From 60467a4df45f5a00aa25330a904f483da9ae6736 Mon Sep 17 00:00:00 2001
From: Mark Craig <mark.craig@forgerock.com>
Date: Tue, 17 Jul 2012 16:48:41 +0000
Subject: [PATCH] Fix for OPENDJ-536: documentation about how 'anonymous access' can be disabled is missing

---
 opendj3/src/main/docbkx/admin-guide/chap-privileges-acis.xml |   25 +++++++++++++++++++------
 1 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/opendj3/src/main/docbkx/admin-guide/chap-privileges-acis.xml b/opendj3/src/main/docbkx/admin-guide/chap-privileges-acis.xml
index be24d41..4388b6c 100644
--- a/opendj3/src/main/docbkx/admin-guide/chap-privileges-acis.xml
+++ b/opendj3/src/main/docbkx/admin-guide/chap-privileges-acis.xml
@@ -953,9 +953,11 @@
  --property global-aci</screen>
 
    <para>To disable anonymous read access for example, use the
-   <command>dsconfig set-access-control-handler-prop</command> command. The
-   <literal>global-aci</literal> attribute value should all be on one
-   line.</para>
+   <command>dsconfig set-access-control-handler-prop</command> command.</para>
+
+   <para>First, remove the <literal>global-aci</literal> attribute value that
+   allows anonymous read access. The <literal>global-aci</literal> attribute
+   value should all be on one line.</para>
 
    <screen>dsconfig
  set-access-control-handler-prop
@@ -987,9 +989,20 @@
  --bindPassword password
  --commandFilePath /tmp/captured-command.sh</screen>
 
-   <para>Notice that this change is made to the OpenDJ directory server
-   configuration, and so is not replicated to other servers. You must
-   instead apply the change separately to each server.</para>
+   <para>Next, add a global ACI value that allows authenticated users to
+   perform read operations. You can use <command>dsconfig</command>
+   interactively to add the ACI value as shown below
+   <literal>(targetattr!=...userdn="ldap:///all";)</literal>.</para>
+
+   <programlisting language="ldif">global-aci: (targetattr!="userPassword||
+ authPassword||changes||changeNumber||changeType||changeTime||targetDN||newRDN||
+ newSuperior||deleteOldRDN||targetEntryUUID||changeInitiatorsName||
+ changeLogCookie||includedAttributes")(version 3.0; acl "Authenticated users
+ read access"; allow (read,search,compare) userdn="ldap:///all";)</programlisting>
+
+   <para>Notice that these changes are made to the OpenDJ directory server
+   configuration, and so are not replicated to other servers. You must instead
+   apply the changes separately to each server.</para>
   </example>
 
   <example xml:id="access-control-full-access">

--
Gitblit v1.10.0