Access Control And Replication; Logging Access Control Information - Netscape DIRECTORY SERVER 6.02 - ADMINISTRATOR Administrator's Manual

Access Control and Replication

In order to evaluate the
stored in the targeted entry, and uses the value of this attribute to expand the
macro. Therefore, in the example, the
roledn = "ldap:///cn=DomainAdmins,ou=Engineering,dc=HostedCompany1,
dc=example,dc=com"
The Directory Server then evaluates the ACI according to the normal ACI
evaluation algorithm.
When an attribute is multi-valued, each value is used to expand the macro, and the
first one that provides a successful match is used.
Consider this example:
dn: cn=Jane Doe,ou=People,dc=HostedCompany1,dc=example,dc=com
cn: Jane Doe
sn: Doe
ou: Engineering, dc=HostedCompany1, dc=example,dc=com
ou: People, dc=HostedCompany1,dc=example,dc=com
...
In this case, when the Directory Server evaluates the ACI it performs a logical OR
on the following expanded expressions:
roledn = "ldap:///cn=DomainAdmins,ou=Engineering,dc=HostedCompany1,
dc=example,dc=com"
roledn = "ldap:///cn=DomainAdmins,ou=People,dc=HostedCompany1,
dc=example,dc=com"
Access Control and Replication
ACIs are stored as attributes of entries, therefore, if an entry containing ACIs is part
of a replicated database, the ACIs are replicated like any other attribute.
ACIs are always evaluated on the Directory Server that services the incoming
LDAP requests. This means that when a consumer server receives an update
request, it will return a referral to the master server before evaluating whether the
request can be serviced or not on the master.

Logging Access Control Information

To obtain information on access control in the error logs, you must set the
appropriate log level.
256 Netscape Directory Server Administrator's Guide • May 2002
part of the ACI, the server looks at the
roledn
roledn
is expanded as follows:
attribute
ou