Denying Access - Netscape DIRECTORY SERVER 6.02 - ADMINISTRATOR Administrator's Manual

On the Times tab, select the block time corresponding to Monday through
7.
Thursday, and 8 am to 6 pm.
A message appears below the table that specifies what time block you have
selected.
To enforce SSL authentication from HostedCompany1 administrators, switch
8.
to manual editing by clicking the Edit Manually button. Add the following to
the end of the LDIF statement:
and (authmethod="ssl")
The LDIF statement should be similar to:
aci: (targetattr = "*")
(target="ou=HostedCompany1,ou=corporate-clients,dc=example,dc=co
m") (version 3.0; acl "HostedCompany1"; allow (all) (roledn=
"ldap:///cn=DirectoryAdmin,ou=HostedCompany1,ou=corporate-client
s, dc=example,dc=com") and (dayofweek="Mon,Tues,Wed,Thu") and
(timeofday >= "0800" and timeofday <= "1800") and
(ip="255.255.123.234") and (authmethod="ssl"); )
Click OK.
9.
The new ACI is added to the ones listed in the Access Control Manager
window.

Denying Access

If your directory holds business-critical information, you might specifically want to
deny access to it.
For example,
example.com
information such as connection time or account balance under their own entries,
but explicitly wants to deny write access to that information. This is illustrated in
ACI "Billing Info Read" and ACI "Billing Info Deny" respectively.
ACI "Billing Info Read"
In LDIF, to grant subscribers permission to read billing information in their own
entry, you would write the following statement:
aci: (targetattr="connectionTime || accountBalance") (version 3.0;
acl "Billing Info Read"; allow (search,read) userdn=
"ldap:///self";)
This example assumes that the relevant attributes have been created in the schema,
and that the ACI is added to the
wants all subscribers to be able to read billing
ou=subscribers,dc=example,dc=com
Access Control Usage Examples
Chapter 6 Managing Access Control
entry.
243