Bind Rules - Netscape Directory Server 6.02 Deployment Manual

Bind Rules

The bind rule usually identifies the bind DN to which the permission applies. It can also specify attributes of the bind itself, such as the time of day or the client's IP address.
Bind rules make it easy to express that an ACI applies only to a user's own entry. You can use this to let users update their own entries without the risk of one user updating another user's entry.
Using bind rules, you can indicate that the ACI applies:
• Only if the bind operation arrives from a specific IP address or DNS hostname. This is often used to force all directory updates to come from a given machine or network domain.
• If the client binds anonymously. Because anyone can bind anonymously, a permission granted to anonymous binds effectively applies to every client, authenticated or not.
• For anyone who successfully authenticates to the directory. This allows general access while denying anonymous access.
• Only if the client has bound as the immediate parent of the entry.
• Only if the entry the client has bound as matches a specific LDAP search filter.
The following keywords are provided to help you express these kinds of access more easily:
• Parent—If the bind DN is the immediate parent of the target entry, the bind rule is true. This lets you grant permissions that, for example, allow a directory branch point to manage its immediate child entries (and only those; grandchildren do not qualify).
• Self—If the bind DN is the same as the DN of the entry being accessed, the bind rule is true. For example, you can grant a permission that allows individuals to update their own entries.
• All—The bind rule is true for anyone who has successfully authenticated to the directory; anonymous binds do not qualify.
• Anyone—The bind rule is true for everyone, including anonymous binds. This is the keyword that allows or denies anonymous access.
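The keyword semantics above are easy to get subtly wrong (anyone includes anonymous binds, all excludes them, parent means the immediate parent only, self means the target entry itself). The evaluator below is an added example, not code from this manual or from Directory Server. It models the bind-rule subset described on this page in the ACI syntax the product uses (userdn = "ldap:///self", "ldap:///parent", "ldap:///all", "ldap:///anyone", a literal userdn, and an ip clause, joined with and) and evaluates a single allow ACI against a bind DN, client IP and target entry. The sample ACIs, DNs and addresses are constructed for the example; DN normalisation is deliberately simplified, and deny ACIs and the merging of several ACIs are out of scope.

```python
"""Toy evaluator for Netscape Directory Server ACI bind rules.

Added example, not code from the Deployment Manual or the product. Supports
only: userdn keywords self/parent/all/anyone, a literal userdn, an ip clause,
clauses joined by 'and', and a single 'allow' ACI. DN handling is naive
(no escaped commas; only case and spacing are normalised).
"""
import fnmatch
import re
from dataclasses import dataclass

ANONYMOUS = ""  # an anonymous bind presents no bind DN

# Constructed sample entries (not from the manual).
BASE = "dc=example,dc=com"
PEOPLE = "ou=People," + BASE
ALICE = "uid=alice," + PEOPLE
BOB = "uid=bob," + PEOPLE


@dataclass
class BindContext:
    bind_dn: str    # "" for an anonymous bind
    client_ip: str


def normalize_dn(dn):
    """Case- and whitespace-insensitive comparison form (toy)."""
    return ",".join(p.strip().lower() for p in dn.split(",")) if dn else ANONYMOUS


def parent_dn(dn):
    """Immediate parent only: strip one RDN, never more."""
    parts = dn.split(",", 1)
    return parts[1] if len(parts) == 2 else ANONYMOUS


# '... allow (read,write) <bind rule>;)'  ->  permission, rights, bind rule
ACI_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*(.*?)\s*;\s*\)\s*$')
CLAUSE_RE = re.compile(r'\s*(userdn|ip)\s*=\s*"([^"]*)"\s*')


def parse_aci(aci):
    m = ACI_RE.search(aci)
    if not m:
        raise ValueError("unsupported ACI form")
    rights = [r.strip() for r in m.group(2).split(",")]
    return m.group(1), rights, m.group(3)


def parse_bind_rule(text):
    """Parse e.g. userdn = "ldap:///all" and ip = "192.168.1.*" into a dict."""
    clauses = {}
    for piece in re.split(r'\s+and\s+', text.strip()):
        m = CLAUSE_RE.fullmatch(piece)
        if not m:
            raise ValueError(f"unsupported clause: {piece!r}")
        key, value = m.groups()
        if key == "userdn":
            if not value.startswith("ldap:///"):
                raise ValueError("userdn must be an ldap:/// URL")
            value = value[len("ldap:///"):]   # keyword or literal DN
        clauses[key] = value
    return clauses


def userdn_matches(spec, ctx, target_dn):
    bind, target = normalize_dn(ctx.bind_dn), normalize_dn(target_dn)
    if spec == "anyone":
        return True                      # everyone, anonymous included
    if bind == ANONYMOUS:
        return False                     # every other form needs an authenticated bind
    if spec == "all":
        return True
    if spec == "self":
        return bind == target            # the entry being accessed, not another user's
    if spec == "parent":
        return bind == parent_dn(target)
    return bind == normalize_dn(spec)    # literal DN


def bind_rule_matches(rule_text, ctx, target_dn):
    """All clauses must hold (the rule is a conjunction)."""
    clauses = parse_bind_rule(rule_text)
    if "userdn" in clauses and not userdn_matches(clauses["userdn"], ctx, target_dn):
        return False
    if "ip" in clauses and not fnmatch.fnmatchcase(ctx.client_ip, clauses["ip"]):
        return False
    return True


def aci_grants(aci, ctx, target_dn, right):
    """True if this single 'allow' ACI grants `right` on target_dn to the binder."""
    permission, rights, rule = parse_aci(aci)
    if permission != "allow" or right not in rights:
        return False
    return bind_rule_matches(rule, ctx, target_dn)


# Constructed sample ACIs (not from the manual).
SELF_WRITE = ('(targetattr = "userPassword || mail")'
              '(version 3.0; acl "self write"; allow (write) userdn = "ldap:///self";)')
ADMIN_NET = ('(version 3.0; acl "authenticated, admin net only"; '
             'allow (read,write) userdn = "ldap:///all" and ip = "192.168.1.*";)')

if __name__ == "__main__":
    alice = BindContext(ALICE, "192.168.1.20")
    print(aci_grants(SELF_WRITE, alice, ALICE, "write"))   # own entry: True
    print(aci_grants(SELF_WRITE, alice, BOB, "write"))     # someone else's entry: False
    print(aci_grants(ADMIN_NET, BindContext(ANONYMOUS, "192.168.1.20"), ALICE, "read"))  # 'all' excludes anonymous: False
```

The order of checks in userdn_matches is the point: anyone is answered before the anonymous test, everything else fails closed for an anonymous bind, and parent compares against exactly one stripped RDN, so a bind as the suffix does not qualify as parent of a grandchild entry.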
Chapter 7, Designing a Secure Directory: Designing Access Control (page 137)
