Access Control Usage Examples
Chapter 6 Managing Access Control

8. To enforce SSL authentication from HostedCompany1 administrators, switch to manual editing by clicking the Edit Manually button. Add the following to the end of the LDIF statement:

and (authmethod="ssl")

The LDIF statement should be similar to:

aci: (targetattr = "*")
 (target="ou=HostedCompany1,ou=corporate-clients,dc=example,dc=com")
 (version 3.0; acl "HostedCompany1"; allow (all)
  (roledn="ldap:///cn=DirectoryAdmin,ou=HostedCompany1,ou=corporate-clients,dc=example,dc=com")
  and (dayofweek="Mon,Tue,Wed,Thu")
  and (timeofday >= "0800" and timeofday <= "1800")
  and (ip="255.255.123.234") and (authmethod="ssl"); )

9. Click OK.

The new ACI is added to the ones listed in the Access Control Manager window.

Denying Access

If your directory holds business-critical information, you might specifically want to deny access to it.

For example, example.com wants all subscribers to be able to read billing information such as connection time or account balance under their own entries but explicitly wants to deny write access to that information. This is illustrated in ACI “Billing Info Read” and ACI “Billing Info Deny,” respectively.

ACI “Billing Info Read”

In LDIF, to grant subscribers permission to read billing information in their own entry, you would write the following statement:

aci: (targetattr="connectionTime || accountBalance")
 (version 3.0; acl "Billing Info Read"; allow (search,read)
  userdn="ldap:///self";)

This example assumes that the relevant attributes have been created in the schema and that the ACI is added to the ou=subscribers,dc=example,dc=com entry.

From the Console, you can set this permission by doing the following: