Proxied Authorization Aci Example - Netscape DIRECTORY SERVER 6.02 - ADMINISTRATOR Administrator's Manual


Access Control Usage Examples
dn: dc=example.com Bolivia\, S.A.,dc=com
objectClass: top
objectClass: organization
aci: (target="ldap:///dc=example.com Bolivia\,
S.A.,dc=com")(targetattr=*) (version 3.0; acl "aci 2"; allow (all)
groupdn = "ldap:///cn=Directory Administrators,dc=example.com
Bolivia\, S.A.,dc=com";)

Proxied Authorization ACI Example

For this example, suppose:

• The client application's bind DN is
  "uid=MoneyWizAcctSoftware,ou=Applications,dc=example,dc=com".
• The targeted subtree to which the client application is requesting access is
  ou=Accounting,dc=example,dc=com.
• An Accounting Administrator with access permissions to the
  ou=Accounting,dc=example,dc=com subtree exists in the directory.

In order for the client application to gain access to the Accounting subtree (using
the same access permissions as the Accounting Administrator):

• The Accounting Administrator must have access permissions to the
  ou=Accounting,dc=example,dc=com subtree. For example, the following ACI
  grants all rights to the Accounting Administrator entry:

aci: (target="ldap:///ou=Accounting,dc=example,dc=com")
(targetattr="*") (version 3.0; acl "allowAll-AcctAdmin"; allow (all)
userdn="ldap:///uid=AcctAdministrator,ou=Administrators,dc=example,dc=com";)

• The following ACI granting proxy rights to the client application must exist in
  the directory:

aci: (target="ldap:///ou=Accounting,dc=example,dc=com")
(targetattr="*") (version 3.0; acl "allowproxy-accountingsoftware";
allow (proxy)
userdn="ldap:///uid=MoneyWizAcctSoftware,ou=Applications,dc=example,dc=com";)

With this ACI in place, the MoneyWizAcctSoftware client application can bind to
the directory and send an LDAP command such as ldapsearch or ldapmodify
that requires the access rights of the proxy DN.

Netscape Directory Server Administrator's Guide • May 2002
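The two-ACI requirement described above, as a small Python model of the access decision (an added example, not code from the manual or from the server). The entry uid=jdoe, the function names, and the simplified model itself (allow rules only, a subset of ACI syntax, "all" treated as every right except proxy) are assumptions made for illustration.

```python
import re

APP = "uid=MoneyWizAcctSoftware,ou=Applications,dc=example,dc=com"
ADMIN = "uid=AcctAdministrator,ou=Administrators,dc=example,dc=com"
ENTRY = "uid=jdoe,ou=Accounting,dc=example,dc=com"  # constructed sample entry
SUBTREE = "ou=Accounting,dc=example,dc=com"

# The two ACIs from the example above, each written on one line.
ACIS = [
    f'(target="ldap:///{SUBTREE}")(targetattr="*")(version 3.0; '
    f'acl "allowAll-AcctAdmin"; allow (all) userdn="ldap:///{ADMIN}";)',
    f'(target="ldap:///{SUBTREE}")(targetattr="*")(version 3.0; '
    f'acl "allowproxy-accountingsoftware"; allow (proxy) userdn="ldap:///{APP}";)',
]

# Subset of ACI syntax only: one target, one allow clause, one userdn rule.
ACI_RE = re.compile(
    r'\(target\s*=\s*"ldap:///(?P<target>[^"]*)"\)\s*\(targetattr\s*=\s*"[^"]*"\)\s*'
    r'\(version 3\.0;\s*acl\s+"(?P<name>[^"]*)";\s*allow\s*\((?P<rights>[^)]*)\)\s*'
    r'userdn\s*=\s*"ldap:///(?P<user>[^"]*)"\s*;\s*\)')

def norm(dn):
    """Normalise a DN for comparison: lowercase, no spaces around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def parse(aci):
    m = ACI_RE.fullmatch(aci.strip())
    if not m:
        raise ValueError("ACI is outside the subset this example handles")
    rights = {r.strip().lower() for r in m["rights"].split(",")}
    return {"target": norm(m["target"]), "user": norm(m["user"]), "rights": rights}

def has_right(acis, who, entry, right):
    """True if an ACI whose target covers `entry` allows `right` to `who`."""
    who, entry = norm(who), norm(entry)
    for a in map(parse, acis):
        in_scope = entry == a["target"] or entry.endswith("," + a["target"])
        # Model assumption: "all" covers every right except proxy.
        granted = right in a["rights"] or ("all" in a["rights"] and right != "proxy")
        if in_scope and a["user"] == who and granted:
            return True
    return False  # no matching allow rule means the request is denied

def authorize(acis, bind_dn, entry, right, proxy_dn=None):
    """Without a proxy DN the bind DN's own rights decide. With one, the bind DN
    needs the proxy right on the entry and the proxy DN needs `right` itself."""
    if proxy_dn is None:
        return has_right(acis, bind_dn, entry, right)
    return (has_right(acis, bind_dn, entry, "proxy")
            and has_right(acis, proxy_dn, entry, right))
```

Calling authorize(ACIS, APP, ENTRY, "search") is denied, while the same call with proxy_dn=ADMIN is allowed; removing the administrator's ACI makes the proxied request fail as well.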
