Red Hat DIRECTORY SERVER 7.1 - ADMINISTRATOR Administrator's Manual page 181


Chapter 5, Advanced Entry Management: Using Roles

For example, user A possesses the managed role, MR. The MR role has been locked
using account inactivation through the command-line. This means that user A
cannot bind to the server because the nsAccountLock attribute is computed as
true for that user. However, suppose the user was already bound and noticed that
he is now locked through the MR role. If there are no ACIs preventing him, the
user can remove the nsRoleDN attribute from his entry and unlock himself.

To prevent users from removing the nsRoleDN attribute, use the following ACIs
depending upon the type of role being used.

Managed roles. For entries that are members of a managed role, use the
following ACI to prevent users from unlocking themselves by removing the
appropriate nsRoleDN:

aci: (targetattr="nsRoleDN")
 (targattrfilters="add=nsRoleDN:(!(nsRoleDN=cn=AdministratorRole,dc=example,dc=com)),
 del=nsRoleDN:(!(nsRoleDN=cn=nsManagedDisabledRole,dc=example,dc=com))")
 (version 3.0; acl "allow mod of nsRoleDN by self but not to critical values";
 allow(write) userdn="ldap:///self";)

Filtered roles. The attributes that are part of the filter should be protected so
that the user cannot relinquish the filtered role by modifying an attribute. The
user should not be allowed to add, delete, or modify the attribute used by the
filtered role. If the value of the filter attribute is computed, then all attributes
that can modify the value of the filter attribute should be protected in the same
way.

Nested roles. A nested role is composed of filtered and managed roles, so the
above points should be considered for each of the roles that make up the
nested role.

For more information about account inactivation, see "Inactivating Users and
Roles," on page 296.
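The following Python sketch is an added example, not part of the Red Hat manual: it models how the targattrfilters clause of the managed-role ACI above decides which nsRoleDN values a bound user may add to or delete from his own entry. The role cn=PrintRole, the simplified DN normalization and all function names are assumptions made for illustration; the server's own ACI evaluation is more general.

```python
import re

# targattrfilters value from the managed-role ACI above, joined onto one line.
TARGATTRFILTERS = (
    "add=nsRoleDN:(!(nsRoleDN=cn=AdministratorRole,dc=example,dc=com)),"
    "del=nsRoleDN:(!(nsRoleDN=cn=nsManagedDisabledRole,dc=example,dc=com))"
)

def norm_dn(dn):
    """Simplified DN comparison form: lower-case, no spaces around ',' and '='.
    (Assumption: no escaped commas; a real server applies full DN syntax rules.)"""
    rdns = (rdn.split("=", 1) for rdn in dn.split(","))
    return ",".join("=".join(part.strip().lower() for part in rdn) for rdn in rdns)

def parse_targattrfilters(spec):
    """Map (operation, attribute) -> the one value the filter excludes.
    Handles only the negated-equality form used on this page: (!(attr=value))."""
    rules = {}
    pattern = r"(add|del)=(\w+):\(!\((\w+)=([^()]*)\)\)"
    for op, attr, filter_attr, value in re.findall(pattern, spec):
        if attr.lower() != filter_attr.lower():
            raise ValueError(f"filter attribute {filter_attr!r} does not match {attr!r}")
        rules[(op, attr.lower())] = norm_dn(value)
    return rules

def self_change_allowed(rules, op, attr, value):
    """Would this ACI let a bound user add/delete `value` on his own entry?"""
    excluded = rules.get((op, attr.lower()))
    if excluded is None:
        return False  # not covered by this ACI, so nothing is granted by it
    return norm_dn(value) != excluded

RULES = parse_targattrfilters(TARGATTRFILTERS)

if __name__ == "__main__":
    # Constructed sample changes; cn=PrintRole is a hypothetical, non-critical role.
    attempts = [
        ("del", "nsRoleDN", "cn=nsManagedDisabledRole,dc=example,dc=com"),
        ("del", "nsRoleDN", "CN=nsManagedDisabledRole, DC=example, DC=com"),
        ("del", "nsRoleDN", "cn=PrintRole,dc=example,dc=com"),
        ("add", "nsRoleDN", "cn=AdministratorRole,dc=example,dc=com"),
        ("add", "nsRoleDN", "cn=PrintRole,dc=example,dc=com"),
    ]
    for op, attr, value in attempts:
        verdict = "allowed" if self_change_allowed(RULES, op, attr, value) else "denied"
        print(f"{op:3} {attr}: {value:50} -> {verdict}")
```

The second attempt differs from the first only in case and spacing and is still denied, because DN values are compared after normalization rather than as raw strings.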
