click the Name header to organize the list of attributes alphabetically.
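
The following is an added example, not part of the original guide or of Directory Server: a small Python audit that parses ACIs of the form shown above and reports what each one grants to unauthenticated clients. The function name, the finding strings, and the second and third sample ACIs are assumptions made for illustration; only the single-targetattr form used on this page is handled.

```python
import re

# Constructed samples: the first is the ACI from the text above; the other two
# are hypothetical variants written for this example.
SAMPLE_ACIS = [
    'aci: (targetattr !="userPassword")(version 3.0; acl "AnonymousExample"; '
    'allow (read, search, compare) userdn= "ldap:///anyone" '
    'and dns="*.example.com";)',
    'aci: (targetattr ="*")(version 3.0; acl "Hypothetical open read"; '
    'allow (read, search, compare) userdn="ldap:///anyone";)',
    'aci: (targetattr !="telephoneNumber")(version 3.0; acl "Hypothetical '
    'writable"; allow (read, write) userdn="ldap:///anyone";)',
]
# Matches: (targetattr OP "list")(version 3.0; acl "name"; allow|deny (rights) bind;)
ACI_RE = re.compile(
    r'^\s*(?:aci:\s*)?\(\s*targetattr\s*(?P<op>!?=)\s*"(?P<attrs>[^"]*)"\s*\)'
    r'\s*\(\s*version\s+3\.0\s*;\s*acl\s+"(?P<name>[^"]*)"\s*;'
    r'\s*(?P<kind>allow|deny)\s*\((?P<rights>[^)]*)\)\s*(?P<bind>.*?);\s*\)\s*$',
    re.I | re.S)
READ_RIGHTS = {"read", "search", "compare"}


def audit_anonymous_aci(aci):
    """Report what an ACI hands to unauthenticated clients."""
    m = ACI_RE.match(aci)
    if m is None:
        raise ValueError("unsupported ACI form")
    bind = m["bind"]
    anonymous = (m["kind"].lower() == "allow" and
                 re.search(r'userdn\s*=\s*"ldap:///anyone"', bind, re.I) is not None)
    dns = re.search(r'\bdns\s*=\s*"([^"]*)"', bind, re.I)
    attrs = {a.strip().lower() for a in m["attrs"].split("||")}
    rights = {r.strip().lower() for r in m["rights"].split(",")}
    findings = []
    if anonymous:
        # "!=" targets every attribute except those listed; "=" only those listed.
        exposed = ("userpassword" not in attrs if m["op"] == "!="
                   else bool(attrs & {"*", "userpassword"}))
        if exposed:
            findings.append("userPassword is within anonymous scope")
        extra = sorted(rights - READ_RIGHTS)
        if extra:
            findings.append(f"extra anonymous rights: {', '.join(extra)}")
    scope = ("none" if not anonymous
             else ("hosts matching " + dns.group(1)) if dns else "world")
    return {"name": m["name"], "scope": scope, "findings": findings}


if __name__ == "__main__":
    for sample in SAMPLE_ACIS:
        print(audit_anonymous_aci(sample))
```
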