Thanks Rich!

I just looked in /usr/share/dirsrv/data, and the file "template.ldif" looks like what I get for the ldapquery of acis in dc=hymesruzicka, dc=org. It does not have any entries for uid=admin (or uid=%as_uid%).

I did find the file "16dssuffixadmin.mod.tmpl", and it looks like it may be useful as a model to make more of the correct acis. Is this a good idea? How much more should I modify it?

/usr/share/dirsrv/data/16dssuffixadmin.mod.tmpl

# BEGIN COPYRIGHT BLOCK
...
# END COPYRIGHT BLOCK
dn: %ds_suffix%
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=%as_uid%,ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-%dsid%, cn=%brand% Directory Server, cn=Server Group, cn=%fqdn%, ou=%domain%, o=NetscapeRoot";)

Thanks again!
************************************************
************************************************
************************************************

for bind in config schema monitor ; do ldapsearch -x -D "cn=directory manager" -w mypassword -s sub -b cn=$bind "aci=*" aci ; done

# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: aci=*
# requesting: aci
#

# config
dn: cn=config
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; a
 llow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=To
 pologyManagement, o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (a
 ll) userdn="ldap:///uid=admin, ou=Administrators, ou=TopologyManagement, o=Ne
 tscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "l
 dap:///cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group, cn=trix
 ter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)

# SNMP, config
dn: cn=SNMP,cn=config
aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version 3.0;acl
  "snmp";allow (read, search, compare)(userdn = "ldap:///anyone");)

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
aci: (targetattr != "aci")(version 3.0; acl "VLV Request Control"; allow( read
 , search, compare, proxy ) userdn = "ldap:///all";)

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3

# extended LDIF
#
# LDAPv3
# base <cn=schema> with scope subtree
# filter: aci=*
# requesting: aci
#

# schema
dn: cn=schema
aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymo
 us, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; a
 llow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=To
 pologyManagement, o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (a
 ll) userdn="ldap:///uid=admin,ou=Administrators, ou=TopologyManagement, o=Net
 scapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "l
 dap:///cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group, cn=trix
 ter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

# extended LDIF
#
# LDAPv3
# base <cn=monitor> with scope subtree
# filter: aci=*
# requesting: aci
#

# monitor
dn: cn=monitor
aci: (target ="ldap:///cn=monitor*")(targetattr != "aci || connection")(versio
 n 3.0; acl "monitor"; allow( read, search, compare ) userdn = "ldap:///anyone
 ";)

# search result
search: 2
result: 0 Success
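
To compare which entries carry an ACI for a given subject, such as the uid=admin entries missing from the suffix, the folded ldapsearch output above can be unfolded and parsed. This is an added example, not part of the original post and not the Directory Server project's code; the function names, the regex (which only covers a single allow rule with a userdn or groupdn bind rule) and the trimmed sample are assumptions.

```python
import re

# Constructed sample: two entries trimmed from the cn=config results above,
# with LDIF folding (a continuation line starts with one space) restored.
SAMPLE = '''\
dn: cn=config
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (a
 ll) userdn="ldap:///uid=admin, ou=Administrators, ou=TopologyManagement, o=Ne
 tscapeRoot";)

dn: cn=SNMP,cn=config
aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version 3.0;acl
  "snmp";allow (read, search, compare)(userdn = "ldap:///anyone");)
'''

ACI_RE = re.compile(  # assumed pattern: one allow rule, one bind rule
    r'acl\s*"(?P<name>[^"]*)"\s*;\s*allow\s*\((?P<rights>[^)]*)\)\s*\(?\s*'
    r'(?P<kind>userdn|groupdn)\s*=\s*"(?P<subject>[^"]*)"')

def unfold(text):
    """Undo LDIF folding: drop each newline that is followed by one space."""
    return re.sub(r'\r?\n ', '', text)

def parse_acis(text):
    """Return one dict per aci value: entry DN, ACL name, rights, subject."""
    out, dn = [], None
    for line in unfold(text).splitlines():
        if line.lower().startswith('dn: '):
            dn = line[4:].strip()
        elif line.lower().startswith('aci: '):
            m = ACI_RE.search(line)
            if m is None:  # not covered by this simple pattern, e.g. deny rules
                out.append({'dn': dn, 'name': None, 'raw': line[5:]})
                continue
            rights = {r.strip() for r in m['rights'].split(',')}
            out.append({'dn': dn, 'name': m['name'], 'rights': rights,
                        'kind': m['kind'], 'subject': m['subject']})
    return out

def grants_to(acis, needle):
    """DNs whose ACIs name a subject containing `needle` (spaces ignored)."""
    norm = lambda s: s.replace(' ', '').lower()
    return sorted({a['dn'] for a in acis
                   if a.get('subject') and norm(needle) in norm(a['subject'])})

if __name__ == '__main__':
    for a in parse_acis(SAMPLE):
        print(a)
```

Feeding it the saved output of the ldapsearch loop, plus the same search against the suffix, lists the entries where grants_to() finds uid=admin and the ones where it does not.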