Designing Access Control
• Parent—If the bind DN is the immediate parent of the entry being accessed, the bind rule is true. This lets you grant specific permissions that, for example, allow a directory branch point to manage its immediate child entries.
• Self—If the bind DN is the same as the entry being accessed, the bind rule is true. For example, you can grant a permission that allows individuals to update their own entries.
• All—The bind rule is true for anyone who has successfully bound to the directory, that is, for any authenticated (non-anonymous) bind.
• Anyone—The bind rule is true for everyone, including unauthenticated (anonymous) connections. This is the keyword that allows or denies anonymous access.
Setting Permissions
By default, all users are denied access rights of any kind. The only exception is the Directory Manager, whose operations are not subject to access control. For this reason, you must set some ACIs for your directory if you want your users to be able to access it at all.
The following sections describe the access control mechanism provided by your
Directory Server. For information about how to set ACIs in your directory, see the
Netscape Directory Server Administrator's Guide.
The Precedence Rule
When a user attempts any kind of access to a directory entry, Directory Server
examines the access control set in the directory. To determine access, Directory
Server applies the Precedence Rule. The rule states that when two conflicting
permissions exist, the permission that denies access always takes precedence over
the permission that grants access.
For example, if you deny write permission at the directory's root level, and you
make that permission applicable to everyone accessing the directory, then no user
can write to the directory regardless of any other permissions that you may allow.
To allow a specific user write permissions to the directory, you have to restrict the
scope of the original deny-for-write so that it does not include that user. Then you
have to create an additional allow-for-write permission for the user in question.
Allowing or Denying Access
You can explicitly allow or deny access to your directory tree. Be careful when explicitly denying access. Because of the precedence rule, if the directory finds a rule that explicitly forbids access, it forbids that access regardless of any conflicting permissions that would grant it.
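The following evaluator, added here as an illustration and not taken from the Deployment Guide or the server's own code, models the behaviour described above: the four bind-rule keywords, the default of deny, the Directory Manager exception, and the precedence rule under which a matching deny always beats a matching allow. It handles only the subset of ACI syntax used in the text (a `version 3.0` ACI with one `allow`/`deny` clause and one `userdn` bind rule); the entry DNs, ACI names, and the assumption that the Directory Manager's DN is `cn=Directory Manager` are constructed for the example.

```python
"""Simplified Netscape/389-style ACI evaluator (added example).

Models the bind-rule keywords parent/self/all/anyone, default deny, the
Directory Manager exception, and the precedence rule (deny wins over allow).
Only the ACI subset used in the guide's text is parsed; the server's real
grammar is much larger.
"""
import re
from typing import Optional

ROOT = "dc=example,dc=com"                    # constructed sample suffix
DIRECTORY_MANAGER = "cn=directory manager"    # assumed root DN; bypasses ACIs

# (version 3.0; acl "name"; allow|deny (rights) userdn[!]="ldap:///who";)
ACI_RE = re.compile(
    r'\(version 3\.0;\s*acl\s+"(?P<name>[^"]*)";\s*'
    r'(?P<perm>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'userdn\s*(?P<op>!?=)\s*"ldap:///(?P<who>[^"]*)"\s*;\s*\)'
)


def norm(dn: Optional[str]) -> Optional[str]:
    """Lower-case a DN and drop spaces after the separating commas."""
    return None if dn is None else ",".join(p.strip() for p in dn.lower().split(","))


def parent_of(dn: str) -> Optional[str]:
    """Immediate parent of a DN (None for the suffix). Escaped commas not handled."""
    return dn.split(",", 1)[1] if "," in dn else None


def parse_aci(scope: str, aci: str) -> dict:
    """Parse one ACI attached to entry `scope` (it covers that subtree)."""
    m = ACI_RE.fullmatch(aci.strip())
    if not m:
        raise ValueError(f"unsupported ACI syntax: {aci}")
    return {"scope": norm(scope), "name": m["name"], "perm": m["perm"],
            "rights": {r.strip() for r in m["rights"].split(",")},
            "negate": m["op"] == "!=", "who": norm(m["who"])}


def bind_rule_matches(rule: dict, bind_dn: Optional[str], target_dn: str) -> bool:
    """Evaluate the userdn bind rule; bind_dn is None for an anonymous bind."""
    who = rule["who"]
    if who == "anyone":
        hit = True                               # anonymous included
    elif who == "all":
        hit = bind_dn is not None                # any authenticated bind
    elif who == "self":
        hit = bind_dn == target_dn
    elif who == "parent":
        hit = bind_dn == parent_of(target_dn)
    else:
        hit = bind_dn == who                     # an explicit DN
    return not hit if rule["negate"] else hit


def in_scope(rule: dict, target_dn: str) -> bool:
    return target_dn == rule["scope"] or target_dn.endswith("," + rule["scope"])


def check_access(acis: list, bind_dn: Optional[str], target_dn: str, right: str) -> bool:
    """True if bind_dn may exercise `right` on target_dn under these ACIs."""
    bind_dn, target_dn = norm(bind_dn), norm(target_dn)
    if bind_dn == DIRECTORY_MANAGER:             # not subject to access control
        return True
    applicable = [a for a in acis
                  if in_scope(a, target_dn) and right in a["rights"]
                  and bind_rule_matches(a, bind_dn, target_dn)]
    if any(a["perm"] == "deny" for a in applicable):
        return False                             # precedence rule: deny wins
    return any(a["perm"] == "allow" for a in applicable)   # default deny


# Constructed sample entries.
PEOPLE = "ou=People,dc=example,dc=com"
BJENSEN = "uid=bjensen,ou=People,dc=example,dc=com"
KVAUGHAN = "uid=kvaughan,ou=People,dc=example,dc=com"


def broken_policy() -> list:
    """Deny write for anyone at the root plus an allow for bjensen: deny wins."""
    return [
        parse_aci(ROOT, '(version 3.0; acl "no writes"; deny (write) userdn="ldap:///anyone";)'),
        parse_aci(ROOT, f'(version 3.0; acl "bjensen writes"; allow (write) userdn="ldap:///{BJENSEN}";)'),
    ]


def fixed_policy() -> list:
    """Same intent, with the deny's scope narrowed so it no longer covers bjensen."""
    return [
        parse_aci(ROOT, f'(version 3.0; acl "no writes"; deny (write) userdn!="ldap:///{BJENSEN}";)'),
        parse_aci(ROOT, f'(version 3.0; acl "bjensen writes"; allow (write) userdn="ldap:///{BJENSEN}";)'),
    ]


def keyword_policy() -> list:
    """all / self / parent in the roles the guide describes."""
    return [
        parse_aci(ROOT, '(version 3.0; acl "authenticated read"; allow (read,search) userdn="ldap:///all";)'),
        parse_aci(PEOPLE, '(version 3.0; acl "edit own entry"; allow (write) userdn="ldap:///self";)'),
        parse_aci(PEOPLE, '(version 3.0; acl "branch manages children"; allow (write,delete) userdn="ldap:///parent";)'),
    ]


if __name__ == "__main__":
    print("broken: bjensen writes kvaughan ->", check_access(broken_policy(), BJENSEN, KVAUGHAN, "write"))
    print("fixed:  bjensen writes kvaughan ->", check_access(fixed_policy(), BJENSEN, KVAUGHAN, "write"))
    print("fixed:  anonymous writes bjensen ->", check_access(fixed_policy(), None, BJENSEN, "write"))
```

With `broken_policy()` the root-level `deny (write) ... anyone` matches bjensen, so the allow is ignored, which is exactly the failure the precedence rule causes; `fixed_policy()` restricts the deny with `userdn != ...` so bjensen is outside its scope, and only then does the allow take effect. Note that the negated deny still matches an anonymous bind, so anonymous writes stay denied.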
Netscape Directory Server Deployment Guide • August 2002