  • Grant write permission on the attribute type used in the new RDN.
  • Grant write permission on the attribute type used in the old RDN, if you want to grant the right to delete the old RDN.
  • Grant write permission on the value of the attribute type used in the new RDN. This right is granted by default but can be restricted using the targattrfilters keyword.
• Comparing the value of an attribute:
  • Grant compare permission on the attribute type.
• Searching for entries:
  • Grant search permission on each attribute type used in the search filter.
  • Grant read permission on the attribute types returned from the entry.
The permissions granted on individual attributes or entries can affect a broad range of actions; for example, a user needs several distinct permissions to perform a search such as the following ldapsearch operation:
ldapsearch -h host -s base -b "uid=bkolics,dc=example,dc=com" objectclass=* mail
The following ACI is used to determine whether user bkolics can be granted access:
aci: (targetattr = "mail")(version 3.0; acl "self access to mail"; allow (read, search) userdn = "ldap:///self";)
The search result list is empty because this ACI does not grant search access to the objectclass attribute used in the filter. If you want the search operation described above to succeed, modify the ACI to allow read and search access for both the mail and objectclass attributes:
aci: (targetattr = "mail || objectclass")(version 3.0; acl "self access to mail"; allow (read, search) userdn = "ldap:///self";)
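As an added example (not code from the Directory Server documentation or product), a small Python model of the search rule above: it parses the two ACIs on this page and shows why the first yields an empty result and the second returns mail. The regex, parse_aci, allows and search_permitted are assumptions of this model, not the server's evaluation engine.

```python
import re
# Constructed model of the rule above: a search needs "search" on every filter
# attribute and "read" on every attribute returned. It parses only the ACI shape
# used in the page's examples and is not Directory Server's evaluation engine.
ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"(?P<attrs>[^"]*)"\)'
    r'.*?allow\s*\((?P<rights>[^)]*)\)'
    r'\s*userdn\s*=\s*"(?P<userdn>[^"]*)"',
    re.DOTALL,
)

def parse_aci(aci):
    """Split an ACI string into target attributes, rights and userdn."""
    m = ACI_RE.search(aci)
    if not m:
        raise ValueError("unsupported ACI syntax: " + aci)
    return {
        "attrs": {a.strip().lower() for a in m.group("attrs").split("||")},
        "rights": {r.strip().lower() for r in m.group("rights").split(",")},
        "userdn": m.group("userdn"),
    }

def allows(aci, right, attr, bind_dn, target_dn):
    """True if this ACI grants `right` on `attr` for the bind/target pair."""
    # userdn = "ldap:///self" matches only when the bound user is the target
    # entry; other values are compared as literal DNs (assumption of this model).
    if aci["userdn"] == "ldap:///self":
        matches = bind_dn.lower() == target_dn.lower()
    else:
        matches = aci["userdn"].lower() == "ldap:///" + bind_dn.lower()
    if not matches or attr.lower() not in aci["attrs"]:
        return False
    return right in aci["rights"] or "all" in aci["rights"]

def search_permitted(acis, bind_dn, base_dn, filter_attrs, requested_attrs):
    """Attributes the user gets back; empty when any filter attribute lacks
    search permission, which is why the first ACI on the page returns nothing."""
    for attr in filter_attrs:
        if not any(allows(a, "search", attr, bind_dn, base_dn) for a in acis):
            return set()
    return {attr for attr in requested_attrs
            if any(allows(a, "read", attr, bind_dn, base_dn) for a in acis)}

# The two ACIs from this page and the DN used in its ldapsearch example.
ACI_MAIL_ONLY = ('(targetattr = "mail")(version 3.0; acl "self access to mail"; '
                 'allow (read, search) userdn = "ldap:///self";)')
ACI_MAIL_AND_OC = ('(targetattr = "mail || objectclass")(version 3.0; acl "self '
                   'access to mail"; allow (read, search) userdn = "ldap:///self";)')
BKOLICS = "uid=bkolics,dc=example,dc=com"
```

Calling search_permitted with the page's filter attribute (objectclass) and requested attribute (mail) returns an empty set for ACI_MAIL_ONLY and {"mail"} for ACI_MAIL_AND_OC.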
6.3.3.4. Permissions Syntax
In an ACI statement, the syntax for permissions is allow|deny (rights). rights is a list of 1 to 8 comma-separated keywords enclosed within parentheses. Valid keywords are read, write, add, delete, search, compare, selfwrite, proxy, or all.
In the following example, read, search, and compare access is allowed, provided the bind rule evaluates to true:
aci: (target="ldap:///dc=example,dc=com") (version 3.0; acl "example"; allow (read, search, compare) bind_rule;)
6.3.3.5. Access Control and the modrdn Operation
To explicitly deny modrdn rights using ACIs, target the relevant entries but omit the targetattr
keyword. For example, to prevent the cn=helpDeskGroup,ou=groups,o=example.com group