Where To Place Access Control Rules; Using Filtered Access Control Rules - Red Hat DIRECTORY SERVER 7.1 - DEPLOYMENT Deployment Manual

Designing Access Control
If you are allowing a person or group of people to manage some part of the
directory tree, but you want to make sure that they do not modify some
aspect of the tree, use an explicit deny. For example, if you want to make sure
the Mail Administrators cannot write to the common name (cn) attribute, set an
ACI that explicitly denies them write access to the common name attribute.

Where to Place Access Control Rules

Access control rules can be placed on any entry in the directory. Often,
administrators place access control rules on entries of type country,
organization, organizationalUnit, inetOrgPerson, or group.

To simplify your ACL administration, group your rules as much as possible. Since
a rule generally applies to its target entry and to all of that entry's children, it is
best to place access control rules on root points in the directory or on directory
branch points, rather than scatter them across individual leaf (such as person)
entries.
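The following LDIF is an added example, not text or configuration from the Deployment Guide. It shows the two points above together: an explicit deny for cn that sits beside a broad grant to the Mail Administrators, and both rules placed on the branch point ou=People rather than on individual person entries. The suffix dc=example,dc=com and the group cn=Mail Administrators,ou=Groups,dc=example,dc=com are assumed names.

```ldif
# Added example, not from the Deployment Guide. Assumed suffix dc=example,dc=com
# and assumed group cn=Mail Administrators,ou=Groups,dc=example,dc=com.
# Both rules go on the branch point ou=People, so they apply to that entry and
# to every entry below it; nothing is placed on individual person entries.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
# Broad grant: Mail Administrators may write any attribute under ou=People.
aci: (targetattr = "*")
  (version 3.0; acl "Mail Administrators manage ou=People";
  allow (write) groupdn = "ldap:///cn=Mail Administrators,ou=Groups,dc=example,dc=com";)
# Explicit deny for the one attribute they must not touch. Directory Server
# gives a matching deny precedence over any allow, so this rule wins over
# the grant above even though both target the same users and subtree.
aci: (targetattr = "cn")
  (version 3.0; acl "Mail Administrators may not write cn";
  deny (write) groupdn = "ldap:///cn=Mail Administrators,ou=Groups,dc=example,dc=com";)
```

Load the file with ldapmodify bound as cn=Directory Manager. The continuation lines are indented with two spaces because LDIF strips exactly one leading space when joining a folded value, which keeps a space between the ACI clauses. To verify the deny, bind as a member of the group and attempt to modify cn on an entry under ou=People; the server should return an insufficient access error while a modify of any other attribute succeeds.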

Using Filtered Access Control Rules

One of the more powerful features of the Directory Server ACI model is the ability
to use LDAP search filters to set access control. LDAP search filters allow you to
set access to any directory entry that matches a defined set of criteria.
For example, you could allow read access for any entry that contains an
organizationalUnit attribute that is set to Marketing.

Filtered access control rules let you use predefined levels of access. Suppose your
directory contains home address and telephone number information. Some
people want to publish this information, while others want to be "unlisted." You
can handle this situation by doing the following:

• Create an attribute on every user's directory entry called
  publishHomeContactInfo.
• Set an access control rule that grants read access to the homePostalAddress
  and homePhone attributes only for entries whose publishHomeContactInfo
  attribute is set to true (meaning enabled). Use an LDAP search filter to
  express the target for this rule.
• Allow your directory users to change the value of their own
  publishHomeContactInfo attribute to either true or false. In this way, the
  directory user can decide whether this information is publicly available.

For more information about using LDAP search filters and on using LDAP search
filters with ACIs, see the Red Hat Directory Server Administrator's Guide.

180
Red Hat Directory Server Deployment Guide • May 2005
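The LDIF below is an added example, not configuration from the Deployment Guide, carrying the three-step "listed or unlisted" procedure through end to end. It assumes the suffix dc=example,dc=com, an assumed auxiliary object class homeContactPrefs to carry the attribute (schema checking requires some object class to allow it), placeholder OIDs of the form name-oid as Directory Server permits when no OID has been assigned, and a constructed user uid=jsmith. It also goes one step beyond the text by showing the value in the RFC 4517 Boolean form TRUE/FALSE that the Boolean syntax uses, where the guide writes true/false.

```ldif
# Added example, not from the Deployment Guide. Assumed suffix dc=example,dc=com;
# publishHomeContactInfo and homeContactPrefs are assumed schema names with
# placeholder "<name>-oid" OIDs, as Directory Server allows when no OID exists.

# Step 1: define the flag in the schema so it may be stored on user entries.
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( publishHomeContactInfo-oid NAME 'publishHomeContactInfo'
  DESC 'Assumed example: TRUE means the user wants home contact info listed'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'user defined' )
-
add: objectClasses
objectClasses: ( homeContactPrefs-oid NAME 'homeContactPrefs'
  DESC 'Assumed example auxiliary class that permits publishHomeContactInfo'
  SUP top AUXILIARY MAY ( publishHomeContactInfo ) X-ORIGIN 'user defined' )

# Step 2: filtered rule on the branch point. Anyone may read homePostalAddress
# and homePhone, but only on entries whose flag is TRUE (the targetfilter).
# Entries with FALSE, or with no flag at all, match no allow rule, and the
# server denies whatever no ACI grants, so unlisted users need no deny rule.
# Step 3: users may write their own flag (userdn = self) and nothing more.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "homePostalAddress || homePhone")
  (targetfilter = "(publishHomeContactInfo=TRUE)")
  (version 3.0; acl "Listed users publish home contact info";
  allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr = "publishHomeContactInfo")
  (version 3.0; acl "Users choose listed or unlisted";
  allow (write) userdn = "ldap:///self";)

# Constructed sample entry: jsmith opts in, so the filtered rule covers it.
dn: uid=jsmith,ou=People,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: homeContactPrefs
-
add: publishHomeContactInfo
publishHomeContactInfo: TRUE
```

Apply the file with ldapmodify as cn=Directory Manager, then check the behaviour from a bind that is not jsmith: a search for homePhone on uid=jsmith returns the value, the same search on a user whose flag is FALSE or absent returns the entry without homePhone, and an attempt by jsmith to modify his own publishHomeContactInfo succeeds while an attempt by him to modify another user's flag is refused. The rule uses ldap:///anyone, which includes anonymous binds; if "published" should mean readable only by authenticated users, use ldap:///all instead.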