Assigning Classes Of Service; About Cos - Red Hat DIRECTORY SERVER 8.0 - ADMINISTRATION Administration Manual


To prevent users from removing the nsRoleDN attribute, use the following ACIs depending upon the
type of role being used.
• Managed roles. For entries that are members of a managed role, use the following ACI to prevent
users from unlocking themselves by removing the appropriate nsRoleDN:
  aci: (targetattr="nsRoleDN")
   (targattrfilters="add=nsRoleDN:(!(nsRoleDN=cn=AdministratorRole,dc=example,dc=com)),
   del=nsRoleDN:(!(nsRoleDN=cn=nsManagedDisabledRole,dc=example,dc=com))")
   (version 3.0; acl "allow mod of nsRoleDN by self but not to critical values";
   allow (write) userdn="ldap:///self";)
• Filtered roles. The attributes that are part of the filter should be protected so that the user cannot
relinquish the filtered role by modifying an attribute. The user should not be allowed to add, delete,
or modify the attribute used by the filtered role. If the value of the filter attribute is computed, then all
attributes that can modify the value of the filter attribute should be protected in the same way.
• Nested roles. A nested role is comprised of filtered and managed roles, so the above points should
be considered for each of the roles that comprise the nested role.
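The same protection for a filtered role, as an added example that is not from the manual: the role's membership is computed from the employeeType attribute, so the ACI removes a user's ability to write that attribute on their own entry. The role name, the attribute choice and the dc=example,dc=com DNs are assumptions.

```ldif
# Added example (not from the manual). Filtered role whose membership is
# computed from the employeeType attribute; DNs and names are assumed.
dn: cn=ContractorRole,ou=People,dc=example,dc=com
changetype: add
objectClass: top
objectClass: LDAPsubentry
objectClass: nsRoleDefinition
objectClass: nsComplexRoleDefinition
objectClass: nsFilteredRoleDefinition
cn: ContractorRole
nsRoleFilter: (employeeType=contractor)
description: Entries with employeeType=contractor are members of this role

# Because membership follows employeeType, a user who could change that
# attribute on their own entry could leave (or join) the role. This ACI on
# the suffix removes self-write for the filter attribute; a deny takes
# precedence over any broader self-write allow elsewhere in the tree.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="employeeType")
 (version 3.0; acl "no self-modification of filtered role attribute";
 deny (write) userdn="ldap:///self";)
```

Load the file with ldapmodify as the Directory Manager (for example `ldapmodify -x -D "cn=Directory Manager" -W -f roles.ldif`), then bind as an ordinary user and attempt to modify employeeType on that user's own entry: the modify should be rejected with an insufficient-access error. If the filter attribute is itself derived from other attributes, repeat the deny for each of those attributes as the text above requires.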
For more information about account inactivation, see Section 7.2, "Inactivating Users and Roles".

5.2. Assigning Classes of Service

A Class of Service definition (CoS) shares attributes between entries in a way that is transparent to
applications. CoS simplifies entry management and reduces storage requirements.
Section 5.2.1, "About CoS"
Section 5.2.2, "Managing CoS Using the Console"
Section 5.2.3, "Managing CoS from the Command-Line"
Section 5.2.4, "Creating Role-Based Attributes"
Section 5.2.5, "Access Control and CoS"

5.2.1. About CoS

Clients of the Directory Server read the attributes on a user's entry. With CoS, some attribute values
may not be stored with the entry itself. Instead, they are generated by class of service logic as the
entry is sent to the client application.
Each CoS is comprised of the following two types of entry in the directory:
• CoS Definition Entry. The CoS definition entry identifies the type of CoS used. Like the role definition
entry, it inherits from the LDAPsubentry object class. The CoS definition entry is below the branch
at which it is effective.
• Template Entry. The CoS template entry contains a list of the shared attribute values. Changes to
the template entry attribute values are automatically applied to all the entries within the scope of the
CoS. A single CoS might have more than one template entry associated with it.
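The two entry types described above, as an added example that is not from the manual: a pointer CoS definition placed at the ou=People branch and the single template entry it points to, so that every entry under that branch returns a postalCode it does not store. The CoS name, the template name, the attribute and its value, and the dc=example,dc=com DNs are assumptions.

```ldif
# Added example (not from the manual). A pointer CoS: every entry under
# ou=People appears to carry postalCode taken from one template entry.
# DNs, names and the attribute value are assumed.

# CoS definition entry: placed at the branch where it takes effect and
# inheriting from LDAPsubentry, as the text describes.
dn: cn=PostalCodeCoS,ou=People,dc=example,dc=com
changetype: add
objectClass: top
objectClass: LDAPsubentry
objectClass: cosSuperDefinition
objectClass: cosPointerDefinition
cn: PostalCodeCoS
cosTemplateDn: cn=PostalCodeTemplate,ou=People,dc=example,dc=com
cosAttribute: postalCode

# Template entry: holds the shared value. Changing it here changes the
# postalCode every entry in scope returns, without touching those entries.
dn: cn=PostalCodeTemplate,ou=People,dc=example,dc=com
changetype: add
objectClass: top
objectClass: extensibleObject
objectClass: cosTemplate
cn: PostalCodeTemplate
postalCode: 44438
```

After loading the file with ldapmodify, a search such as `ldapsearch -x -b ou=People,dc=example,dc=com "(uid=*)" postalCode` returns the template's value for each user entry even though none of them stores it. Because the generated value is what clients see, write access to the template entry deserves the same scrutiny as write access to the user entries themselves; by default a postalCode physically stored on an entry takes precedence over the generated one, and the `override` qualifier on cosAttribute reverses that precedence.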
