Bind Rules
This ACI grants managers all rights on the entries of employees that report to
them. However, because access rights are evaluated on the entry being created,
this type of ACI would also allow any employee to create an entry in which the
manager attribute is set to their own DN. For example, disgruntled employee Joe
(cn=Joe,ou=eng,dc=example,dc=com) might want to create an entry in the
Human Resources branch of the tree to use (or misuse) the privileges granted to
Human Resources employees.
He could do this by creating the following entry:
dn: cn=Trojan Horse,ou=Human Resources,dc=example,dc=com
objectclass: top
...
cn: Trojan Horse
manager: cn=Joe,ou=eng,dc=example,dc=com
To avoid this type of security threat, the ACI evaluation process does not grant
add permission at level 0, that is, on the entry being added itself. You can,
however, use the parent keyword to grant add rights below existing entries. You
must specify the number of levels below the parent for add rights. For example,
the following ACI allows child entries to be added to any entry in
dc=example,dc=com that has a manager attribute matching the bind DN:
aci: (target="ldap:///dc=example,dc=com")(targetattr=*)
(version 3.0; acl "parent-access"; allow (add)
userattr = "parent[0,1].manager#USERDN";)
This ACI ensures that add permission is granted only to users whose bind DN
matches the manager attribute of the parent entry. Because add is never granted
at level 0, the value checked is the manager attribute of the existing parent
(here ou=Human Resources,dc=example,dc=com), not a manager value the requester
supplies in the entry being added, so Joe's Trojan Horse entry gains him nothing.
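To make the evaluation order concrete, here is an added Python model of how an allow (add) ACI with a userattr bind rule is decided. It is an illustration written for this page, not Directory Server's own code: the in-memory tree, the DNs cn=Alice,ou=eng,dc=example,dc=com and cn=Hana,ou=Human Resources,dc=example,dc=com, and the functions parse_userattr(), ancestor(), lookup() and evaluate_add() are all constructed for the example. The grant_level0 flag exists only to contrast the naive evaluation the text warns about with the documented behaviour, in which level 0 is skipped for add.

```python
"""Added model of userattr / parent[n] bind-rule evaluation for an add operation.
Illustration only, not Directory Server code: the tree, DNs and helpers are constructed."""
import re

# Constructed directory tree: DN -> attributes (attribute values are lists).
JOE = "cn=Joe,ou=eng,dc=example,dc=com"
ALICE = "cn=Alice,ou=eng,dc=example,dc=com"              # assumed: manager of ou=eng
HANA = "cn=Hana,ou=Human Resources,dc=example,dc=com"    # assumed: manager of ou=Human Resources

DIRECTORY = {
    "dc=example,dc=com": {"objectclass": ["top", "domain"]},
    "ou=eng,dc=example,dc=com": {"objectclass": ["top", "organizationalUnit"], "manager": [ALICE]},
    "ou=Human Resources,dc=example,dc=com": {"objectclass": ["top", "organizationalUnit"], "manager": [HANA]},
    JOE: {"objectclass": ["top", "person"], "cn": ["Joe"], "manager": [ALICE]},
}

# The entry from the page that Joe tries to add under Human Resources.
TROJAN_DN = "cn=Trojan Horse,ou=Human Resources,dc=example,dc=com"
TROJAN_ENTRY = {"objectclass": ["top", "person"], "cn": ["Trojan Horse"], "manager": [JOE]}

# userattr value syntax modelled here: [parent[n,m,...].]attribute#BINDTYPE
USERATTR_RE = re.compile(
    r"^(?:parent\[(?P<levels>\d+(?:,\d+)*)\]\.)?(?P<attr>[A-Za-z][\w;-]*)#(?P<bindtype>[A-Z]+)$")


def parse_userattr(spec):
    """'manager#USERDN' -> ([0], 'manager'); 'parent[0,1].manager#USERDN' -> ([0, 1], 'manager')."""
    m = USERATTR_RE.match(spec.strip())
    if not m or m.group("bindtype") != "USERDN":
        raise ValueError(f"unsupported userattr bind rule: {spec!r}")
    levels = [int(n) for n in m.group("levels").split(",")] if m.group("levels") else [0]
    return levels, m.group("attr")


def ancestor(dn, n):
    """n-th ancestor of dn (n=0 is dn itself); splits on unescaped commas, no RDN normalisation."""
    rdns = re.split(r"(?<!\\),", dn)
    return ",".join(rdns[n:]) if n < len(rdns) else None


def normalize(dn):
    return dn.strip().lower()


def lookup(dn):
    """Case-insensitive lookup of an existing entry; None if it does not exist."""
    for existing_dn, attrs in DIRECTORY.items():
        if normalize(existing_dn) == normalize(dn):
            return attrs
    return None


def evaluate_add(bind_dn, new_dn, new_entry, userattr_spec, grant_level0=False):
    """Does an allow (add) ACI with this userattr bind rule let bind_dn add new_entry at new_dn?

    grant_level0=False models the documented behaviour: add is never granted at level 0,
    so the entry being created is skipped and only existing ancestors are consulted.
    grant_level0=True models the naive evaluation the page warns about, in which the
    requester's own attribute values in the new entry are trusted."""
    levels, attr = parse_userattr(userattr_spec)
    for level in levels:
        if level == 0:
            if not grant_level0:
                continue
            candidate = new_entry
        else:
            parent_dn = ancestor(new_dn, level)
            candidate = lookup(parent_dn) if parent_dn else None
            if candidate is None:
                continue  # no such ancestor: nothing to match against
        if any(normalize(v) == normalize(bind_dn) for v in candidate.get(attr, [])):
            return True
    return False


def demo():
    naive = "manager#USERDN"
    parent_access = "parent[0,1].manager#USERDN"   # the ACI from the page
    new_hire_dn = "cn=New Hire,ou=Human Resources,dc=example,dc=com"
    new_hire = {"objectclass": ["top", "person"], "cn": ["New Hire"], "manager": [HANA]}
    return {
        # If the rule were applied to the attacker-supplied entry, Joe would win.
        "joe_trojan_if_level0_granted": evaluate_add(JOE, TROJAN_DN, TROJAN_ENTRY, naive, grant_level0=True),
        # Documented behaviour: level 0 is skipped, so the naive rule never grants add.
        "joe_trojan_naive_rule": evaluate_add(JOE, TROJAN_DN, TROJAN_ENTRY, naive),
        # parent-access: the parent ou=Human Resources lists Hana as manager, not Joe.
        "joe_trojan_parent_access": evaluate_add(JOE, TROJAN_DN, TROJAN_ENTRY, parent_access),
        # Hana, manager of ou=Human Resources, may add child entries beneath it.
        "hana_new_hire_parent_access": evaluate_add(HANA, new_hire_dn, new_hire, parent_access),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'ALLOW' if allowed else 'DENY'}")
```

Running the block prints the four decisions: only the naive evaluation with level 0 granted lets Joe plant his entry; under the documented rules the naive ACI grants nothing for add, and the parent-access ACI admits Hana under her own branch while denying Joe.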
Defining Access from a Specific IP Address
Using bind rules, you can indicate that the bind operation must originate from a
specific IP address. This is often used to force all directory updates to occur from a
given machine or network domain.
The LDIF syntax for setting a bind rule based on an IP address is
ip = "IP_address"
or
ip != "IP_address"
The IP address must be expressed in dot notation. You can use the wildcard
character (*) to include multiple machines. For example, the following string is
valid:
ip = "12.123.1.*";
The address tested is the source address of the connection as the server sees it,
so an ip rule restricts where a bind may come from but does not establish who is
binding; combine it with a userdn or groupdn rule rather than relying on it alone.
232
Red Hat Directory Server Administrator's Guide • May 2005
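For the ip bind rule above, here is an added Python model of how such a rule is parsed and tested against a connecting client's address. It is illustration written for this page, not Directory Server code; it assumes the grammar shown on the page (one dotted address per rule, with * standing for a whole octet), and that the client address is whatever the server sees on the connection. The functions parse_ip_rule(), ip_matches() and bind_rule_allows() are constructed for the example.

```python
"""Added model of an ip bind rule: parse ip = "..." / ip != "..." and match a client
address octet by octet, with '*' standing for any whole octet. Illustration only,
not Directory Server code; grammar and wildcard semantics are assumed from the page."""
import re

IP_RULE_RE = re.compile(r'^\s*ip\s*(!?=)\s*"([^"]*)"\s*;?\s*$')


def parse_ip_rule(rule):
    """Return (negated, pattern) for a bind rule such as 'ip = "12.123.1.*";'."""
    m = IP_RULE_RE.match(rule)
    if not m:
        raise ValueError(f"not an ip bind rule: {rule!r}")
    negated, pattern = m.group(1) == "!=", m.group(2).strip()
    octets = pattern.split(".")
    if len(octets) != 4 or not all(o == "*" or (o.isdigit() and int(o) <= 255) for o in octets):
        raise ValueError(f"address must be dot notation with optional '*' octets: {pattern!r}")
    return negated, pattern


def ip_matches(pattern, client_ip):
    """Octet-wise comparison: a string-prefix test would wrongly match 12.123.10.x against 12.123.1*."""
    client = client_ip.split(".")
    if len(client) != 4 or not all(o.isdigit() and int(o) <= 255 for o in client):
        raise ValueError(f"client address is not a dotted quad: {client_ip!r}")
    return all(p == "*" or int(p) == int(c) for p, c in zip(pattern.split("."), client))


def bind_rule_allows(rule, client_ip):
    """True if the bind rule is satisfied for a connection whose source address is client_ip.
    client_ip is the peer address the server sees (assumption: no proxy or NAT in between)."""
    negated, pattern = parse_ip_rule(rule)
    return ip_matches(pattern, client_ip) != negated


if __name__ == "__main__":
    rule = 'ip = "12.123.1.*";'   # the example from the page
    for client in ("12.123.1.77", "12.123.10.77", "112.123.1.77"):
        status = "satisfied" if bind_rule_allows(rule, client) else "not satisfied"
        print(f"{rule} with client {client}: {status}")
```

Only 12.123.1.77 satisfies the page's example rule; 12.123.10.77 and 112.123.1.77 fail because each octet is compared as a number rather than as a text prefix, and ip != inverts the result.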