Red Hat DIRECTORY SERVER 8.1 - DEPLOYMENT Deployment Manual page 152

Chapter 9. Directory Design Examples
Figure 9.5. Supplier and Consumer Architecture for Example Corp.
9.1.6. Local Enterprise Security Design
Example Corp. decides on the following security design to protect its directory data:

• They create an ACI that allows employees to modify their own entries. Users can modify all attributes except the uid, manager and department attributes.

• To protect the privacy of employee data, they create an ACI that allows only the employee and their manager to see the employee's home address and phone number.

• They create an ACI at the root of the directory tree that grants the two administrator groups the appropriate directory permissions. The directory administrators group needs full access to the directory. The messaging administrators group needs write and delete access to the mailRecipient and mailGroup object classes and the attributes contained in those object classes, as well as the mail attribute. Example Corp. also grants the messaging administrators group write, delete, and add permissions to the group subdirectory for the creation of mail groups.

• They create a general ACI at the root of the directory tree that allows anonymous read, search, and compare access. This ACI denies anonymous write access to password information.

• To protect the server from denial of service attacks and inappropriate use, they set resource limits based on the DN used by directory clients to bind. Example Corp. allows anonymous users to receive 100 entries at a time in response to search requests, messaging administrative users to receive 1,000 entries, and directory administrators to receive an unlimited number of entries.
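The design above, written out as the ACIs and resource limits it implies. This is a constructed example added here, not LDIF from the Red Hat manual: the suffix dc=example,dc=com, the group and user DNs, and the mail attribute list are assumptions, and the extra exclusion of the aci attribute from self-write is a precaution the text does not mention.

```ldif
# Constructed example (not from the manual). Assumed: suffix dc=example,dc=com,
# admin groups under ou=Groups, sample user DNs under ou=People.
dn: dc=example,dc=com
changetype: modify
add: aci
# 1. Employees modify their own entry, except uid, manager and department.
#    aci is excluded as well so a user cannot rewrite the controls on their own entry.
aci: (targetattr != "uid || manager || department || aci")(version 3.0; acl "Self modify"; allow (write) userdn = "ldap:///self";)
# 2. Home contact details readable only by the employee and by whoever is named in the entry's manager attribute.
aci: (targetattr = "homePostalAddress || homePhone")(version 3.0; acl "Home contact privacy"; allow (read, search, compare) userdn = "ldap:///self" or userattr = "manager#USERDN";)
# 3a. Directory administrators get full access.
aci: (targetattr = "*")(version 3.0; acl "Directory Administrators"; allow (all) groupdn = "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)
# 3b. Messaging administrators: write/delete on mail attributes of mailRecipient and mailGroup entries.
#     The attribute list is a placeholder; complete it from the mailRecipient/mailGroup schema.
aci: (targetfilter = "(|(objectClass=mailRecipient)(objectClass=mailGroup))")(targetattr = "mail || mailAlternateAddress || mailHost || mailRoutingAddress")(version 3.0; acl "Messaging Administrators mail attrs"; allow (write, delete) groupdn = "ldap:///cn=Messaging Administrators,ou=Groups,dc=example,dc=com";)
# 3c. Messaging administrators may add, change and remove entries under the group subtree.
aci: (target = "ldap:///ou=Groups,dc=example,dc=com")(targetattr = "*")(version 3.0; acl "Messaging Administrators groups"; allow (add, write, delete) groupdn = "ldap:///cn=Messaging Administrators,ou=Groups,dc=example,dc=com";)
# 4. Anonymous read/search/compare. Allow rules are unioned and anything not allowed is denied,
#    so userPassword and the home contact attributes are excluded here and no rule grants anonymous write.
aci: (targetattr != "userPassword || homePostalAddress || homePhone")(version 3.0; acl "Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)

# 5. Search size limits. Per-user limits are set on the entry the client binds as; -1 means unlimited.
dn: uid=mailadmin1,ou=People,dc=example,dc=com
changetype: modify
replace: nsSizeLimit
nsSizeLimit: 1000

dn: uid=diradmin1,ou=People,dc=example,dc=com
changetype: modify
replace: nsSizeLimit
nsSizeLimit: -1

# Anonymous binds have no entry to carry nsSizeLimit, so they get the server-wide default,
# which also applies to any authenticated user whose entry sets no nsSizeLimit.
dn: cn=config
changetype: modify
replace: nsslapd-sizelimit
nsslapd-sizelimit: 100
```

Apply with ldapmodify as the Directory Manager, then verify each class of bind with ldapsearch: an anonymous search must not return userPassword or homePhone, and a search as a messaging administrator must stop at 1,000 entries.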
142
