Add a global ACI to prevent possible write access to subentries.
| | |
|---|
| | | ds-cfg-global-aci: (targetattr="createTimestamp||creatorsName||modifiersName||modifyTimestamp||entryDN||entryUUID||subschemaSubentry")(version 3.0; acl "User-Visible Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";) |
|---|
| | | ds-cfg-global-aci: (target="ldap:///dc=replicationchanges")(targetattr="*")(version 3.0; acl "Replication backend access"; deny (all) userdn="ldap:///anyone";) |
|---|
| | | ds-cfg-global-aci: (target="ldap:///cn=changelog")(targetattr="*")(version 3.0; acl "External changelog access"; deny (all) userdn="ldap:///anyone";) |
|---|
| | | ds-cfg-global-aci: (targetfilter="(|(objectclass=subentry)(objectclass=ldapsubentry))")(version 3.0; acl "Subentry write access"; deny (add,write,delete) userdn="ldap:///anyone";) |
|---|
| | | cn: Access Control Handler |
|---|
| | | ds-cfg-java-class: org.opends.server.authorization.dseecompat.AciHandler |
|---|
| | | ds-cfg-enabled: true |
|---|
