Grant
authenticated users the capability to read the cn
attribute with the following:
access to attrs=cn by users read
Grant a single, specified user the capability to write to all
posixAccount
entries below the
ou=people
container with the following. This does
not include permission to add new entries directly below
ou=people
.
access to dn.children="ou=people,dc=plainjoe,dc=org" filter=(objectclass=posixAccount) by dn="uid=admin,ou=people,dc=plainjoe,dc=org" write
Grant everyone the capability to attempt to authenticate against an entry’s password with the following. The owner of the entry should also be given read and write access.
access to attrs=userPassword by * +x continue by self +rw
Restrict access to the administration organizational unit to members
of the admin groupOfNames
object with the
following:
access to dn.subtree="ou=administration,dc=plainjoe,dc=org" by group/groupOfNames/member= "cn=admin,ou=group,dc=plainjoe,dc=org" write by * none