aci: (target="ldap:///dc=example,dc=com") (version 3.0;acl
"example"; allow (read, search, compare) bind_rule;)
Access Control and the modrdn Operation
To explicitly deny modrdn rights using ACIs, you must target the relevant entries but omit the targetattr keyword. For example, to prevent the cn=helpDeskGroup,ou=groups,o=example.com group from renaming any entries in the set specified by the pattern cn=*,ou=people,o=example.com, you would add the following ACI:
aci: (target="ldap:///cn=*,ou=people,o=example.com")
(version 3.0; acl "Deny modrdn rights to the helpDeskGroup";
deny(write)
groupdn="ldap:///cn=helpDeskGroup,ou=groups,o=example.com";)
Bind Rules
Depending on the ACIs defined for the directory, for certain operations, you need to bind to the directory. Binding means logging in or authenticating yourself to the directory by providing a bind DN and password, or, if using SSL, a certificate. The credentials provided in the bind operation and the circumstances of the bind determine whether access to the directory is allowed or denied.
Every permission set in an ACI has a corresponding bind rule that details the required credentials and bind parameters.
Bind rules can be simple. For example, a bind rule can simply state that the person accessing the directory must belong to a specific group. Bind rules can also be more complex. For example, a bind rule can state that a person must belong to a specific group and must log in from a machine with a specific IP address, between 8 a.m. and 5 p.m.
Bind rules define who can access the directory, when, and from where. More specifically, bind rules can specify:
• Users, groups, and roles that are granted access.
• Location from which an entity must bind.
• Time or day on which binding must occur.
• Type of authentication that must be in use during binding.
Chapter 6 Managing Access Control 219
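To make the modrdn example and the bind-rule discussion above concrete, here is an added Python model (not code from the Directory Server product or this guide) that parses ACIs in the page's syntax and evaluates them for a bound identity. It assumes a single userdn/groupdn bind rule per ACI, no targetattr, the o=example.com suffix throughout, an assumed cn=admins group, and Directory Server's rule that an explicit deny overrides any allow.

```python
import re
from fnmatch import fnmatchcase
# Constructed ACIs (not from a server): the page's modrdn deny plus assumed read and admins-write grants.
ACIS = [
    'aci: (target="ldap:///o=example.com") (version 3.0;acl "example"; '
    'allow (read, search, compare) userdn="ldap:///anyone";)',
    'aci: (target="ldap:///cn=*,ou=people,o=example.com") (version 3.0; '
    'acl "Deny modrdn rights to the helpDeskGroup"; deny(write) '
    'groupdn="ldap:///cn=helpDeskGroup,ou=groups,o=example.com";)',
    'aci: (target="ldap:///o=example.com") (version 3.0; acl "admins write"; '
    'allow (write) groupdn="ldap:///cn=admins,ou=groups,o=example.com";)',
]
ACI_RE = re.compile(
    r'\(target="ldap:///(?P<target>[^"]+)"\)\s*\(version 3\.0;\s*'
    r'acl "(?P<name>[^"]+)";\s*(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'(?P<bind>.+?);\s*\)', re.S)
# Only the single userdn/groupdn bind rules seen on this page are handled.
BIND_RE = re.compile(r'(?P<kw>userdn|groupdn)\s*(?P<op>!=|=)\s*"ldap:///(?P<dn>[^"]+)"')
def parse_aci(text):
    """Split one ACI into target, acl name, effect, rights and bind rule."""
    m = ACI_RE.fullmatch(re.sub(r"^aci:\s*", "", text.strip()))
    b = BIND_RE.fullmatch(m["bind"].strip()) if m else None
    if not b:
        raise ValueError("unsupported ACI: " + text)
    return {"target": m["target"].lower(), "name": m["name"], "effect": m["effect"],
            "rights": {r.strip() for r in m["rights"].split(",")},
            "bind": (b["kw"], b["op"], b["dn"].lower())}
def target_matches(pattern, dn):
    """In scope if the DN matches the wildcard pattern or lies beneath it."""
    dn = dn.lower()
    return fnmatchcase(dn, pattern) or dn.endswith("," + pattern)
def bind_rule_holds(rule, bind_dn, member_of):
    kw, op, dn = rule
    if kw == "userdn":
        hit = dn == "anyone" or fnmatchcase(bind_dn.lower(), dn)
    else:  # groupdn: the bound identity must belong to that group
        hit = dn in {g.lower() for g in member_of}
    return hit if op == "=" else not hit
def decide(acis, bind_dn, member_of, entry_dn, right):
    """Default deny; an explicit deny beats every allow. A modrdn needs write."""
    allowed = False
    for aci in acis:
        if (right in aci["rights"] and target_matches(aci["target"], entry_dn)
                and bind_rule_holds(aci["bind"], bind_dn, member_of)):
            if aci["effect"] == "deny":
                return "deny"
            allowed = True
    return "allow" if allowed else "deny"
```

A helpDeskGroup member is refused write (and so the rename) on any cn=*,ou=people entry even when another ACI would grant it, while the same member can still read the entry.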