Chapter 8. Designing a Secure Directory
In addition, permissions can be set for a specific user, for all users belonging to a specific group, or for
all users of the directory. Lastly, access can be defined for a network location such as an IP address or
a DNS name.
8.7.1. About the ACI Format
When designing the security policy, it is helpful to understand how ACIs are represented in the
directory. It is also helpful to understand what permissions can be set in the directory. This section
gives a brief overview of the ACI mechanism. For a complete description of the ACI format, refer to the
Red Hat Directory Server Administrator's Guide.
Directory ACIs use the following general form:
target permission bind_rule
The ACI variables are defined below:
• target. Specifies the entry (usually a subtree) that the ACI targets, the attribute it targets, or both.
The target identifies the directory element that the ACI applies to. An ACI can target only one
entry, but it can target multiple attributes. In addition, the target can contain an LDAP search filter.
Permissions can be set for widely scattered entries that contain common attribute values.
• permission. Identifies the actual permission being set by this ACI. The permission variable states
that the ACI is allowing or denying a specific type of directory access, such as read or search, to the
specified target.
• bind_rule. Identifies the bind DN or network location to which the permission applies. The bind
rule may also specify an LDAP filter; if that filter evaluates to true for the binding client
application, then the ACI applies to that client application.
ACIs can therefore be expressed as follows: "For the directory object target, allow or deny permission
if bind_rule is true."
permission and bind_rule are set as a pair, and there can be multiple permission-bind_rule pairs for
every target. Multiple access controls can be effectively set for any given target. For example:
target (permission bind_rule)(permission bind_rule)...
A permission can be set to allow anyone binding as Babs Jensen to write to Babs Jensen's telephone
number. The bind rule in this permission is the part that states "if you bind as Babs Jensen." The target
is Babs Jensen's phone number, and the permission is write access.
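The Babs Jensen example above, worked through as an added illustration (this is not code from the Deployment Guide or from Directory Server itself): a small model of the target / permission / bind_rule structure, with the DNs, the IP-based bind rule and the rule that an explicit deny overrides any allow being assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed example, not Directory Server code: models "target permission
# bind_rule" evaluation. DNs, the deny-beats-allow rule and the subtree
# scoping are assumptions for illustration.

def in_subtree(entry_dn: str, base_dn: str) -> bool:
    """Targeting a branch point covers that entry and all of its children."""
    e, b = entry_dn.lower(), base_dn.lower()
    return e == b or e.endswith("," + b)

@dataclass
class Aci:
    target_dn: str                 # entry (usually a subtree) the ACI targets
    target_attrs: List[str]        # empty list = every attribute of the entry
    # one target may carry several (allow|deny, right, bind_rule) pairs
    rules: List[Tuple[str, str, Callable[[dict], bool]]]

    def targets(self, entry_dn: str, attr: str) -> bool:
        if not in_subtree(entry_dn, self.target_dn):
            return False
        wanted = [a.lower() for a in self.target_attrs]
        return not wanted or attr.lower() in wanted

def evaluate(acis: List[Aci], client: dict, entry_dn: str, attr: str, right: str) -> bool:
    """Default deny; an explicit matching deny beats any allow (assumed)."""
    allowed = False
    for aci in acis:
        if not aci.targets(entry_dn, attr):
            continue
        for effect, r, bind_rule in aci.rules:
            if r == right and bind_rule(client):
                if effect == "deny":
                    return False
                allowed = True
    return allowed

BABS = "uid=bjensen,ou=People,dc=example,dc=com"   # assumed DN

# "Allow anyone binding as Babs Jensen to write Babs Jensen's telephone number."
BABS_PHONE_ACI = Aci(BABS, ["telephoneNumber"],
                     [("allow", "write", lambda c: c["bind_dn"].lower() == BABS.lower())])
# Second ACI on the whole People branch: deny writes from outside 10.0.0.0/8 (assumed).
NETWORK_ACI = Aci("ou=People,dc=example,dc=com", [],
                  [("deny", "write", lambda c: not c["ip"].startswith("10."))])
ACIS = [BABS_PHONE_ACI, NETWORK_ACI]

def can_write(bind_dn: str, ip: str, entry_dn: str, attr: str) -> bool:
    return evaluate(ACIS, {"bind_dn": bind_dn, "ip": ip}, entry_dn, attr, "write")
```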
8.7.1.1. Targets
Decide which entry is targeted by every ACI created in the directory. Targeting a directory branch point
entry includes that branch point and all of its child entries in the scope of the permission. If a target
entry is not explicitly defined for the ACI, then the ACI is targeted to the directory entry that contains
the ACI statement. Further, the default set of attributes targeted by the ACI is any attribute available in
the targeted entry's object class structure.
For every ACI, only one entry or only those entries that match a single LDAP search filter can be
targeted.
In addition to targeting entries, it is possible to target attributes on the entry; this applies the
permission to only a subset of attribute values. Target sets of attributes by explicitly naming those