From 8cdc38581b5e63c99415ad8bc92a01544c5c378e Mon Sep 17 00:00:00 2001
From: Mark Craig <mark.craig@forgerock.com>
Date: Tue, 17 Jul 2012 16:19:17 +0000
Subject: [PATCH] Fix for OPENDJ-536: documentation about how 'anonymous access' can be disabled is missing

---
 opendj3/src/main/docbkx/admin-guide/chap-privileges-acis.xml |   69 ++++++++++++++++++++++++++++++++++
 1 files changed, 69 insertions(+), 0 deletions(-)

diff --git a/opendj3/src/main/docbkx/admin-guide/chap-privileges-acis.xml b/opendj3/src/main/docbkx/admin-guide/chap-privileges-acis.xml
index 212fca3..be24d41 100644
--- a/opendj3/src/main/docbkx/admin-guide/chap-privileges-acis.xml
+++ b/opendj3/src/main/docbkx/admin-guide/chap-privileges-acis.xml
@@ -923,6 +923,75 @@
  </programlisting>
   </example>
 
+  <example xml:id="access-control-disable-anonymous"><?dbfo keep-together="auto"?>
+   <title>ACI: Disable Anonymous Access</title>
+   <indexterm>
+    <primary>Access control</primary>
+    <secondary>Disabling anonymous access</secondary>
+   </indexterm>
+
+   <para>By default OpenDJ denies access unless an access control explicitly
+   allows access.<footnote><para>This does not apply to the directory root
+   user, such as <literal>cn=Directory Manager</literal>, who bypasses
+   ACIs.</para></footnote> However, OpenDJ also allows anonymous access by
+   default to use some controls, to perform certain extended operations, to
+   view root DSE operational attributes, to view directory schema definitions,
+   to view some other operational attibutes, and to perform compare and search
+   operations.</para>
+
+   <para>These default capabilities are defined on the
+   <literal>global-aci</literal> property of the access control handler, which
+   you can read by using the
+   <command>dsconfig get-access-control-handler-prop</command> command.</para>
+
+   <screen>$ dsconfig
+ get-access-control-handler-prop
+ --port 4444
+ --hostname opendj.example.com
+ --bindDN "cn=Directory Manager"
+ --bindPassword password
+ --property global-aci</screen>
+
+   <para>To disable anonymous read access for example, use the
+   <command>dsconfig set-access-control-handler-prop</command> command. The
+   <literal>global-aci</literal> attribute value should all be on one
+   line.</para>
+
+   <screen>dsconfig
+ set-access-control-handler-prop
+ --remove global-aci:\(targetattr!=\"userPassword\|\|authPassword\|\|changes\|
+  \|changeNumber\|\|changeType\|\|changeTime\|\|targetDN\|\|newRDN\|
+  \|newSuperior\|\|deleteOldRDN\|\|targetEntryUUID\|\|changeInitiatorsName\|
+  \|changeLogCookie\|\|includedAttributes\"\)\(version\ 3.0\;\ acl\ \"Anonymous
+  \ read\ access\"\;\ allow\ \(read,search,compare\)
+  \ userdn=\"ldap:///anyone\"\;\)
+ --hostname opendj.example.com
+ --port 4444
+ --bindDN cn=Directory\ Manager
+ --bindPassword password
+ --trustAll
+ --no-prompt</screen>
+
+   <para>If the <literal>global-aci</literal> does not match the ACI exactly
+   then the command fails to remove the value. An alternative approach is to
+   use the <command>dsconfig</command> command interactively, adding the
+   <option>--commandFilePath</option> option. You can then use the command
+   you capture to remove the property value on other servers for example.
+   To use the <command>dsconfig</command> command this way, start the
+   command as follows.</para>
+
+   <screen>$ dsconfig
+ --port 4444
+ --hostname opendj.example.com
+ --bindDN "cn=Directory Manager"
+ --bindPassword password
+ --commandFilePath /tmp/captured-command.sh</screen>
+
+   <para>Notice that this change is made to the OpenDJ directory server
+   configuration, and so is not replicated to other servers. You must
+   instead apply the change separately to each server.</para>
+  </example>
+
   <example xml:id="access-control-full-access">
    <title>ACI: Full Access for Administrators</title>
    

--
Gitblit v1.10.0