Table of Contents
Advertisement
Assigning Class of Service
To prevent users from removing the
depending upon the type of role being used.
Managed roles. For entries that are members of a managed role, use the following
ACI to prevent users from unlocking themselves by removing the appropriate
nsRoleDN
aci: (targetattr="nsRoleDN")
add=nsRoleDN:(!(nsRoleDN=cn=AdministratorRole,dc=example,dc=com))
,
del=nsRoleDN:(!(nsRoleDN=cn=nsManagedDisabledRole,dc=example,dc=c
om))")
(version3.0;aci "allow mod of nsRoleDN by self
Filtered roles. The attributes that are part of the filter should be protected so that
the user cannot relinquish the filtered role by modifying an attribute. The user
should not be allowed to add, delete, and modify the attribute used by the filtered
role. If the value of the filter attribute is computed, then all attributes that can
modify the value of the filter attribute should be protected in the same way.
Nested roles. A nested role is comprised of filtered and managed roles, so the
above points should be considered for each of the roles that comprise the nested
role.
For more information about account inactivation, see "Inactivating Users and
Roles," on page 266.
Assigning Class of Service
A class of service (CoS) allows you to share attributes between entries in a way that
is transparent to applications. CoS simplifies entry management and reduces
storage requirements.
There are two methods for creating and managing CoS, using the Directory Server
Console or through the command line. The following sections describe CoS in
more detail and provide the procedures for managing CoS through both the
console and the command line:
•
About CoS
170
Netscape Directory Server Administrator's Guide • January 2002
:
(targattrfilters="
but not to critical values";
allow(write)
userdn="ldap:///self";)
attribute, use the following ACIs
nsRoleDN
Advertisement
Table of Contents
