
set public-user Command—Configure Anonymous User Access Level Rights

A public user is an anonymous user, so the set of public users consists of all users who have not been authenticated.

This command grants the specified access rights, at the public user access level, to all users over a specified scope.

Any access that is granted by this command applies to public users, and by extension to all users. That is, a user who is authenticated can do anything that a public user can do.

Access rights granted at this access level can be taken away by access control rules defined at the protected items access level.

Access control rules are effective only if you enable access controls. If access controls are not enabled, then public users have full permission over the whole directory.

This command has the following format:

set public-user [tag] = {
    scope
    [attrs = attribute-list]
    [perms = permission-list]
    [validity = [start hhmm end hhmm] [on day]]
};
tag

(Optional) Defines a name for this rule.

scope

Defines the area of the DIT that this rule gives access to, where scope is one of the following:

entry = DN

Specifies the entry that this rule grants access to.

subtree = DN

Specifies the subtree that this rule grants access to.

attrs = attribute-list

(Optional) Defines the attributes or attribute set to which this rule applies, where attribute-list is a comma-separated list of attribute names.

If attrs is not specified, then the access rule applies to the whole entry. add and remove permissions require that attrs is not specified.

perms = permission-list

(Optional) Specifies the permissions (access rights) that this rule grants to public users for the scope.

If perms is not specified, then read access permission is granted.

permission-list is a comma-separated list of one or more of the following:

all

Specifies that public users have all available permissions over the scope. This option implies all of the permissions listed below.

read

Specifies that public users can read the information defined in the scope.

add

Specifies that public users can add to the information defined in the scope. This also grants read permission.

remove

Specifies that public users can delete entries defined in the scope. This also grants read permission.

modify

Specifies that public users can change information defined in the scope. This also grants read permission.

rename

Specifies that public users can rename the entries defined in the scope. This also grants read permission.

validity = [start hhmm end hhmm] [on day]

(Optional) Defines the period during which this rule is valid. Use any of the following:

start hhmm end hhmm

Defines the start and end of the period during which this rule is valid.

on day

Defines the day on which this rule is valid, where day is a string like 12345 or 67 (1 is Monday).

Example: Let Anonymous Users Read Attributes in a Subtree

In the following example, all users can view the name, telephone number, and X.400 mail addresses in the Phone List subtree:

set public-user "public-attr" = {
    subtree = <c "AU"><o "Democorp"><ou "Phone List">
    attrs = telephoneNumber, commonName, surname, mhsORAddresses
};

Example: Give Public-User Privileges to Members of a Role

In the following example, all users in the role cell-research have read privileges on the directory R&D subtree:

set public-user "cell-research" = {
    role = <c "AU"><o "Democorp"><ou "roles"><cn "cell-research">
    subtree = <c "AU"><o "Democorp"><ou "R&D">
};
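As an added example that is not part of this command reference, the following Python script parses set public-user rules written in the format documented above from a constructed configuration fragment and flags the rules that give anonymous users more than limited read access: write permissions, a top-level subtree as scope, no attrs restriction, or no validity window. The regular expressions, the rule tags and the sample DNs are assumptions made for the example; the sample config itself follows the format as given here.

```python
import re
# Permissions from the command reference that let anonymous users change data ("all" implies every one).
WRITE_PERMS = {"all", "add", "remove", "modify", "rename"}

# Assumed, minimal parsing of the documented format: set public-user [tag] = { field = value ... };
RULE_RE = re.compile(r'set\s+public-user\s+"?([\w-]*)"?\s*=\s*\{(.*?)\};', re.S)
FIELD_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$', re.M)

# Constructed sample config: an over-broad rule followed by a least-privilege one.
SAMPLE_CONFIG = '''
set public-user "anon-all" = {
    subtree = <c "AU">
    perms = all
};
set public-user "anon-phone" = {
    subtree = <c "AU"><o "Democorp"><ou "Phone List">
    attrs = commonName, telephoneNumber
    perms = read
    validity = start 0800 end 1800 on 12345
};
'''

def parse_public_user_rules(config_text):
    """Return one dict per set public-user rule, applying the documented default of read-only perms."""
    rules = []
    for tag, body in RULE_RE.findall(config_text):
        fields = dict(FIELD_RE.findall(body))
        rules.append({"tag": tag or "(untagged)", "is_entry": "entry" in fields,
                      "scope": fields.get("entry") or fields.get("subtree", ""),
                      "attrs": [a.strip() for a in fields.get("attrs", "").split(",") if a.strip()],
                      "perms": {p.strip() for p in fields.get("perms", "read").split(",")},
                      "validity": fields.get("validity")})
    return rules

def audit_public_user_rules(config_text):
    """Return (tag, reason) findings for rules that give anonymous users more than limited read access."""
    findings = []
    for r in parse_public_user_rules(config_text):
        writes = sorted(r["perms"] & WRITE_PERMS)
        if writes:
            findings.append((r["tag"], "write access for anonymous users: " + ", ".join(writes)))
        # Each <...> is one RDN, so a single component means the rule spans a whole top-level subtree.
        if not r["is_entry"] and r["scope"].count("<") <= 1:
            findings.append((r["tag"], "scope is a top-level subtree: " + r["scope"]))
        if not r["attrs"]:
            findings.append((r["tag"], "no attrs restriction, whole entries are exposed"))
        if r["validity"] is None:
            findings.append((r["tag"], "no validity window, rule applies at all times"))
    return findings
```

Running the audit over SAMPLE_CONFIG reports four findings, all against the "anon-all" rule, and none against "anon-phone".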