Netscape Directory Server 6.1 Deployment Guide

Using ACIs: Some Hints and Tricks

The following are some ideas that you should keep in mind when you implement
your security policy. They can help to lower the administrative burden of
managing your directory security model and improve your directory's
performance characteristics.
Some of the following hints have already been described earlier in this chapter.
They are included here to provide you with a complete list.
Minimize the number of ACIs in your directory.
Although Directory Server can evaluate over 50,000 ACIs, a large number of ACI
statements is difficult to manage, and it becomes hard to determine at a glance
which directory objects a particular client can access.
Directory Server 6.1 provides a new feature that reduces the number of ACIs in
the directory by using macros. A macro is a placeholder that stands for a DN, or
a portion of a DN, in an ACI. You can use a macro to represent a DN in the target
portion of the ACI, in the bind rule portion, or in both. For more information on
macro ACIs, refer to "Managing Access Control" in the Netscape Directory Server
Administrator's Guide.
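As an added illustration (not taken from the manual), the following LDIF shows the kind of per-subtree ACI a hosting directory ends up repeating, and the single macro ACI that replaces all of them. The tree is assumed for the example: dc=example,dc=com holds one dc=hostedCompanyN subtree per customer, each with an ou=Groups container and a cn=DomainAdmins group that should manage only its own customer's groups.

```ldif
# Constructed example tree: dc=example,dc=com holds one subtree per customer,
# dc=hostedCompany1, dc=hostedCompany2, ... Each has ou=Groups containing a
# cn=DomainAdmins group that should manage only its own customer's groups.

# Without macros: one ACI per customer, each a copy of the last with the
# customer DN changed. Two of N shown; every new customer adds another.
dn: dc=hostedCompany1,dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///ou=Groups,dc=hostedCompany1,dc=example,dc=com")
 (targetattr="*")(version 3.0; acl "hostedCompany1 group admins";
  allow (read,search,write) groupdn="ldap:///cn=DomainAdmins,ou=Groups,
 dc=hostedCompany1,dc=example,dc=com";)

dn: dc=hostedCompany2,dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///ou=Groups,dc=hostedCompany2,dc=example,dc=com")
 (targetattr="*")(version 3.0; acl "hostedCompany2 group admins";
  allow (read,search,write) groupdn="ldap:///cn=DomainAdmins,ou=Groups,
 dc=hostedCompany2,dc=example,dc=com";)

# With a macro ACI: one ACI on the common ancestor. ($dn) in the target
# matches whatever sits between ou=Groups and dc=example,dc=com in the
# requested entry (here the customer RDN, e.g. dc=hostedCompany1). [$dn] in
# the bind rule is replaced by the matched value, so each DomainAdmins group
# is checked only against its own customer's ou=Groups subtree. Adding a
# customer needs no new ACI.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///ou=Groups,($dn),dc=example,dc=com")
 (targetattr="*")(version 3.0; acl "Per-customer group admins (macro)";
  allow (read,search,write) groupdn="ldap:///cn=DomainAdmins,ou=Groups,
 [$dn],dc=example,dc=com";)
```

Load either form with ldapmodify bound as the Directory Manager; the server checks the aci value's syntax when it is added, which is the cheapest place to catch a typo. If ($dn) matches more than one RDN (for example ou=Engineering,dc=hostedCompany1), the server evaluates the bind rule with [$dn] replaced by the full match first and then by each shorter right-hand portion of it, so one macro ACI can cover groups nested several levels below the customer entry.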
Balance allow and deny permissions.
Although the default rule is to deny access to any user who has not been
specifically granted it, you can often reduce the number of ACIs by placing one
ACI that allows access close to the root of the tree and a small number of deny
ACIs close to the leaf entries that are the exceptions. Because a deny that
applies to an operation takes precedence over any allow, this arrangement avoids
writing multiple allow ACIs close to the leaf entries.
Identify the smallest set of attributes on any given ACI.
If you are allowing or restricting access to a subset of the attributes on an
object, determine whether the shorter list is the set of attributes that are
allowed or the set that are denied, then express your ACI in terms of the
shorter list.
For example, an entry of the inetOrgPerson object class used for people entries
has dozens of attributes. If you want to allow a user to update just one or two
of them, write the ACI so that it grants write access to just those few
attributes. If, however, you want to allow the user to update all but one or two
attributes, write the ACI so that it grants write access to everything except a
few named attributes. In the second form, remember that every attribute you do
not name becomes writable, including attributes added to the schema later, so
the exception list must contain every attribute that must stay protected.
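The two hints above in ACI form, as an added example that is not from the manual. The suffix dc=example,dc=com, the cn=HelpDesk group, the ou=Executives subtree and the attribute names are assumed for the illustration.

```ldif
# Balance allow and deny: one broad allow on the suffix instead of one allow
# per subtree, then a deny on the single subtree that is the exception. A
# deny that applies to an operation wins over every allow, so the help desk
# can read all of ou=People except ou=Executives.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Help desk reads the directory";
  allow (read,search,compare)
  groupdn="ldap:///cn=HelpDesk,ou=Groups,dc=example,dc=com";)

dn: ou=Executives,ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Executive entries hidden from help desk";
  deny (read,search,compare)
  groupdn="ldap:///cn=HelpDesk,ou=Groups,dc=example,dc=com";)

# Smallest attribute list, case 1: users may change only two attributes of
# their own entry (userdn="ldap:///self"), so name the two that are allowed.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="telephoneNumber || mobile")(version 3.0;
  acl "Self-service phone numbers"; allow (write) userdn="ldap:///self";)

# Smallest attribute list, case 2 (an alternative to case 1, not to be
# applied together with it): users may change everything except a few
# attributes, so name the exceptions with "!=". Every attribute NOT listed is
# writable, including attributes added to the schema later, so the list must
# hold everything that must stay protected. aci is listed so that users cannot
# rewrite the access control on their own entry.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr != "uid || manager || employeeNumber || aci")(version 3.0;
  acl "Self-service profile update"; allow (write) userdn="ldap:///self";)
```

After loading, verify the deny from the client side: an ldapsearch bound as a cn=HelpDesk member with a base under ou=Executives should return no entries, while the same search under the rest of ou=People succeeds. Check the "!=" form the same way by attempting a modify of a listed attribute (for example manager) as the entry's owner; it must be refused.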
Use LDAP search filters cautiously.
Chapter 7, Designing a Secure Directory: Designing Access Control (page 153)