Just a quick example, for DSEE. This will give a group (let's call them "auditors") full rights to view everything in the directory, except for user passwords.
Do something like this:
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr != "userpassword")(target = "ldap:///dc=example,dc=com")
 (version 3.0; acl "Auditors access to root "; allow (read,compare,search)
 (groupdn = "ldap:///cn=Auditors,ou=Groups,dc=example,dc=com");)
Members of the "cn=Auditors" group will have the right to read every attribute value in the directory, except userPassword.
Note: Remember, LDIF breaks "officially" at 80 characters, and line continuation is indicated by indenting the next line by one space, but you can break before or after 80 characters regardless. An indented line is always treated as a continuation of the previous line. I've broken the lines above a bit shorter than usual for readability.

Also note that aci is a multi-valued attribute: importing this as an add will append to any existing list. If you were to do a replace instead, any existing ACIs would be wiped out. Take care with deletes! My practice is usually to re-apply (replace) the entire list of ACIs at once to avoid mistakes. One good after-effect of that is a text document with all my ACIs that I can use to update cvs. You are keeping a running record of your configurations in a source control system, aren't you?
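As an added example (not part of the original post), here is a small Python helper that pulls apart an ACI of the shape shown above, checks whether it would let the subjects read userPassword, and builds the "replace the whole list" LDIF the note recommends, folding long lines with the one-space continuation rule. The sample ACI is constructed from the post's example; the assumption that a missing targetattr clause means "all attributes" is a conservative choice for the check, not a statement of DSEE's default.

```python
import re

# Constructed sample, modelled on the auditors ACI in the post (not the post's own text).
AUDITOR_ACI = (
    '(targetattr != "userpassword")(target = "ldap:///dc=example,dc=com")'
    '(version 3.0; acl "Auditors access to root "; allow (read,compare,search) '
    '(groupdn = "ldap:///cn=Auditors,ou=Groups,dc=example,dc=com");)'
)

_TARGETATTR = re.compile(r'\(targetattr\s*(!=|=)\s*"([^"]*)"\)', re.I)
_TARGET = re.compile(r'\(target\s*(!=|=)\s*"([^"]*)"\)', re.I)
_ACL_NAME = re.compile(r'\(version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;', re.I)
_RULE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*\((.*?)\)\s*;', re.I | re.S)

def parse_aci(aci):
    """Split a DSEE version 3.0 ACI into its target, rights and bind-rule parts."""
    ta, tg = _TARGETATTR.search(aci), _TARGET.search(aci)
    name, rule = _ACL_NAME.search(aci), _RULE.search(aci)
    if not (name and rule):
        raise ValueError("not a recognisable version 3.0 ACI")
    return {
        "targetattr_op": ta.group(1) if ta else None,
        # Assumption for this check: no targetattr clause is treated as all attributes.
        "targetattrs": ([a.strip().lower() for a in ta.group(2).split("||")]
                        if ta else ["*"]),
        "target": tg.group(2) if tg else None,
        "acl": name.group(1).strip(),
        "effect": rule.group(1).lower(),
        "rights": [r.strip().lower() for r in rule.group(2).split(",")],
        "bind_rule": rule.group(3).strip(),
    }

def grants_password_read(aci):
    """True when an allow ACI would let its subjects read userPassword."""
    p = parse_aci(aci)
    if p["effect"] != "allow" or "read" not in p["rights"]:
        return False
    attrs = p["targetattrs"]
    if p["targetattr_op"] == "!=":   # exclusion list: safe only if the password is listed
        return "userpassword" not in attrs
    return "*" in attrs or "userpassword" in attrs

def fold_ldif(line, width=76):
    """Fold one LDIF line (RFC 2849 recommends <= 76 chars); continuations start with a space."""
    out, rest = [], line
    while len(rest) > width:
        out.append(rest[:width])
        rest = " " + rest[width:]
    out.append(rest)
    return "\n".join(out)

def replace_acis_ldif(dn, acis):
    """Modify/replace LDIF that re-applies the complete ACI list in one change record."""
    lines = [f"dn: {dn}", "changetype: modify", "replace: aci"]
    lines += [fold_ldif(f"aci: {a}") for a in acis]
    return "\n".join(lines) + "\n-\n"
```

Keep the list passed to replace_acis_ldif in source control and regenerate the LDIF from it, so the file you import is always the full, reviewed set.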