Rights Required for LDAP Operations - Red Hat Directory Server 8.0 Administration Guide

Chapter 6. Managing Access Control
Table 6.2. User Rights (continued)

Right: All
Description: Indicates that the specified DN has all rights (read, write, search, delete, compare, and selfwrite) to the targeted entry, excluding proxy rights.
Rights are granted independently of one another. This means, for example, that a user who is granted
add rights can create an entry but cannot delete it if delete rights have not been specifically granted.
Therefore, when planning the access control policy for your directory, you must ensure that you grant
rights in a way that makes sense for users. For example, it does not usually make sense to grant write
permission without granting read and search permissions.
NOTE
The proxy mechanism is very powerful and must be used sparingly. Proxy rights are
granted within the scope of the ACI, and there is no way to restrict which users an entry
that holds the proxy right can impersonate: when you grant a user proxy rights, that
user can proxy for any user under the target, and the proxy right cannot be limited to a
chosen subset of them. For example, if an entity has proxy rights to the
dc=example,dc=com tree, that entity can act as any user in that tree. Make sure you set the
proxy ACI at the lowest possible level of the DIT; see Section 6.9.11, "Proxied
Authorization ACI Example".

6.3.3.3. Rights Required for LDAP Operations

This section describes the rights you need to grant to users depending on the type of LDAP operation
you want to authorize them to perform.
• Adding an entry:
    • Grant add permission on the entry being added.
    • Grant write permission on the value of each attribute in the entry. This right is granted by default
      but can be restricted using the targattrfilters keyword.
• Deleting an entry:
    • Grant delete permission on the entry to be deleted.
    • Grant write permission on the value of each attribute in the entry. This right is granted by default
      but can be restricted using the targattrfilters keyword.
• Modifying an attribute in an entry:
    • Grant write permission on the attribute type.
    • Grant write permission on each value of that attribute type being written. This right is granted by
      default but can be restricted using the targattrfilters keyword.
• Modifying the RDN of an entry:
    • Grant write permission on the entry.
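To make the rules above concrete, here is an added example, written for this page and not code from Red Hat Directory Server, that models them in Python. It encodes the rights each operation needs, an ACI's target scope (the same subtree scoping the note on proxy rights relies on), targetattr, and a targattrfilters-style per-value predicate, then checks a constructed policy for uid=hr and uid=helpdesk. The DNs, ACIs, entries and the no_role_entries predicate are assumptions for illustration; the model treats "write permission on the entry" for a rename as write on the attribute and value that form the new RDN, and it ignores the real ACI grammar, bind rules, deny ACIs and precedence.

```python
"""Simplified model of the rights an ACI must grant for each LDAP operation
listed in section 6.3.3.3 (added example; not Directory Server code).
Modelled: target scope, allowed rights, targetattr, a targattrfilters-style
value predicate. Not modelled: ACI grammar, bind rules, deny ACIs, precedence.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

Entry = Dict[str, List[str]]


def is_under(dn: str, base: str) -> bool:
    """True if dn is base itself or lies below it (naive string DN compare)."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


@dataclass
class Aci:
    target: str                     # subtree the ACI applies to
    rights: Set[str]                # e.g. {"read", "search", "add", "write"}
    users: Set[str]                 # bind DNs the rights are granted to
    targetattr: Optional[Set[str]] = None                      # None = every attribute
    value_filter: Optional[Callable[[str, str], bool]] = None  # targattrfilters stand-in


def has_right(acis: List[Aci], user: str, dn: str, right: str,
              attr: Optional[str] = None, value: Optional[str] = None) -> bool:
    """Some allow ACI grants `right` to `user` on `dn` (and attr/value, if given).
    Each required right may come from a different ACI, so every call scans them all."""
    for aci in acis:
        if user not in aci.users or right not in aci.rights or not is_under(dn, aci.target):
            continue
        if attr is not None and aci.targetattr is not None and attr.lower() not in aci.targetattr:
            continue
        if attr is not None and value is not None and aci.value_filter is not None \
                and not aci.value_filter(attr.lower(), value):
            continue
        return True
    return False


def can_add(acis: List[Aci], user: str, dn: str, entry: Entry) -> bool:
    """Add: add right on the entry plus write on every attribute value in it."""
    return has_right(acis, user, dn, "add") and all(
        has_right(acis, user, dn, "write", a, v) for a, vals in entry.items() for v in vals)


def can_delete(acis: List[Aci], user: str, dn: str, entry: Entry) -> bool:
    """Delete: delete right on the entry plus write on every attribute value in it."""
    return has_right(acis, user, dn, "delete") and all(
        has_right(acis, user, dn, "write", a, v) for a, vals in entry.items() for v in vals)


def can_modify(acis: List[Aci], user: str, dn: str, attr: str, values: List[str]) -> bool:
    """Modify: write on the attribute type and on each value being written."""
    return has_right(acis, user, dn, "write", attr) and all(
        has_right(acis, user, dn, "write", attr, v) for v in values)


def can_modrdn(acis: List[Aci], user: str, dn: str, rdn_attr: str, rdn_value: str) -> bool:
    """Rename: 'write on the entry', modelled (assumption) as write on the new RDN value."""
    return has_right(acis, user, dn, "write", rdn_attr, rdn_value)


def policy_warnings(acis: List[Aci]) -> List[str]:
    """Coarse lint for the advice above: flag ACIs granting write/add/delete without
    read and search (the missing rights could still come from another ACI)."""
    out = []
    for i, aci in enumerate(acis):
        granted = aci.rights & {"write", "add", "delete"}
        if granted and not {"read", "search"} <= aci.rights:
            out.append(f"aci[{i}] on {aci.target}: grants {sorted(granted)} without read and search")
    return out


# Constructed sample policy; DNs, entries and rules are assumptions for this example.
PEOPLE = "ou=People,dc=example,dc=com"
HR = "uid=hr," + PEOPLE
HELPDESK = "uid=helpdesk," + PEOPLE
ALICE = "uid=alice," + PEOPLE


def no_role_entries(attr: str, value: str) -> bool:
    """Stand-in for targattrfilters="add=objectClass:(!(objectClass=nsManagedRoleDefinition))":
    hr may add people but not managed-role entries."""
    return not (attr == "objectclass" and value.lower() == "nsmanagedroledefinition")


POLICY = [
    Aci(PEOPLE, {"read", "search", "add", "write"}, {HR}, None, no_role_entries),
    Aci(PEOPLE, {"read", "search", "write"}, {HELPDESK}, {"telephonenumber"}),
    Aci("ou=Groups,dc=example,dc=com", {"write"}, {HELPDESK}, {"member"}),  # flagged by the lint
]
PERSON: Entry = {"objectClass": ["top", "person", "inetOrgPerson"],
                 "uid": ["alice"], "cn": ["Alice Adams"], "sn": ["Adams"]}
ROLE: Entry = {"objectClass": ["top", "nsRoleDefinition", "nsManagedRoleDefinition"],
               "cn": ["admins"]}

if __name__ == "__main__":
    print("hr adds person:", can_add(POLICY, HR, ALICE, PERSON))                  # True
    print("hr deletes person:", can_delete(POLICY, HR, ALICE, PERSON))            # False: no delete right
    print("hr adds role:", can_add(POLICY, HR, "cn=admins," + PEOPLE, ROLE))      # False: value filter
    print("helpdesk sets phone:", can_modify(POLICY, HELPDESK, ALICE, "telephoneNumber", ["+1 555 0100"]))  # True
    print("helpdesk sets password:", can_modify(POLICY, HELPDESK, ALICE, "userPassword", ["x"]))  # False
    print("hr renames:", can_modrdn(POLICY, HR, ALICE, "uid", "alice.adams"))     # True
    print("hr adds outside scope:", can_add(POLICY, HR, "cn=x,ou=Groups,dc=example,dc=com", PERSON))  # False
    print("\n".join(policy_warnings(POLICY)))
```

The scenarios show the two points the text makes: uid=hr holds add and write but not delete, so it can create the person entry and cannot remove it, and one disallowed objectClass value is enough to make the whole add fail under the targattrfilters stand-in. The lint is deliberately per-ACI and therefore coarse; on a real server, compare the effective rights per user with ldapsearch's effective-rights control instead.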
