| # LDIF content file: one naming context (dc=domain,dc=example,dc=com) carrying an
| # X.500-style access-control subentry (prescriptiveACI), three OUs, two groups, an
| # admin user and a service account used for application binds. The example.com
| # suffix and literal passwords suggest a test fixture — confirm before reusing.
| version: 1
|
| # Administrative point: accessControlSpecificArea means the prescriptiveACI values
| # held by the subentry below govern access to everything under this DN.
| dn: dc=domain,dc=example,dc=com
| objectclass: top
| objectclass: domain
| administrativeRole: accessControlSpecificArea
| dc: domain
|
| # Access-control subentry. subtreeSpecification { } is the empty (default)
| # specification, i.e. the ACIs cover the whole administrative area above.
| dn: cn=domainAuthenticationRequirementsACISubentry,dc=domain,dc=example,dc=com
| objectClass: accessControlSubentry
| objectClass: subentry
| objectClass: top
| subtreeSpecification: { }
| # subtreeFullAccessACI (precedence 11, requires simple bind): uid=application is
| # granted add/remove/modify/rename/read/browse/compare/filterMatch/returnDN on
| # every entry and all user attributes. That is directory-superuser scope for a
| # service account, and because precedence 11 outranks the precedence-9 deny in
| # allUsersACI, under X.500 BAC precedence rules this account can also read
| # userPassword values. If the application only performs lookups, restrict it to
| # grantRead/grantBrowse/grantCompare/grantFilterMatch/grantReturnDN and add an
| # explicit deny on attributeType { userPassword } at the same precedence.
| prescriptiveACI: { identificationTag "subtreeFullAccessACI", precedence 11, authenticationLevel simple, itemOrUserFirst userFirst: { userClasses { name { "uid=application,ou=bind,dc=domain,dc=example,dc=com" } }, userPermissions { { protectedItems { entry, allUserAttributeTypesAndValues }, grantsAndDenials { grantCompare, grantBrowse, grantRename, grantRemove, grantAdd, grantRead, grantFilterMatch, grantReturnDN, grantModify } } } } }
| # allUsersACI (precedence 9, authenticationLevel none): anonymous and bound users
| # alike may read, browse, compare and search every entry and all user attributes;
| # only read/compare/filterMatch on userPassword are denied. Directory-wide
| # anonymous read exposes account names and group membership — acceptable for a
| # local fixture, not for a deployment; raise authenticationLevel or narrow
| # userClasses if this file is ever used beyond testing.
| prescriptiveACI: { identificationTag "allUsersACI", precedence 9, authenticationLevel none, itemOrUserFirst userFirst: { userClasses { allUsers }, userPermissions { { protectedItems { attributeType { userPassword } }, grantsAndDenials { denyRead, denyFilterMatch, denyCompare } }, { protectedItems { entry, allUserAttributeTypesAndValues }, grantsAndDenials { grantCompare, grantBrowse,grantDiscloseOnError, grantRead, grantFilterMatch, grantReturnDN } } } } }
| cn: domainAuthenticationRequirementsACISubentry
|
| dn: ou=groups,dc=domain,dc=example,dc=com
| objectClass: top
| objectClass: organizationalUnit
| ou: groups
|
| dn: ou=users,dc=domain,dc=example,dc=com
| objectClass: top
| objectClass: organizationalUnit
| ou: users
|
| # Separate container for bind-only service accounts (see uid=application below).
| dn: ou=bind,dc=domain,dc=example,dc=com
| objectClass: top
| objectClass: organizationalUnit
| ou: bind
|
| # Directory admin account. userPassword is stored here as a cleartext literal;
| # make sure the server hashes userPassword on import (or pre-hash the value) and
| # that this fixture credential is never reused outside the test environment.
| dn: uid=admin,ou=users,dc=domain,dc=example,dc=com
| objectClass: top
| objectClass: inetOrgPerson
| objectClass: person
| objectClass: organizationalPerson
| cn: system administrator
| sn: administrator
| displayName: Directory Superuser
| uid: admin
| userPassword: admin-secret
|
| # Both groups currently list only uid=admin. The application bind user is not a
| # member of either; its rights come solely from subtreeFullAccessACI above.
| dn: cn=login,ou=groups,dc=domain,dc=example,dc=com
| objectClass: top
| objectClass: groupOfUniqueNames
| cn: login
| uniqueMember: uid=admin,ou=users,dc=domain,dc=example,dc=com
|
| dn: cn=admins,ou=groups,dc=domain,dc=example,dc=com
| objectClass: top
| objectClass: groupOfUniqueNames
| cn: admins
| uniqueMember: uid=admin,ou=users,dc=domain,dc=example,dc=com
|
| # Service account the application binds as; granted full subtree access by
| # subtreeFullAccessACI. Cleartext fixture password as above. NOTE(review):
| # sn: administrator looks copied from the admin entry — confirm it is intended.
| dn: uid=application,ou=bind,dc=domain,dc=example,dc=com
| objectClass: top
| objectClass: inetOrgPerson
| objectClass: person
| objectClass: organizationalPerson
| cn: application bind user
| sn: administrator
| displayName: Application User
| uid: application
| userPassword: app-secret
|
|