Proxied Authorization Aci Example - Red Hat DIRECTORY SERVER 7.1 - ADMINISTRATOR Administrator's Manual


Access Control Usage Examples
dn: dc=example.com Bolivia\, S.A.,dc=com
objectClass: top
objectClass: organization
aci: (target="ldap:///dc=example.com Bolivia\, S.A.,dc=com")(targetattr=*)
  (version 3.0; acl "aci 2"; allow (all)
  groupdn = "ldap:///cn=Directory Administrators,dc=example.com Bolivia\, S.A.,dc=com";)

Proxied Authorization ACI Example

For this example, suppose:

- The client application's bind DN is "uid=MoneyWizAcctSoftware,ou=Applications,dc=example,dc=com".
- The targeted subtree to which the client application is requesting access is ou=Accounting,dc=example,dc=com.
- An Accounting Administrator with access permissions to the ou=Accounting,dc=example,dc=com subtree exists in the directory.

In order for the client application to gain access to the Accounting subtree (using the same access permissions as the Accounting Administrator):

- The Accounting Administrator must have access permissions to the ou=Accounting,dc=example,dc=com subtree. For example, the following ACI grants all rights to the Accounting Administrator entry:

  aci: (target="ldap:///ou=Accounting,dc=example,dc=com")
    (targetattr="*") (version 3.0; acl "allowAll-AcctAdmin";
    allow (all)
    userdn="ldap:///uid=AcctAdministrator,ou=Administrators,dc=example,dc=com";)

- The following ACI granting proxy rights to the client application must exist in the directory:

  aci: (target="ldap:///ou=Accounting,dc=example,dc=com")
    (targetattr="*") (version 3.0; acl
    "allowproxy-accountingsoftware"; allow (proxy)
    userdn="ldap:///uid=MoneyWizAcctSoftware,ou=Applications,dc=example,dc=com";)

With this ACI in place, the MoneyWizAcctSoftware client application can bind to the directory and send an LDAP command such as ldapsearch or ldapmodify that requires the access rights of the proxy DN.

Red Hat Directory Server Administrator's Guide • May 2005
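An audit sketch for the proxy arrangement described above, added here as an example and not taken from the manual: it parses ACI values, finds each explicit proxy grant, and lists whose rights on the same target the grantee can reach. The names parse_aci and proxy_report are hypothetical, the third sample ACI is constructed, and the matching is simplified to allow rules with an identical target and userdn/groupdn subjects.

```python
import re

ACI_RE = re.compile(
    r'\(target\s*=\s*"ldap:///(?P<target>[^"]*)"\).*?'
    r'acl\s+"(?P<name>[^"]+)"\s*;\s*allow\s*\((?P<rights>[^)]*)\)'
    r'\s*(?P<rule>.*?);?\s*\)\s*$', re.S)
SUBJECT_RE = re.compile(r'(?:userdn|groupdn)\s*=\s*"ldap:///([^"]*)"')
BROAD = {"anyone", "all"}  # bind-rule keywords that match any client / any bound user

T = '(target="ldap:///ou=Accounting,dc=example,dc=com")(targetattr="*") (version 3.0; '
SAMPLE_ACIS = [  # the first two are the ACIs on this page; the third is constructed
    T + 'acl "allowAll-AcctAdmin"; allow (all) '
        'userdn="ldap:///uid=AcctAdministrator,ou=Administrators,dc=example,dc=com";)',
    T + 'acl "allowproxy-accountingsoftware"; allow (proxy) '
        'userdn="ldap:///uid=MoneyWizAcctSoftware,ou=Applications,dc=example,dc=com";)',
    T + 'acl "constructed-proxy-anyone"; allow (proxy) userdn="ldap:///anyone";)',
]

def parse_aci(text):
    """Return target, name, rights and subjects of one 'allow' ACI, or None."""
    m = ACI_RE.search(text)
    if m is None:
        return None
    rights = {r.strip().lower() for r in m["rights"].split(",")}
    return {"target": m["target"].lower(), "name": m["name"],
            "rights": rights, "subjects": SUBJECT_RE.findall(m["rule"])}

def proxy_report(aci_values):
    """For each ACI granting 'proxy', report who holds it and which
    identities with rights on the same target it makes reachable."""
    parsed = [p for p in map(parse_aci, aci_values) if p]
    report = []
    for p in parsed:
        if "proxy" not in p["rights"]:  # 'all' excludes proxy; only explicit grants count
            continue
        reachable = sorted({s for q in parsed
                            if q["target"] == p["target"] and q["rights"] - {"proxy"}
                            for s in q["subjects"]})
        broad = any(s.lower() in BROAD or "*" in s for s in p["subjects"])
        report.append({"acl": p["name"], "target": p["target"],
                       "grantees": p["subjects"], "reachable": reachable, "broad": broad})
    return report

if __name__ == "__main__":
    for row in proxy_report(SAMPLE_ACIS):
        print(row)
```

A row with broad set to True marks a proxy grant that is not tied to one application DN and deserves review first.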
