18.7. Managing ACIs using the command line
This section describes how to manage ACIs using the command line.
Note
Managing Directory Server ACIs is not supported in the web console.
18.7.1. Displaying ACIs
Use the ldapsearch utility to display ACIs using the command line. For example, to display the ACIs set on dc=example,dc=com and its sub-entries:
# ldapsearch -D "cn=Directory Manager" -W -p 389 -h server.example.com -x \
    -b "dc=example,dc=com" -s sub '(aci=*)' aci
18.7.2. Adding an ACI
Use the ldapmodify utility to add an ACI. For example:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="userPassword") (version 3.0; acl "Allow users updating their password"; allow (write) userdn= "ldap:///self";)
18.7.3. Deleting an ACI
To delete an ACI using the command line:
- Display the ACIs set on the entry. See Section 18.7.1, “Displaying ACIs”.
- Delete the ACI:
- If only one aci attribute is set on the entry or you want to remove all ACIs from the entry:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: ou=People,dc=example,dc=com
changetype: modify
delete: aci
- If multiple ACIs exist on the entry and you want to delete a specific ACI, specify the exact ACI:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: ou=People,dc=example,dc=com
changetype: modify
delete: aci
aci: (targetattr="userPassword") (version 3.0; acl "Allow users updating their password"; allow (write) userdn= "ldap:///self";)
For further details about deleting attributes, see Section 3.1.4.3, “Deleting Attributes from an Entry”.
18.7.4. Updating an ACI
To update an ACI using the command line:
- Delete the existing ACI. See Section 18.7.3, “Deleting an ACI”.
- Add a new ACI with the updated settings. See Section 18.7.2, “Adding an ACI”.
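The following script is an added example and is not part of the Directory Server documentation. It covers two points of the procedures above: ldapsearch folds long aci values over several lines, so the exact value needed for "delete: aci" in Section 18.7.3 has to be unfolded first, and the delete-then-add update of Section 18.7.4 can be sent as one ldapmodify record so that both changes are applied as a single operation. The sample ldapsearch output, the entry DNs and the helper names are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the Directory Server documentation.
# Constructed sample of what "ldapsearch ... '(aci=*)' aci" prints; long values are
# folded the way ldapsearch folds them (continuation lines start with one space).
SAMPLE_LDIF=$(cat <<'EOF'
dn: dc=example,dc=com
aci: (targetattr="userPassword") (version 3.0; acl "Allow users updating their
  password"; allow (write) userdn= "ldap:///self";)

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
aci: (targetattr="*") (version 3.0; acl "Anonymous read"; allow (read, search, c
 ompare) userdn="ldap:///anyone";)
EOF
)

# aci_values: read LDIF on stdin, join each continuation line onto the line before
# it and print every aci value on a single line. Assumes plain "aci: " lines; a value
# that ldapsearch had to base64-encode ("aci:: ...") is not decoded here.
aci_values() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }
              { if (buf ~ /^aci: /) print substr(buf, 6); buf = $0 }
        END   { if (buf ~ /^aci: /) print substr(buf, 6) }
    '
}

# aci_update_ldif ENTRY_DN OLD_ACI NEW_ACI: print one LDIF modify record that deletes
# OLD_ACI and adds NEW_ACI. Both changes sit in the same record, so the server applies
# them as one Modify operation: if OLD_ACI does not match a stored value byte for byte,
# the delete fails and the add is not applied either, so the entry never ends up with
# both ACIs or with none.
aci_update_ldif() {
    printf 'dn: %s\n' "$1"
    printf 'changetype: modify\n'
    printf 'delete: aci\n'
    printf 'aci: %s\n' "$2"
    printf '%s\n' '-'
    printf 'add: aci\n'
    printf 'aci: %s\n' "$3"
}

# Typical use: take the current value from the search output, then rewrite it (here the
# only change is the spacing in userdn=). Pipe the record into ldapmodify to apply it:
#   aci_update_ldif ... | ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
OLD_ACI=$(printf '%s\n' "$SAMPLE_LDIF" | aci_values | sed -n '1p')
NEW_ACI='(targetattr="userPassword") (version 3.0; acl "Allow users updating their password"; allow (write) userdn="ldap:///self";)'
aci_update_ldif "dc=example,dc=com" "$OLD_ACI" "$NEW_ACI"
```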