Chapter 6. Managing Access Control
Red Hat Directory Server allows you to control access to your directory. This chapter describes how
to implement access control. To take full advantage of the power and flexibility of access control,
define an access control strategy as an integral part of your overall security policy while you are still
in the planning phase of your directory deployment.
6.1. Access Control Principles
The mechanism which defines user access is called access control. When the server receives
a request, it uses the authentication information provided by the user in the bind operation and
the access control instructions (ACIs) defined in the server to allow or deny access to directory
information. The server can allow or deny permissions for actions on entries like read, write, search,
and compare. The permission level granted to a user may depend on the authentication information
provided.
Access control in Directory Server is flexible enough to provide very precise rules on when the ACIs
are applicable:
• For the entire directory, a subtree of the directory, specific entries in the directory (including entries
defining configuration tasks), or a specific set of entry attributes.
• For a specific user, all users belonging to a specific group or role, or all users of the directory.
• For a specific location such as an IP address or a DNS name.
6.1.1. ACI Structure
Access control instructions are stored in the directory as attributes of entries. The aci attribute is an
operational attribute; it is available for use on every entry in the directory, regardless of whether it is
defined for the object class of the entry. It is used by the Directory Server to evaluate what rights are
granted or denied when it receives an LDAP request from a client. The aci attribute is returned in an
ldapsearch operation if specifically requested.
The three main parts of an ACI statement are:
• Target
• Permission
• Bind Rule
The permission and bind rule portions of the ACI are set as a pair, also called an access control rule
(ACR). The specified permission is granted or denied depending on whether the accompanying rule is
evaluated to be true.
6.1.2. ACI Placement
If an entry containing an ACI does not have any child entries, the ACI applies to that entry only.
If the entry has child entries, the ACI applies to the entry itself and all entries below it. As a direct
consequence, when the server evaluates access permissions to any given entry, it verifies the ACIs for
every entry between the one requested and the directory suffix, as well as the ACIs on the entry itself.
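As an added illustration (not text or code from the Administration Guide), the following Python splits an aci value into the three parts named in Section 6.1.1 and walks the DN chain described in Section 6.1.2 to list the ACIs the server consults for a given entry. It assumes the standard Directory Server aci syntax, `(target)(version 3.0; acl "name"; permission bind-rule;)`, and the directory contents and ACI values are constructed samples.

```python
import re

# Constructed sample directory: DN -> list of aci attribute values (not from the guide).
SAMPLE_ACIS = {
    "dc=example,dc=com": [
        '(targetattr="*")(version 3.0; acl "Directory managers"; '
        'allow (all) groupdn="ldap:///cn=Directory Administrators,dc=example,dc=com";)',
    ],
    "ou=People,dc=example,dc=com": [
        '(targetattr="userPassword")(version 3.0; acl "Self password write"; '
        'allow (write) userdn="ldap:///self";)',
    ],
    "uid=jdoe,ou=People,dc=example,dc=com": [],
    "ou=Groups,dc=example,dc=com": [],
}

# Target, permission and bind rule: the three main parts of an ACI (Section 6.1.1).
ACI_RE = re.compile(
    r'^(?P<target>(?:\([^()]*\))*)\s*\(version 3\.0;\s*acl "(?P<name>[^"]*)";\s*'
    r'(?P<permission>(?:allow|deny)\s*\([^)]*\))\s*(?P<bindrule>.*?);\s*\)$'
)


def parse_aci(raw):
    """Split one aci value into its target, ACL name, permission and bind rule."""
    m = ACI_RE.match(raw.strip())
    if not m:
        raise ValueError(f"not a well-formed ACI: {raw}")
    return {"target": m.group("target"), "name": m.group("name"),
            "permission": m.group("permission"), "bind_rule": m.group("bindrule")}


def parent_chain(dn, suffix):
    """Return dn and each ancestor up to and including suffix (split on unescaped commas)."""
    rdns = re.split(r'(?<!\\),\s*', dn)
    chain = []
    for i in range(len(rdns)):
        candidate = ",".join(rdns[i:])
        chain.append(candidate)
        if candidate.lower() == suffix.lower():
            return chain
    raise ValueError(f"{dn} is not below suffix {suffix}")


def applicable_acis(dn, acis_by_dn, suffix):
    """ACIs the server consults for dn: those on the entry itself and on every entry
    between it and the suffix (Section 6.1.2). Returns (defining DN, parsed ACI) pairs."""
    found = []
    for entry_dn in parent_chain(dn, suffix):
        for raw in acis_by_dn.get(entry_dn, []):
            found.append((entry_dn, parse_aci(raw)))
    return found
```

Running `applicable_acis("uid=jdoe,ou=People,dc=example,dc=com", SAMPLE_ACIS, "dc=example,dc=com")` returns the ACI set on ou=People followed by the one on the suffix, even though the user entry itself carries no aci attribute.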