Red Hat DIRECTORY SERVER 8.1 - DEPLOYMENT Deployment Manual page 142


Chapter 8. Designing a Secure Directory
street attribute were added with read, compare, and search rights, then street: rsc would
appear in the attributeLevelRights results.
It is possible to return rights for attributes which are not normally included in the search results, like
non-existent attributes or operational attributes. Using an asterisk (*) returns the rights for all possible
attributes for an entry, including non-existent attributes.
/usr/lib/mozldap/ldapsearch -J \
  1.3.6.1.4.1.42.2.27.9.5.2:true:dn:uid=scarter,ou=people,dc=example,dc=com \
  "(objectclass=*)" "*"
Using the plus sign (+) returns the rights for the entry's operational attributes, which an ldapsearch
for the asterisk (*) does not return. For example:
/usr/lib/mozldap/ldapsearch -J \
  1.3.6.1.4.1.42.2.27.9.5.2:true:dn:uid=scarter,ou=people,dc=example,dc=com \
  "(objectclass=*)" "+"
The asterisk (*) and the plus sign (+) can be used together to return every attribute for the entry.
Effective rights for existing attributes are also visible in the Directory Server Console. Open the
Advanced Properties editor for the user entry, and then select the Show effective rights checkbox.
This displays the attribute-level rights (r, s, c, w, o) next to the attributes listed in the main window and
the entry-level rights (v, a, d, n) underneath the entry's DN at the bottom of the window.
For more information about using get effective rights options with ldapsearch, see the
Administrator's Guide.
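The value of a get effective rights search is the audit it enables: confirming that an identity holds no more rights on other entries than the security policy intends. The following Python is an added example, not code from the Deployment Guide or from Directory Server. It parses the LDIF that a search like the ones above prints (entryLevelRights and attributeLevelRights, including folded continuation lines) and flags attributes on which the checked identity can write or delete values. The sample output, the list of sensitive attributes, and the "none" spelling for an attribute with no rights are constructed for the example.

```python
"""Parse get effective rights (GER) output from ldapsearch and audit it."""
from collections import namedtuple

# Letters used by the get effective rights control (entry level: v a d n;
# attribute level: r s c w o), as listed on this page of the guide.
ENTRY_RIGHTS = {"v": "view", "a": "add", "d": "delete", "n": "rename"}
ATTR_RIGHTS = {"r": "read", "s": "search", "c": "compare",
               "w": "write", "o": "obliterate"}

# Constructed sample: what a GER search with "*" might print for scarter when
# the checked identity has no read right on userPassword (so its value is
# absent) but can still write it. Not captured from a real server.
SAMPLE_GER_OUTPUT = """\
dn: uid=scarter,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
uid: scarter
cn: Sam Carter
entryLevelRights: vadn
attributeLevelRights: objectClass:rsc, uid:rsc, cn:rscwo, userPassword:wo,
  street:rsc, aci:rscwo, nsRoleDN:none
"""

# Attributes an auditor would not expect an ordinary account to modify
# (assumed watch list; extend it to match the local policy).
SENSITIVE_ATTRIBUTES = ["userPassword", "aci", "nsRoleDN", "memberOf"]

GerResult = namedtuple("GerResult", "dn entry_rights attr_rights")


def unfold_ldif(text):
    """Join LDIF continuation lines (a leading single space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def _rights_set(token, allowed):
    """Turn a rights token such as 'rscwo' or 'none' into a set of letters."""
    token = token.strip()
    if token == "none" or token == "":
        return set()
    bad = set(token) - set(allowed)
    if bad:
        raise ValueError("unknown right letter(s) %r in %r" % (sorted(bad), token))
    return set(token)


def parse_ger(text):
    """Parse one GER entry into its DN, entry-level rights and per-attribute rights."""
    dn, entry_rights, attr_rights = None, set(), {}
    for line in unfold_ldif(text):
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            dn = value
        elif key == "entrylevelrights":
            entry_rights = _rights_set(value, ENTRY_RIGHTS)
        elif key == "attributelevelrights":
            for item in value.split(","):
                if not item.strip():
                    continue
                attr, _, rights = item.partition(":")
                # Attribute names are case-insensitive in LDAP; normalise them.
                attr_rights[attr.strip().lower()] = _rights_set(rights, ATTR_RIGHTS)
    if dn is None:
        raise ValueError("no dn: line in GER output")
    return GerResult(dn, entry_rights, attr_rights)


def writable_attributes(result, watch):
    """Return the watched attributes the checked identity can write (w) or delete (o)."""
    return sorted(a for a in watch
                  if result.attr_rights.get(a.lower(), set()) & {"w", "o"})


def can_change_entry(result):
    """True if the identity can add, delete or rename the entry (not merely view it)."""
    return bool(result.entry_rights & {"a", "d", "n"})


if __name__ == "__main__":
    res = parse_ger(SAMPLE_GER_OUTPUT)
    print("entry:", res.dn)
    print("entry-level:", sorted(ENTRY_RIGHTS[r] for r in res.entry_rights))
    print("writable sensitive attributes:",
          writable_attributes(res, SENSITIVE_ATTRIBUTES))
```

Run it against the real output of the ldapsearch shown above (piped in instead of SAMPLE_GER_OUTPUT) for each identity the policy cares about; a non-empty list from writable_attributes, or can_change_entry returning True for an identity that should only read, points at an ACI to tighten.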
8.7.4. Using ACIs: Some Hints and Tricks
Keep these tips in mind when implementing the security policy. They can help to lower the administrative
burden of managing the directory security model and improve the directory's performance
characteristics.
• Minimize the number of ACIs in the directory.
Although the Directory Server can evaluate over 50,000 ACIs, it is difficult to manage a large
number of ACI statements. A large number of ACIs makes it hard for human administrators to
immediately determine which directory objects are available to particular clients.
Directory Server can reduce the number of ACIs in the directory through macros. Macros are
placeholders that represent a DN, or a portion of a DN, in an ACI. Use the macro to represent a DN
in the target portion of the ACI, in the bind rule portion, or both, so that one ACI covers every
subtree that matches the macro. For more information on macro ACIs, refer to the "Managing Access
Control" chapter in the Red Hat Directory Server Administrator's Guide.
• Balance allow and deny permissions.
Although the default rule is to deny access to any user who has not been specifically granted
access, it may be better to reduce the number of ACIs by using one ACI to allow access close to the
root of the tree, and a small number of deny ACIs close to the leaf entries. This scenario can avoid
the use of multiple allow ACIs close to the leaf entries. Because a matching deny ACI takes
precedence over any allow ACI, a deny placed near the leaf reliably overrides the broad allow above it.
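To make the macro tip concrete, the following Python is an added illustration, not code from the Deployment Guide or from Directory Server. It models the ($dn) substitution that the Administrator's Guide describes for macro ACIs: ($dn) in the target matches the part of the accessed entry's DN between the literal components around it, and that matched fragment is substituted for ($dn) in the bind rule. The ACI text, the dc=example,dc=com suffix, the DomainAdmins group name and the list of hosted subtrees are assumptions for the example; the authoritative evaluation is the server's, and this code only shows how one macro ACI stands in for one explicit ACI per subtree.

```python
"""Model the ($dn) macro in a Directory Server ACI (illustrative only)."""
import re

# Assumed ACI: one rule lets each hosted company's DomainAdmins group manage
# the groups under its own subtree. The same ($dn) appears in target and bind rule.
MACRO_ACI = (
    '(target="ldap:///ou=Groups,($dn),dc=example,dc=com")(targetattr="*")'
    '(version 3.0; acl "Domain admins manage their own groups"; '
    'allow (all) groupdn="ldap:///cn=DomainAdmins,ou=Groups,($dn),dc=example,dc=com";)'
)

TARGET_RE = re.compile(r'\(target="ldap:///([^"]+)"\)')
GROUPDN_RE = re.compile(r'groupdn="ldap:///([^"]+)"')


def match_macro_target(target_dn, entry_dn):
    """Return the DN fragment that ($dn) stands for when entry_dn lies under the
    macro target, or None if it does not.

    The target names a subtree, so entry_dn may carry extra leading RDNs in
    front of the part the target spells out. DN comparison is simplified to a
    case-insensitive string match on the unnormalised DN.
    """
    if "($dn)" not in target_dn:
        raise ValueError("target contains no ($dn) macro")
    prefix, suffix = target_dn.split("($dn)", 1)
    pattern = re.compile(
        r"^(?:.*?,)?" + re.escape(prefix) + r"(.+?)" + re.escape(suffix) + r"$",
        re.IGNORECASE,
    )
    m = pattern.match(entry_dn)
    return m.group(1) if m else None


def expand_aci(aci, entry_dn):
    """Return the ACI with every ($dn) replaced by the fragment matched for
    entry_dn, or None if the entry is outside the macro target."""
    m = TARGET_RE.search(aci)
    if not m:
        raise ValueError("ACI has no target keyword")
    fragment = match_macro_target(m.group(1), entry_dn)
    if fragment is None:
        return None
    return aci.replace("($dn)", fragment)


def bind_group_for(aci, entry_dn):
    """The concrete group DN whose members the expanded ACI allows for entry_dn."""
    expanded = expand_aci(aci, entry_dn)
    if expanded is None:
        return None
    m = GROUPDN_RE.search(expanded)
    return m.group(1) if m else None


def explicit_acis(aci, subtree_fragments):
    """The per-subtree ACIs the single macro ACI replaces (one per fragment)."""
    return [aci.replace("($dn)", frag) for frag in subtree_fragments]


if __name__ == "__main__":
    # Assumed hosted subtrees; without the macro, each would need its own ACI.
    hosted = ["ou=hostedCompany1", "ou=hostedCompany2", "ou=hostedCompany3"]
    print("explicit ACIs replaced by one macro ACI:", len(explicit_acis(MACRO_ACI, hosted)))
    entry = "cn=Admins,ou=Groups,ou=hostedCompany1,dc=example,dc=com"
    print(entry, "->", bind_group_for(MACRO_ACI, entry))
```

Note that a nested subtree such as ou=subdomain1,ou=hostedCompany1 matches as a whole fragment, so the DomainAdmins group of that subdomain, not of the parent company, is the one granted; that is the behaviour to expect when checking effective rights after deploying a macro ACI.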