Table of Contents
Advertisement
Creating ACIs Manually
Targeting a Single Directory Entry
Targeting a single directory entry is not straightforward because it goes against the
design philosophy of the access control mechanism. However, it can be done:
•
By creating a bind rule that matches user input in the bind request with an
attribute value stored in the targeted entry. For more details, see "Defining
Access Based on Value Matching," on page 213.
•
By using the
You can use the
the entry you want to target, and not in any of the entries below your target. For
example, if you want to target
any organizational units (
that contains:
targetattr=ou
A safer method is to use the
attribute value that appears in the entry alone. For example, during the installation
of the Directory Server, the following ACI is created:
aci: (targetattr="*")(targetfilter=(o=NetscapeRoot))(version 3.0;
acl "Default anonymous access"; allow (read, search)
userdn="ldap:///anyone";)
This ACI can apply only to the
The risk associated with these methods is that your directory tree might change in
the future, and you would have to remember to modify this ACI.
Defining Permissions
Permissions specify the type of access you are allowing or denying. You can either
allow or deny permission to perform specific operations in the directory. The
various operations that can be assigned are known as rights.
There are two parts to setting permissions:
•
Allowing or denying access
•
Assigning rights
202
Netscape Directory Server Administrator's Guide • May 2002
and
targetattr
targetfilter
keyword to specify an attribute that is only present in
targetattr
ou=people,dc=example,dc=com
) defined below that node you could specify an ACI
ou
targetfilter
o=NetscapeRoot
keywords
, and there aren't
keyword and to explicitly specify an
entry.
Advertisement
Table of Contents
