Access control instructions are described in the Admin Guide chapter on privileges and ACIs. There are also a few examples in the section on configuring access control.
Two particular aspects of ACIs are worth looking at closely.
- If you want a user to be able to update all attributes, even operational attributes, then you can do something like targetattr = "* || +", where the + stands for all operational attributes. This was brought home to me by the discussion today on the OpenDJ list about updating ds-pwp-password-policy-dn, which is operational.
- If you want an administrator to be able to perform all operations, including proxy auth, import, and export operations as well as standard directory operations, then you can use allow(all, proxy, import, export).
A footnote to all this, which Ludo explained to me this morning: ds-pwp-password-policy-dn, the operational attribute that you set to assign a user a password policy, was created to allow the pwdPolicySubentry to remain untouched. If you apply changes directly to pwdPolicySubentry, then when you see the value cn=Default Password Policy,cn=Password Policies,cn=config, you have no way of knowing whether it was set by the administrator or the server. With ds-pwp-password-policy-dn, who set the value stays explicit.
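As an added example (not from the original post or the OpenDJ documentation), here is an LDIF change set that puts both ACIs to work and then uses the first of them to assign a password policy through the operational attribute. The suffix dc=example,dc=com, the two groups, and the entry uid=bjensen are assumed names for illustration.

```ldif
# Constructed example. Suffix, groups and the user entry are assumptions.

# ACI 1: members of the Password Admins group may write every user attribute,
# operational ones included ("+"), under ou=People. The groupdn bind rule is
# what keeps "* || +" from being a grant to everyone.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "* || +")
 (version 3.0; acl "Password admins may write all attributes, operational included";
 allow (write)
 groupdn = "ldap:///cn=Password Admins,ou=Groups,dc=example,dc=com";)

# ACI 2: members of the Directory Administrators group get the full set of
# rights, including proxied authorization and the import/export rights needed
# to move entries between subtrees with modify DN.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///dc=example,dc=com")(targetattr = "* || +")
 (version 3.0; acl "Directory admins: all operations, proxy, import and export";
 allow (all, proxy, import, export)
 groupdn = "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)

# What ACI 1 now permits a Password Admin to do: assign a policy explicitly via
# ds-pwp-password-policy-dn, leaving pwdPolicySubentry to the server so that an
# administrator-set value is distinguishable from a server-computed one.
dn: uid=bjensen,ou=People,dc=example,dc=com
changetype: modify
replace: ds-pwp-password-policy-dn
ds-pwp-password-policy-dn: cn=Default Password Policy,cn=Password Policies,cn=config
```

Apply the file with ldapmodify as a user who already holds write access to the aci attribute on those entries; without ACI 1, the final modification of ds-pwp-password-policy-dn is rejected because "*" alone does not cover operational attributes.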