Red Hat DIRECTORY SERVER 7.1 - DEPLOYMENT Deployment Manual page 183


Minimize the number of ACIs in your directory.
Although Directory Server can evaluate over 50,000 ACIs, it is difficult to manage a large number of ACI statements. A large number of ACIs makes it hard to determine immediately which directory objects are available to particular clients.
Directory Server minimizes the number of ACIs in the directory by using macros. Macros are placeholders that represent a DN, or a portion of a DN, in an ACI. You can use the macro to represent a DN in the target portion of the ACI, in the bind rule portion, or both. For more information on macro ACIs, refer to chapter 6, "Managing Access Control," in the Red Hat Directory Server Administrator's Guide.
Balance allow and deny permissions.
Although the default rule is to deny access to any user who has not been specifically granted access, you might find that you can reduce the number of ACIs by using one ACI allowing access close to the root of the tree and a small number of deny ACIs close to the leaf entries. This scenario avoids the use of multiple allow ACIs close to the leaf entries.
Identify the smallest set of attributes on any given ACI.
This means that if you are allowing or restricting access to a subset of attributes on an object, determine whether the smaller list is the set of attributes that are allowed or the set of attributes that are denied. Then express your ACI so that you are managing the smaller list.
For example, the person object class contains dozens of attributes. If you want to allow a user to update just one or two of these attributes, then write your ACI so that it allows write access for just those few attributes. If, however, you want to allow a user to update all but one or two attributes, then create the ACI so that it allows write access for everything but a few named attributes.
Use LDAP search filters cautiously.
Because search filters do not directly name the object that you are managing access for, their use can lead to surprises, especially as your directory becomes more complex. If you are using search filters in ACIs, run an ldapsearch operation using the same filter to make sure you know what the results of the changes mean to your directory.
Do not duplicate ACIs in differing parts of your directory tree.
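As an added example that is not from the manual, the following LDIF applies the guidelines above to a constructed suffix dc=example,dc=com; the OU, group and attribute names are assumed, and the ($dn) and [$dn] macro placeholders are Directory Server's own macro ACI syntax.

```ldif
# Added example (not from the manual). Suffix, OU, group and attribute
# names are constructed. Each record adds one aci value via ldapmodify.
# LDIF continuation lines begin with one space; the one line break below
# falls at a ")(" boundary, where the ACI grammar needs no whitespace.

# 1. One broad allow near the root rather than many allows at the leaves:
#    every authenticated user may read and search the whole tree, with
#    userPassword excluded so hashes are never readable.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr != "userPassword")(version 3.0; acl "Read near root"; allow (read,search,compare) userdn="ldap:///all";)

# 2. Smallest attribute set: users may update their own entry except a few
#    sensitive attributes, so the ACI lists the short excluded set with
#    "targetattr !=" instead of the dozens of allowed person attributes.
#    Keeping nsroledn out of self-write stops a user assigning roles to
#    their own entry, which would widen their own access.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr != "uid || objectClass || nsroledn")(version 3.0; acl "Self write, few exclusions"; allow (write) userdn="ldap:///self";)

# 3. A small number of denies close to the leaf entries: one subtree is
#    withheld from one group while the root allow above stays untouched.
dn: ou=Salaries,ou=HR,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Hide salaries from contractors"; deny (all) groupdn="ldap:///cn=Contractors,ou=Groups,dc=example,dc=com";)

# 4. Macro ACI: a single statement at the root serves every domain subtree.
#    ($dn) in the target matches the part of the accessed entry's DN
#    between ou=Groups and dc=example,dc=com; [$dn] in the bind rule is
#    replaced with that same value, so the administrators of dc=east
#    manage only ou=Groups,dc=east,dc=example,dc=com, and likewise for
#    each other domain, without one ACI per domain.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///ou=Groups,($dn),dc=example,dc=com")(targetattr="*")
 (version 3.0; acl "Per-domain group admin"; allow (all) groupdn="ldap:///cn=DomainAdmins,ou=Groups,[$dn],dc=example,dc=com";)
```

Apply the file with ldapmodify as an identity permitted to write the aci attribute, then confirm the effect with ldapsearch bound as an ordinary user, a contractor and a domain administrator before relying on it.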
Chapter 8, Designing a Secure Directory: Designing Access Control (page 183)
