Access Control Principles
The mechanism by which you define access is called access control. When the server
receives a request, it uses the authentication information provided by the user in
the bind operation, and the access control instructions (ACIs) defined in the server
to allow or deny access to directory information. The server can allow or deny
permissions such as read, write, search, and compare. The permission level granted
to a user may be dependent on the authentication information provided.
Using access control, you can control access to the entire directory, a subtree of the
directory, specific entries in the directory (including entries defining configuration
tasks), or a specific set of entry attributes. You can set permissions for a specific
user, all users belonging to a specific group or role, or all users of the directory.
Finally, you can define access for a specific location such as an IP address or a DNS
name.
ACI Structure
Access control instructions are stored in the directory, as attributes of entries. The
aci attribute is an operational attribute; it is available for use on every entry in the
directory, regardless of whether it is defined for the object class of the entry. It is
used by the directory server to evaluate what rights are granted or denied when it
receives an LDAP request from a client. The aci attribute is returned in an ldapsearch
operation if specifically requested.
The three main parts of an ACI statement are:
• Target
• Permission
• Bind Rule
The permission and bind rule portions of the ACI are set as a pair, also called an
Access Control Rule (ACR). The specified permission is granted or denied
depending on whether the accompanying rule is evaluated to be true.
188
Netscape Directory Server Administrator's Guide • January 2002
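The following Python program is an added illustration of the target / permission / bind rule structure described above; it is not code from the Netscape Directory Server or from this guide. It parses ACI strings written in the server's `(targetattr=...)(version 3.0; acl "..."; allow|deny (rights) bindrule;)` syntax, then evaluates a request (bind DN, target entry, attribute, requested right) against a list of ACIs. The evaluation rules are deliberately simplified assumptions for demonstration: only the `targetattr` target and `userdn`/`groupdn` bind rules are handled, access is denied by default, and an explicit deny whose bind rule is true takes precedence over any allow. The DNs, group names and ACI names are constructed sample values.

```python
"""Illustrative ACI evaluator (added example; not Netscape's own code).

Handles a subset of the ACI syntax:
    (targetattr="a || b")(version 3.0; acl "name"; allow|deny (rights) bindrule;)
Evaluation semantics (assumptions for this demo): default deny, explicit deny
with a true bind rule wins over allows, only userdn/groupdn bind rules supported.
"""
import re
from dataclasses import dataclass, field

ACI_RE = re.compile(
    r'^\(targetattr\s*=\s*"(?P<attrs>[^"]*)"\)'
    r'\(version 3\.0;\s*acl\s+"(?P<name>[^"]*)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'(?P<rule>.*?);\s*\)$'
)


@dataclass
class Aci:
    name: str
    target_attrs: set      # the Target part; {"*"} means any attribute
    effect: str            # "allow" or "deny"
    rights: set            # the Permission part, e.g. {"read", "search"}
    bind_rule: str         # the Bind Rule part, e.g. 'userdn="ldap:///self"'


def parse_aci(text: str) -> Aci:
    """Split one ACI string into its target, permission and bind rule."""
    m = ACI_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported ACI syntax: {text!r}")
    attrs = {a.strip().lower() for a in m["attrs"].split("||")}
    rights = {r.strip().lower() for r in m["rights"].split(",")}
    return Aci(m["name"], attrs, m["effect"], rights, m["rule"].strip())


@dataclass
class Request:
    bind_dn: str           # identity from the bind operation ("" = anonymous)
    entry_dn: str          # entry the client wants to access
    attr: str              # attribute being accessed
    right: str             # read / write / search / compare
    groups: set = field(default_factory=set)  # groups the bind DN belongs to


def bind_rule_true(rule: str, req: Request) -> bool:
    """Evaluate a userdn or groupdn bind rule against the bound identity."""
    m = re.match(r'(userdn|groupdn)\s*=\s*"ldap:///(.*)"', rule)
    if not m:
        return False        # unsupported rule type: never matches (fail closed)
    kind, value = m.groups()
    if kind == "userdn":
        if value == "anyone":
            return True     # anonymous and authenticated users alike
        if value == "all":
            return req.bind_dn != ""   # any authenticated user
        if value == "self":
            return req.bind_dn != "" and req.bind_dn.lower() == req.entry_dn.lower()
        return req.bind_dn.lower() == value.lower()
    return value.lower() in {g.lower() for g in req.groups}


def evaluate(acis, req: Request) -> bool:
    """Return True if the request is allowed under the given ACIs."""
    allowed = False
    for aci in acis:
        # Target: does this ACI cover the requested attribute?
        if "*" not in aci.target_attrs and req.attr.lower() not in aci.target_attrs:
            continue
        # Permission: does it speak about the requested right?
        if req.right not in aci.rights:
            continue
        # Bind rule: the ACR only fires when the rule evaluates to true.
        if not bind_rule_true(aci.bind_rule, req):
            continue
        if aci.effect == "deny":
            return False    # explicit deny takes precedence
        allowed = True
    return allowed          # nothing matched: default deny


# Constructed sample policy: users may edit their own entry, everyone may read
# cn/mail, nobody may read userPassword, and one admin group may do anything.
SAMPLE_ACIS = [parse_aci(s) for s in [
    '(targetattr="*")(version 3.0; acl "self write"; allow (read,write) userdn="ldap:///self";)',
    '(targetattr="userPassword")(version 3.0; acl "no pw read"; deny (read) userdn="ldap:///anyone";)',
    '(targetattr="cn || mail")(version 3.0; acl "public"; allow (read,search) userdn="ldap:///anyone";)',
    '(targetattr="*")(version 3.0; acl "admins"; allow (read,write,search,compare) '
    'groupdn="ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)',
]]

if __name__ == "__main__":
    alice = "uid=alice,ou=People,dc=example,dc=com"
    bob = "uid=bob,ou=People,dc=example,dc=com"
    print(evaluate(SAMPLE_ACIS, Request("", alice, "cn", "read")))            # True
    print(evaluate(SAMPLE_ACIS, Request("", alice, "userPassword", "read")))  # False
    print(evaluate(SAMPLE_ACIS, Request(alice, bob, "mail", "write")))        # False
```

Each request walks the three parts in the order the guide lists them: the target decides whether an ACI applies at all, the permission decides whether it covers the requested right, and the bind rule decides whether the ACR fires for this particular bound identity. Changing the bind DN in a request (anonymous, the entry's owner, an admin group member) is the quickest way to see that the rights granted depend on the authentication information supplied at bind time.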