Where To Place Access Control Rules; Using Filtered Access Control Rules - Netscape DIRECTORY SERVER 6.1 - DEPLOYMENT Deployment Manual

Designing Access Control
If you are allowing a person or group of people to manage some part of the
directory tree, but you want to make sure that they do not modify some aspect
of the tree, use an explicit deny. For example, if you want to make sure the Mail
Administrators do not allow write access to the common name attribute, then
set an ACI that explicitly denies write access to the common name attribute.
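The explicit-deny pattern described above, written out in the Directory Server ACI syntax as an added illustration (this LDIF is not from the Deployment Guide; the suffix dc=example,dc=com and the Mail Administrators group DN are assumed placeholders):

```ldif
# Added example, not from the Deployment Guide.
# Assumed: suffix dc=example,dc=com, group cn=Mail Administrators,ou=Groups,...
# Both ACIs are placed on the branch point ou=People so they cover every
# child entry. The broad allow lets the group manage user entries; the
# explicit deny on cn wins over it, because a deny always takes precedence
# over an allow in the ACI model.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Mail admins manage People";
  allow (write) groupdn="ldap:///cn=Mail Administrators,ou=Groups,dc=example,dc=com";)
aci: (targetattr="cn")(version 3.0; acl "Mail admins cannot change cn";
  deny (write) groupdn="ldap:///cn=Mail Administrators,ou=Groups,dc=example,dc=com";)
```

Apply it with ldapmodify as the Directory Manager. To check the result, bind as a member of the group and attempt a modify of cn on a user entry; the server should return insufficient access while a modify of another attribute succeeds.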

Where to Place Access Control Rules

Access control rules can be placed on any entry in the directory. Often administrators place access control rules on entries of type country, organization, organizationalUnit, inetOrgPerson, or group.

To simplify your ACL administration, group your rules as much as possible. Since a rule generally applies to its target entry and to all that entry's children, it is best to place access control rules on root points in the directory or on directory branch points, rather than scatter them across individual leaf (such as person) entries.

Using Filtered Access Control Rules

One of the more powerful features of the Directory Server ACI model is the ability to use LDAP search filters to set access control. LDAP search filters allow you to set access to any directory entry that matches a defined set of criteria. For example, you could allow read access for any entry that contains an organizationalUnit attribute that is set to Marketing.

Filtered access control rules let you use predefined levels of access. For example, suppose your directory contains home address and telephone number information. Some people want to publish this information, while others want to be "unlisted." You can handle this situation by doing the following:

1. Create an attribute on every user's directory entry called publishHomeContactInfo.

2. Set an access control rule that grants read access to the homePhone and homePostalAddress attributes only for entries whose publishHomeContactInfo attribute is set to TRUE (meaning enabled). Use an LDAP search filter to express the target for this rule.

3. Allow your directory users to change the value of their own publishHomeContactInfo attribute to either TRUE or FALSE. In this way, the directory user can decide whether this information is publicly available.

For more information about using LDAP search filters, and on using LDAP search filters with ACIs, see the Netscape Directory Server Administrator's Guide.

152
Netscape Directory Server Deployment Guide • August 2002
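The unlisted/published scenario from the section above, as an added example in ACI syntax (not from the Deployment Guide). The attribute names homePhone, homePostalAddress and publishHomeContactInfo come from the text; the suffix dc=example,dc=com and the ACI names are assumed:

```ldif
# Added example, not from the Deployment Guide.
# Assumed: suffix dc=example,dc=com; publishHomeContactInfo has already been
# added to the schema as a Boolean attribute on the user object class.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
# Rule 2 from the text: targetfilter restricts the rule to entries whose
# flag is TRUE. Entries with FALSE, or with no value at all, do not match,
# so their home contact attributes stay hidden (unlisted is the default).
aci: (targetattr="homePhone || homePostalAddress")
  (targetfilter="(publishHomeContactInfo=TRUE)")
  (version 3.0; acl "Publish home contact info on request";
  allow (read, search, compare) userdn="ldap:///anyone";)
# Rule 3 from the text: ldap:///self lets each user change only the flag
# on their own entry, and only that single attribute.
aci: (targetattr="publishHomeContactInfo")
  (version 3.0; acl "Users set own publish flag";
  allow (write) userdn="ldap:///self";)
```

The Marketing example in the same section has the same shape: keep the targetattr and replace the targetfilter with the filter that selects the entries in question, for instance (ou=Marketing) on the ou attribute. Because the filter is evaluated against the entry being accessed rather than the requester, test both cases after applying the rule: an anonymous search should return homePhone for an entry flagged TRUE and omit it for an entry flagged FALSE or unflagged.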