Given the following ACIs for an entry:
aclEntry: group:cn=Dept ABC,o=IBM:normal:grant:rsc
aclPropagate: true
perform the following change:
dn: cn=some entry
changetype: modify
replace: aclEntry
aclEntry: group:cn=Dept XYZ,o=IBM:normal:grant:rsc
The resulting ACI is:
aclEntry: group:cn=Dept XYZ,o=IBM:normal:grant:rsc
aclPropagate: true
ACI values for Dept ABC are lost through the replace.
Given the following ACIs for an entry:
ibm-filterAclEntry: group:cn=Dept ABC,o=IBM:(cn=Manager ABC):normal:grant:rsc
ibm-filterAclInherit: true
perform the following changes:
dn: cn=some entry
changetype: modify
replace: ibm-filterAclEntry
ibm-filterAclEntry: group:cn=Dept XYZ,o=IBM:(cn=Manager XYZ):normal:grant:rsc

dn: cn=some entry
changetype: modify
replace: ibm-filterAclInherit
ibm-filterAclInherit: false
The resulting ACI is:
ibm-filterAclEntry: group:cn=Dept XYZ,o=IBM:(cn=Manager XYZ):normal:grant:rsc
ibm-filterAclInherit: false
ACI values for Dept ABC are lost through the replace.
aclEntry: group:cn=Dept XYZ,o=IBM:normal:grant:rsc
with a modification:
dn: cn=some entry
changetype: modify
add: aclEntry
aclEntry: group:cn=Dept ABC,o=IBM:at.attribute1:grant:rsc
would yield a multi-valued aclEntry of:
aclEntry: group:cn=Dept XYZ,o=IBM:normal:grant:rsc
aclEntry: group:cn=Dept ABC,o=IBM:at.attribute1:grant:rsc
For example, given the ACI:
ibm-filterAclEntry: group:cn=Dept XYZ,o=IBM:(cn=Manager XYZ):normal:grant:rsc
with a modification:
dn: cn=some entry
changetype: modify
add: ibm-filterAclEntry
ibm-filterAclEntry: group:cn=Dept ABC,o=IBM:(cn=Manager ABC):at.attribute1:grant:rsc
would yield a multi-valued aclEntry of:
ibm-filterAclEntry: group:cn=Dept XYZ,o=IBM:(cn=Manager XYZ):normal:grant:rsc
ibm-filterAclEntry: group:cn=Dept ABC,o=IBM:(cn=Manager ABC):at.attribute1:grant:rsc
The permissions under the same attribute or attribute class are considered as the basic building blocks and the actions are considered as the qualifiers. If the same permission value is being added more than once, only one value is stored. If the same permission value is being added more than once with different action values, the last action value is used. If the resulting permission field is empty (""), this permission value is set to null and the action value is set to grant.
For example, given the following ACI:
aclEntry: group:cn=Dept XYZ,O=IBM:normal:grant:rsc
with a modification:
dn: cn=some entry
changetype: modify
add: aclEntry
aclEntry: group:cn=Dept XYZ,o=IBM:normal:deny:r:critical:deny::sensitive:grant:r
yields an aclEntry of:
aclEntry: group:cn=Dept XYZ,O=IBM:normal:grant:sc:normal:deny:r:critical:grant::sensitive:grant:r
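The merge rules above can be modeled for aclEntry values that share a subject. This is an added example, not IBM's code; it assumes the subject DN contains no colons, compares subjects case-insensitively, and emits grant before deny within a class (all three are assumptions chosen to match the example above).

```python
# Added example: models the add-merge rules described above (not IBM's code).

def parse_acl_value(value):
    """Split 'type:DN:class:action:perms[:class:action:perms...]'.

    Assumption: the subject DN contains no ':' characters.
    """
    parts = value.split(":")
    if len(parts) < 5 or (len(parts) - 2) % 3:
        raise ValueError(f"malformed aclEntry value: {value!r}")
    triples = [tuple(parts[i:i + 3]) for i in range(2, len(parts), 3)]
    return ":".join(parts[:2]), triples


def merge_acl_add(existing, added):
    """Return the stored aclEntry value after an 'add' for the same subject."""
    subject, old = parse_acl_value(existing)
    new_subject, new = parse_acl_value(added)
    # Assumption: subjects match case-insensitively (O=IBM vs o=IBM).
    if subject.lower() != new_subject.lower():
        raise ValueError("different subject: stored as a separate value")
    classes = {}  # class -> {permission letter: action}, insertion-ordered
    for cls, action, perms in old + new:
        if action not in ("grant", "deny"):
            raise ValueError(f"unknown action: {action!r}")
        letters = classes.setdefault(cls, {})
        for perm in perms:
            letters[perm] = action  # duplicates collapse; last action wins
    out = [subject]
    for cls, letters in classes.items():
        if not letters:  # empty permission field: null value, action grant
            out.append(f"{cls}:grant:")
            continue
        for action in ("grant", "deny"):  # assumption: grant rendered first
            perms = "".join(p for p, a in letters.items() if a == action)
            if perms:
                out.append(f"{cls}:{action}:{perms}")
    return ":".join(out)


if __name__ == "__main__":
    # Values taken from the example above.
    print(merge_acl_add(
        "group:cn=Dept XYZ,O=IBM:normal:grant:rsc",
        "group:cn=Dept XYZ,o=IBM:normal:deny:r:critical:deny::sensitive:grant:r",
    ))
```

Running a planned add through such a model before applying it shows when a later deny silently removes a permission that an earlier grant gave, as happens to r in the normal class here.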
For example, given the following ACI:
ibm-filterAclEntry: group:cn=Dept XYZ,O=IBM:(cn=Manager XYZ):normal:grant:rsc
with a modification:
dn: cn=some entry
changetype: modify
add: ibm-filterAclEntry
ibm-filterAclEntry: group:cn=Dept XYZ,o=IBM:(cn=Manager XYZ):normal:deny:r:critical:deny::sensitive:grant:r
yields an aclEntry of:
ibm-filterAclEntry: group:cn=Dept XYZ,O=IBM:(cn=Manager XYZ):normal:grant:sc:normal:deny:r:critical:grant::sensitive:grant:r
Given an ACI of:
aclEntry: group:cn=Dept XYZ,o=IBM:object:grant:ad
aclEntry: group:cn=Dept XYZ,o=IBM:normal:grant:rwsc

dn: cn = some entry
changetype: modify
delete: aclEntry
aclEntry: group:cn=Dept XYZ,o=IBM:object:grant:ad
yields a remaining ACI on the server of:
aclEntry: group:cn=Dept XYZ,o=IBM:normal:grant:rwsc
Given an ACI of:
ibm-filterAclEntry: group:cn=Dept XYZ,o=IBM:(cn=Manager XYZ):object:grant:ad
ibm-filterAclEntry: group:cn=Dept XYZ,o=IBM:(cn=Manager XYZ):normal:grant:rwsc

dn: cn = some entry
changetype: modify
delete: ibm-filterAclEntry
ibm-filterAclEntry: group:cn=Dept XYZ,o=IBM:(cn=Manager XYZ):object:grant:ad
yields a remaining ACI on the server of:
ibm-filterAclEntry: group:cn=Dept XYZ,o=IBM:(cn=Manager XYZ):normal:grant:rwsc
Deleting an ACI or entryOwner value that does not exist results in an unchanged ACI or entryOwner and a return code specifying that the attribute value does not exist.