Table of Contents
Advertisement
Creating ACIs Manually
•
By creating a bind rule that matches user input in the bind request with an
attribute value stored in the targeted entry. For more details, see "Defining
Access Based on Value Matching," on page 211.
•
By using the
You can use the
the entry you want to target, and not in any of the entries below your target. For
example, if you want to target
any organizational units (
that contains:
targetattr=ou
A safer method is to use the
attribute value that appears in the entry alone. For example, during the installation
of the directory server, the following ACI is created:
aci: (targetattr="*")(targetfilter=(o=NetscapeRoot))(version 3.0;
acl "Default anonymous access"; allow (read, search)
userdn="ldap:///anyone";)
This ACI can apply only to the
The risk associated with these methods is that your directory tree might change in
the future, and you would have to remember to modify this ACI.
Defining Permissions
Permissions specify the type of access you are allowing or denying. You can either
allow or deny permission to perform specific operations in the directory. The
various operations that can be assigned are known as rights.
There are two parts to setting permissions:
•
Allowing or denying access
•
Assigning rights
Allowing or Denying Access
You can either explicitly allow or deny access permissions to your directory tree.
For more guidelines on when to allow and when to deny access, refer to the
Netscape Directory Server Deployment Guide.
200
Netscape Directory Server Administrator's Guide • January 2002
and
targetattr
targetfilter
keyword to specify an attribute that is only present in
targetattr
ou=people,dc=example,dc=com
) defined below that node you could specify an ACI
ou
targetfilter
o=NetscapeRoot
keywords
, and there aren't
keyword and to explicitly specify an
entry.
Advertisement
Table of Contents
