Targeting A Directory Entry - Red Hat DIRECTORY SERVER 7.1 - ADMINISTRATOR Administrator's Manual


Creating ACIs Manually

Be wary of using != when specifying an attribute you want to deny. ACLs are logically ORed, which means that if you created two ACLs

    acl1: ( target=...)( targetattr!=a )(version 3.0; acl "name";allow (...)..
    acl2: ( target=...)( targetattr!=b )(version 3.0; acl "name";allow (...)..

the result would be to allow all values of the target attribute. The first ACL (acl1) will allow b and the second ACL (acl2) will allow a. The result of these two ACLs will be the same as the one resulting from using an ACL of the form:

    acl3: ( targetattr="*" ) allow (...) ...

Notice that nothing is denied. This could give rise to security problems.

When you want to deny access to a particular attribute, use deny in the permissions clause rather than using allow with ( targetattr != value ). For example, usages such as these are recommended:

    acl1: ( target=...)( targetattr=a )(version 3.0; acl "name";deny (...)..
    acl2: ( target=...)( targetattr=b )(version 3.0; acl "name";deny (...)..

Targeting a Directory Entry

To target a directory entry (and the entries below it), you must use the target keyword.

The target keyword can accept a value of the following format:

    target="ldap:///distinguished_name"

This identifies the distinguished name of the entry to which the access control rule applies. For example:

    (target = "ldap:///uid=bjensen,dc=example,dc=com")

NOTE
If the DN of the entry to which the access control rule applies contains a comma, you must escape the comma with a single backslash (\). For example:

    (target="ldap:///uid=lfuentes,dc=example.com Bolivia\,S.A.")

Chapter 6 Managing Access Control 209
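The following script is an added example, not code from the Directory Server manual or product. It models the two points made above in a deliberately simplified ACI evaluator: first, that two allow rules written with targetattr!= grant every attribute (the same as targetattr="*"), while explicit deny rules withhold exactly the attributes named; second, that a target DN containing a comma must carry a backslash escape, which the helper inserts and a matching splitter honours. The Aci class, the evaluate/granted_attributes/target_clause/split_dn functions, the sample attributes and the sample RDNs are all constructed for this illustration; the evaluator assumes that matching allows are ORed (as the manual states), that a matching deny overrides any allow, and that access with no matching rule is denied.

```python
"""Toy model of Directory Server ACI evaluation for the two pitfalls above.

Hypothetical example code, not from the Red Hat Directory Server manual or
product. Assumptions: allows are logically ORed (as the manual describes),
a matching deny overrides any allow, and access with no matching rule is denied.
"""
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Set, Tuple


@dataclass(frozen=True)
class Aci:
    """One simplified ACI: a single targetattr clause plus an allow/deny effect."""
    name: str
    targetattr: str        # attribute name, or "*" for any attribute
    negated: bool = False  # True models ( targetattr != value )
    effect: str = "allow"  # "allow" or "deny"

    def matches(self, attr: str) -> bool:
        hit = self.targetattr == "*" or attr.lower() == self.targetattr.lower()
        return (not hit) if self.negated else hit


def evaluate(acis: Iterable[Aci], attr: str) -> bool:
    """Return True if access to `attr` is granted under the rule set."""
    matching = [aci for aci in acis if aci.matches(attr)]
    if any(aci.effect == "deny" for aci in matching):
        return False                                       # a matching deny wins
    return any(aci.effect == "allow" for aci in matching)  # allows are ORed


def granted_attributes(acis: Sequence[Aci], attrs: Iterable[str]) -> Set[str]:
    """Which of `attrs` end up accessible under the rule set."""
    return {attr for attr in attrs if evaluate(acis, attr)}


# Constructed sample attributes; "mail" stands for anything that is neither a nor b.
ALL_ATTRS = {"a", "b", "mail"}

# The anti-pattern from the manual: two allows written with targetattr!=
NEGATED_ALLOW = [
    Aci("acl1", "a", negated=True),   # ( targetattr!=a ) ... allow
    Aci("acl2", "b", negated=True),   # ( targetattr!=b ) ... allow
]

# The single rule the manual says the pair is equivalent to
WILDCARD_ALLOW = [Aci("acl3", "*")]  # ( targetattr="*" ) allow

# The recommended form: explicit deny rules, here on top of a baseline allow
DENY_RULES = [
    Aci("acl0", "*"),                 # baseline: allow everything ...
    Aci("acl1", "a", effect="deny"),  # ... except a
    Aci("acl2", "b", effect="deny"),  # ... and b
]


# --- target="ldap:///dn" construction with comma escaping -------------------

def escape_rdn_value(value: str) -> str:
    """Escape a literal comma in an RDN value with one backslash, as the manual requires."""
    return value.replace(",", "\\,")


def target_clause(rdns: Sequence[Tuple[str, str]]) -> str:
    """Build a (target="ldap:///...") clause from (attribute, value) RDN pairs."""
    dn = ",".join(attr + "=" + escape_rdn_value(value) for attr, value in rdns)
    return '(target="ldap:///' + dn + '")'


def split_dn(dn: str) -> List[str]:
    """Split a DN on unescaped commas only, so an escaped comma stays in its RDN."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i + 1])   # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


# Constructed RDNs; the organisation value contains a comma on purpose.
SAMPLE_RDNS = [("uid", "lfuentes"), ("o", "Example Bolivia,S.A."),
               ("dc", "example"), ("dc", "com")]


if __name__ == "__main__":
    print("negated allows grant:", sorted(granted_attributes(NEGATED_ALLOW, ALL_ATTRS)))
    print("wildcard allow grants:", sorted(granted_attributes(WILDCARD_ALLOW, ALL_ATTRS)))
    print("explicit denies grant:", sorted(granted_attributes(DENY_RULES, ALL_ATTRS)))
    clause = target_clause(SAMPLE_RDNS)
    print(clause)
    print("RDN count:", len(split_dn(clause[len('(target="ldap:///'):-2])))
```

Running the script shows the negated pair and the wildcard rule granting the same set (all three attributes), the deny pair granting only mail, and a target clause whose escaped comma is preserved as a single RDN when the DN is split back apart.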
