DSEE access control for auditors

Just a quick example for DSEE: an ACI that gives a group (let’s call them “auditors”) the right to view everything in the directory except user passwords.

Do something like this:

dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr != "userpassword")(target = "ldap:///dc=example,dc=com")
 (version 3.0; acl "Auditors access to root "; allow (read,compare,search)
 (groupdn = "ldap:///cn=Auditors,ou=Groups,dc=example,dc=com");)

Members of the “cn=Auditors” group will then be able to read, compare and search every attribute value in the directory, except for userPassword.

Note: LDIF “officially” breaks lines at 80 characters, and a continuation is indicated by indenting the next line by one space. You can actually break before or after 80 characters regardless: a line that begins with a space is always treated as a continuation of the previous line. I’ve broken the lines above a bit shorter than usual for readability.

Also note that aci is a multi-valued attribute. Importing this as an add appends to any existing list, whereas a replace wipes out any existing acis. Take care with deletes! My practice is usually to re-apply (replace) the entire list of acis at once to avoid mistakes. One good side effect of that is a text document containing all my acis that I can check into CVS. You are keeping a running record of your configurations in a source control system, aren’t you?
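As an added example (not code from the original post), here is a small Python helper for the two points in the note: it unfolds LDIF continuation lines, folds long aci values back onto continuation lines, and emits a single replace that re-applies a whole aci list kept in source control. The ACI strings and DNs are constructed sample values.

```python
# Added example: LDIF folding/unfolding and a whole-list "replace: aci" builder.
# ACI text and DNs below are constructed sample values, not from a real directory.

AUDITOR_ACI = (
    '(targetattr != "userpassword")(target = "ldap:///dc=example,dc=com")'
    '(version 3.0; acl "Auditors access to root"; allow (read,compare,search)'
    '(groupdn = "ldap:///cn=Auditors,ou=Groups,dc=example,dc=com");)'
)
ADMIN_ACI = (
    '(targetattr = "*")(version 3.0; acl "Directory admins"; allow (all)'
    '(groupdn = "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com");)'
)

def fold(line, width=76):
    """Fold one logical LDIF line; every continuation line starts with one space."""
    out = [line[:width]]
    rest = line[width:]
    while rest:
        # The leading space is the continuation marker, not part of the value.
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return out

def unfold(ldif_text):
    """Rejoin continuation lines onto the logical line they belong to."""
    logical = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    return logical

def aci_values(ldif_text):
    """Return the aci values present in an LDIF fragment, folding undone."""
    return [l[len("aci: "):] for l in unfold(ldif_text) if l.startswith("aci: ")]

def build_aci_replace(dn, acis, width=76):
    """Emit one modify that replaces the entire aci list, so nothing is left
    over from an earlier add and the LDIF file doubles as the version-controlled record."""
    lines = [f"dn: {dn}", "changetype: modify", "replace: aci"]
    for aci in acis:
        lines.extend(fold(f"aci: {aci}", width))
    lines.append("-")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(build_aci_replace("dc=example,dc=com", [AUDITOR_ACI, ADMIN_ACI]))
```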