Netscape Directory Server 6.02 Deployment Manual, page 141

Directory Server 6.02 provides a new feature that minimizes the number of
ACIs in the directory by using macros. Macros are placeholders that are used
to represent a DN, or a portion of a DN, in an ACI. You can use the macro to
represent a DN in the target portion of the ACI, or in the bind rule portion, or
both. For more information on macro ACIs, refer to "Managing Access
Control" in the Netscape Directory Server Administrator's Guide.
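The following script is an added illustration, not code from the manual or from Directory Server, of how a single macro ACI stands in for one ACI per subtree. It models the ($dn) substitution described above in a simplified form (($dn) in the target matches one or more RDNs, and the matched text is copied into the bind rule's groupdn); the DNs and the cn=DomainAdmins naming convention are constructed for the example, and the server's actual matcher is not reproduced.

```python
import re

# Constructed example (not from the manual): one macro ACI meant to let each
# domain's own cn=DomainAdmins group manage the groups of that domain only.
# ($dn) stands for the variable part of the DN, here the ou=<domain> RDN(s).
MACRO_TARGET = "ldap:///ou=Groups,($dn),dc=example,dc=com"
MACRO_GROUPDN = "ldap:///cn=DomainAdmins,ou=Groups,($dn),dc=example,dc=com"


def _strip_url(dn):
    return dn[len("ldap:///"):] if dn.lower().startswith("ldap:///") else dn


def match_target(target, entry_dn):
    """Return the text ($dn) stands for when entry_dn is at or below the macro
    target, or None when the entry lies outside it.

    Simplified model of the documented substitution, not the server's matcher:
    ($dn) matches one or more RDNs, the entry may sit any number of RDNs below
    the target, comparison is case-insensitive, and escaped commas inside RDN
    values are not handled."""
    head, sep, tail = _strip_url(target).partition("($dn)")
    if not sep:
        raise ValueError("target contains no ($dn) macro")
    pattern = (r"^(?:.+,)?" + re.escape(head)
               + r"(?P<dn>[^,]+(?:,[^,]+)*?)" + re.escape(tail) + r"$")
    m = re.match(pattern, _strip_url(entry_dn), re.IGNORECASE)
    return m.group("dn") if m else None


def required_groupdn(target, bindrule_groupdn, entry_dn):
    """The concrete groupdn a bind must satisfy to get this ACI's rights on
    entry_dn (the matched text replaces ($dn) in the bind rule), or None when
    the ACI does not apply to the entry at all."""
    matched = match_target(target, entry_dn)
    return None if matched is None else bindrule_groupdn.replace("($dn)", matched)


def equivalent_static_acis(target, bindrule_groupdn, entry_dns):
    """Without macros every distinct value of ($dn) needs its own ACI.  Return
    the (target, groupdn) pairs the single macro ACI stands in for, so the
    saving is visible for a given set of entries."""
    pairs = {}
    for dn in entry_dns:
        matched = match_target(target, dn)
        if matched is not None:
            pairs.setdefault(matched.lower(),
                             (target.replace("($dn)", matched),
                              bindrule_groupdn.replace("($dn)", matched)))
    return list(pairs.values())


# Constructed DNs: two domains, one of them with a nested sub-domain, plus a
# People entry that is outside the ou=Groups target altogether.
SAMPLE_DNS = [
    "cn=Managers,ou=Groups,ou=Engineering,dc=example,dc=com",
    "cn=Developers,ou=Groups,ou=Engineering,dc=example,dc=com",
    "ou=Groups,ou=Sales,dc=example,dc=com",
    "cn=Quota,ou=Groups,ou=Sales,ou=EMEA,dc=example,dc=com",
    "uid=jdoe,ou=People,ou=Engineering,dc=example,dc=com",
]

if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        print(dn, "->", required_groupdn(MACRO_TARGET, MACRO_GROUPDN, dn))
    print(len(equivalent_static_acis(MACRO_TARGET, MACRO_GROUPDN, SAMPLE_DNS)),
          "static ACIs replaced by the one macro ACI")
```

Note that the ACI applies to any entry below the matched subtree, so a group container nested one level deeper (ou=Sales,ou=EMEA above) yields its own expansion and therefore its own admin group; check that this is the delegation you intend before relying on the macro.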
Balance allow and deny permissions.
Although the default rule is to deny access to any user who has not been
specifically granted access, you can often reduce the number of ACIs by placing
one allow ACI close to the root of the tree and a small number of deny ACIs
close to the leaf entries, instead of multiple allow ACIs close to the leaves.
This works because a deny ACI takes precedence over any allow ACI that applies
to the same entry. Bear in mind that a broad allow near the root also covers
every subtree added under it later, so each new branch that needs tighter
control must receive its own deny ACI.
Identify the smallest set of attributes on any given ACI.
This means that if you are allowing or restricting access to a subset of attributes
on an object, determine whether the smallest list is the set of attributes that are
allowed or the set of attributes that are denied. Then express your ACI so that
you are managing the smallest list.
For example, a person entry (the inetOrgPerson object class and the classes it
inherits from) contains dozens of attributes. If you want to allow a user to
update just one or two of these attributes, then write your ACI so that it
allows write access for just those few attributes. If, however, you want to
allow a user to update all but one or two attributes, then create the ACI so
that it allows write access for everything but a few named attributes. In ACI
syntax the first case is a targetattr = list and the second a targetattr !=
list.
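An added example, not taken from the manual, that applies the two rules above to a constructed deployment: a model of ACI evaluation in which nothing is granted by default and a matching deny overrides any allow, plus a helper that writes a targetattr clause in whichever form (targetattr = or targetattr !=) names fewer attributes. The group names, DNs and attribute list are assumptions for the example; the Aci class is a reduced model with a single groupdn bind rule, not the server's ACI parser.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class Aci:
    """One ACI reduced to the parts these two rules care about.  Constructed
    model, not the server's parser: the bind rule is a single groupdn and is
    taken to be satisfied when the user belongs to that group."""
    name: str
    scope: str                  # DN of the entry holding the ACI; applies to its subtree
    allow: bool                 # True for allow, False for deny
    rights: FrozenSet[str]      # e.g. {"read", "search", "write"}
    groupdn: str
    targetattr: Optional[FrozenSet[str]] = None   # None means every attribute
    negated: bool = False       # True models (targetattr != "a || b")

    def covers(self, attr: str) -> bool:
        if self.targetattr is None:
            return True
        named = attr.lower() in {a.lower() for a in self.targetattr}
        return (not named) if self.negated else named


def in_subtree(entry_dn: str, scope_dn: str) -> bool:
    e, s = entry_dn.lower(), scope_dn.lower()
    return e == s or e.endswith("," + s)


def check_access(acis: Iterable[Aci], user_groups: Iterable[str],
                 entry_dn: str, attr: str, right: str) -> bool:
    """Decide access the way the page describes the server's rules: nothing is
    granted unless an allow ACI matches, and a matching deny overrides every
    allow, whatever the order of the ACIs."""
    groups = {g.lower() for g in user_groups}
    granted = False
    for aci in acis:
        applies = (right in aci.rights and in_subtree(entry_dn, aci.scope)
                   and aci.groupdn.lower() in groups and aci.covers(attr))
        if not applies:
            continue
        if not aci.allow:
            return False
        granted = True
    return granted


def targetattr_clause(attrs: List[str], negated: bool = False) -> str:
    """Render the targetattr keyword in ACI syntax."""
    return '(targetattr %s "%s")' % ("!=" if negated else "=", " || ".join(attrs))


def smallest_targetattr(all_attrs: List[str], allowed: List[str]) -> str:
    """Write the same attribute set whichever way names fewer attributes, as the
    page recommends: list the allowed ones, or negate the withheld ones."""
    withheld = [a for a in all_attrs if a not in allowed]
    if len(allowed) <= len(withheld):
        return targetattr_clause(allowed)
    return targetattr_clause(withheld, negated=True)


# Constructed deployment.  A person entry here carries this (partial
# inetOrgPerson) attribute list.
PERSON_ATTRS = ["cn", "sn", "givenName", "mail", "telephoneNumber", "mobile",
                "title", "departmentNumber", "manager", "uid", "userPassword"]
HR = "cn=HR Admins,ou=Groups,dc=example,dc=com"
HELPDESK = "cn=Helpdesk,ou=Groups,dc=example,dc=com"
PEOPLE = "ou=People,dc=example,dc=com"
EXECS = "ou=Executives," + PEOPLE

ACIS = [
    # One broad allow near the root: HR may write every person attribute except
    # the two that would let it take over an account (the short negated list).
    Aci("HR edits people", PEOPLE, True, frozenset({"write"}), HR,
        frozenset({"uid", "userPassword"}), negated=True),
    # A single deny close to the leaves instead of an allow on every other branch.
    Aci("HR hands off executives", EXECS, False, frozenset({"write"}), HR),
    # Helpdesk gets the short allowed list rather than a long negated one.
    Aci("Helpdesk phone numbers", PEOPLE, True, frozenset({"write"}), HELPDESK,
        frozenset({"telephoneNumber", "mobile"})),
]

if __name__ == "__main__":
    print(smallest_targetattr(PERSON_ATTRS, ["telephoneNumber", "mobile"]))
    print(check_access(ACIS, [HR], "uid=jdoe," + PEOPLE, "mail", "write"))
    print(check_access(ACIS, [HR], "uid=ceo," + EXECS, "mail", "write"))
```

The deny on ou=Executives is written for the HR group only; the Helpdesk allow still reaches executive entries, which is the kind of consequence to check for every deny you add near the leaves.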
Use LDAP search filters cautiously.
Because search filters do not directly name the object that you are managing
access for, their use can result in unexpected surprises, especially as your
directory becomes more complex. A filter selects entries by their attribute
values, not by where they sit in the tree, so an entry anywhere under the
target that happens to carry a matching value receives the access, and an entry
you meant to include is missed if the attribute was never populated. If you are
using search filters in ACIs, run an ldapsearch operation using the same filter
to make sure you know which entries it selects and therefore what the change
means to your directory.
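The following added example (not part of the manual) shows the kind of surprise this rule warns about. It parses a subset of LDAP search filter syntax and evaluates it against a few constructed entries, which is the offline equivalent of the ldapsearch check recommended above; the entries, attribute values and filters are invented for the illustration, and the parser covers only the operators noted in its docstring.

```python
import re


def parse_filter(text):
    """Parse an RFC 4515 search filter into a nested tuple.  Supports the &, |
    and ! operators and equality, presence (attr=*) and substring (a*b) items;
    >=, <=, ~= and backslash-escaped values are rejected rather than silently
    mis-parsed."""
    node, rest = _parse(text.strip())
    if rest:
        raise ValueError("unexpected trailing text: %r" % rest)
    return node


def _parse(s):
    if len(s) < 3 or not s.startswith("("):
        raise ValueError("expected '(' at %r" % s[:12])
    op = s[1]
    if op in "&|":
        s, kids = s[2:], []
        while s.startswith("("):
            kid, s = _parse(s)
            kids.append(kid)
        if not kids or not s.startswith(")"):
            raise ValueError("malformed %s filter" % op)
        return (op, tuple(kids)), s[1:]
    if op == "!":
        kid, s = _parse(s[2:])
        if not s.startswith(")"):
            raise ValueError("malformed ! filter")
        return ("!", kid), s[1:]
    end = s.find(")")
    if end < 0:
        raise ValueError("unterminated filter item")
    attr, eq, value = s[1:end].partition("=")
    if not eq or not attr or attr[-1] in "<>~" or "\\" in value:
        raise ValueError("unsupported filter item: %r" % s[:end + 1])
    return ("=", attr.strip().lower(), value), s[end + 1:]


def _value_matches(pattern, values):
    if "*" in pattern:  # presence or substring: build a regex from the wildcard
        rx = ".*".join(re.escape(p) for p in pattern.split("*"))
        return any(re.fullmatch(rx, v, re.IGNORECASE) for v in values)
    return any(v.lower() == pattern.lower() for v in values)


def matches(entry, node):
    """Evaluate a parsed filter against one entry (lower-cased attribute name
    -> list of values); string comparison is case-insensitive, as for LDAP
    directoryString attributes."""
    kind = node[0]
    if kind == "&":
        return all(matches(entry, k) for k in node[1])
    if kind == "|":
        return any(matches(entry, k) for k in node[1])
    if kind == "!":
        return not matches(entry, node[1])
    _, attr, value = node
    return _value_matches(value, entry.get(attr, []))


def _entry(dn, **attrs):
    """Build a constructed entry with attribute names normalised to lower case."""
    e = {k.lower(): list(v) if isinstance(v, (list, tuple)) else [v]
         for k, v in attrs.items()}
    e["dn"] = [dn]
    return e


# Constructed entries; the two surprises are commented.
SAMPLE_ENTRIES = [
    _entry("uid=alice,ou=Engineering,ou=People,dc=example,dc=com",
           ou="Engineering", employeeType="employee"),
    # Lives under ou=Engineering, but nobody populated the ou attribute.
    _entry("uid=bob,ou=Engineering,ou=People,dc=example,dc=com",
           employeeType="employee"),
    # Placed under ou=Contractors, but tagged with ou: Engineering.
    _entry("uid=carol,ou=Contractors,ou=People,dc=example,dc=com",
           ou="Engineering", employeeType="contractor"),
    _entry("uid=dave,ou=Sales,ou=People,dc=example,dc=com",
           ou="Sales", employeeType="employee"),
]


def preview_targetfilter(entries, filter_text):
    """Return, sorted, the DNs an ACI targetfilter would select.  Offline
    equivalent of:  ldapsearch -b dc=example,dc=com "(ou=Engineering)" dn"""
    node = parse_filter(filter_text)
    return sorted(e["dn"][0] for e in entries if matches(e, node))


if __name__ == "__main__":
    for f in ["(ou=Engineering)",
              "(&(ou=Engineering)(!(employeeType=contractor)))"]:
        print(f, "->", preview_targetfilter(SAMPLE_ENTRIES, f))
```

An ACI whose targetfilter is (ou=Engineering) would grant the contractor carol the access and leave the engineer bob out; the filter behaves exactly as written, it is the data that differs from the tree layout the author had in mind.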
Do not duplicate ACIs in differing parts of your directory tree.
Watch out for overlapping ACIs. For example, if you have an ACI at your
directory root point that allows a group write access to the commonName and
givenName attributes and another ACI that allows the same group write access
for just the commonName attribute, then consider reworking your ACIs so that
only one control grants the write access for the group. Overlapping grants are
harmless until one of them is removed or tightened: the other keeps granting
the access, so the change does not take effect as intended.
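An added example, not from the manual, that finds the overlap just described in a list of allow ACIs: a constructed model of each ACI (scope, groupdn, rights, attributes) and a check that reports any narrower ACI whose grant is already covered by one above it for the same group. The group names and DNs are assumptions for the illustration.

```python
from collections import namedtuple

# Constructed model of an allow ACI: where it sits, whose bind rule it names,
# what rights it grants and on which attributes (None = every attribute).
Grant = namedtuple("Grant", "name scope groupdn rights attrs")


def in_subtree(entry_dn, scope_dn):
    e, s = entry_dn.lower(), scope_dn.lower()
    return e == s or e.endswith("," + s)


def _attr_overlap(a, b):
    """Attributes both grants cover; None stands for 'every attribute'."""
    if a is None and b is None:
        return None
    if a is None:
        return frozenset(x.lower() for x in b)
    if b is None:
        return frozenset(x.lower() for x in a)
    return frozenset(x.lower() for x in a) & frozenset(x.lower() for x in b)


def find_overlapping_grants(grants):
    """Report every pair of allow ACIs where a narrower-scoped ACI grants a
    group a right on an attribute that an ACI at or above it already grants,
    which is the duplication the page warns about.  Deny ACIs are out of scope
    here: a deny that overlaps an allow is a precedence question, not a
    duplicate."""
    findings = []
    for i, x in enumerate(grants):
        for y in grants[i + 1:]:
            if x.groupdn.lower() != y.groupdn.lower():
                continue
            if in_subtree(y.scope, x.scope):
                broad, narrow = x, y
            elif in_subtree(x.scope, y.scope):
                broad, narrow = y, x
            else:
                continue
            rights = (frozenset(r.lower() for r in x.rights)
                      & frozenset(r.lower() for r in y.rights))
            attrs = _attr_overlap(x.attrs, y.attrs)
            if rights and (attrs is None or attrs):
                findings.append({"broad": broad.name, "narrow": narrow.name,
                                 "groupdn": broad.groupdn,
                                 "rights": rights, "attrs": attrs})
    return findings


# Constructed ACI set reproducing the page's example plus two non-duplicates.
EDITORS = "cn=Directory Editors,ou=Groups,dc=example,dc=com"
HELPDESK = "cn=Helpdesk,ou=Groups,dc=example,dc=com"
GRANTS = [
    Grant("root: editors write names", "dc=example,dc=com", EDITORS,
          {"write"}, {"commonName", "givenName"}),
    # The redundant one: commonName write for the same group is already
    # granted by the root ACI.
    Grant("people: editors write cn", "ou=People,dc=example,dc=com", EDITORS,
          {"write"}, {"commonName"}),
    # Different group: not a duplicate even though the attribute overlaps.
    Grant("people: helpdesk write cn", "ou=People,dc=example,dc=com", HELPDESK,
          {"write"}, {"commonName"}),
    # Same group, disjoint rights: not a duplicate.
    Grant("people: editors read all", "ou=People,dc=example,dc=com", EDITORS,
          {"read", "search"}, None),
]

if __name__ == "__main__":
    for f in find_overlapping_grants(GRANTS):
        print("%(narrow)s duplicates %(broad)s for %(groupdn)s: "
              "%(rights)s on %(attrs)s" % f)
```

Attribute names are compared literally after lower-casing, so an ACI written with cn and one written with commonName (an alias of the same attribute) would not be reported as overlapping; normalise names to one spelling before running the check, and extend the model if your ACIs use userdn, roledn or filters rather than a single groupdn.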
Chapter 7 Designing a Secure Directory, Designing Access Control, page 141
