Designing Access Control
Identifies the bind DN or network location to which the permission applies.
The bind rule may also specify an LDAP filter, and if that filter is evaluated to
be true for the binding client application, then the ACI applies to the client
application.
So, ACIs are expressed as follows:
"For the directory object target, allow or deny permission if the
bind_rule is true."
permission and bind_rule are set as a pair, and you can have multiple permission
bind_rule pairs for every target. This allows you to efficiently set multiple access
controls for any given target. For example:
target(permission bind_rule)(permission bind_rule)...
For example, you can set a permission that allows anyone binding as Babs Jensen to
write to Babs Jensen's telephone number. The bind rule in this permission is the
part that states "if you bind as Babs Jensen." The target is Babs Jensen's phone
number, and the permission is write access.
Targets
You must decide what entry is targeted by every ACI you create in your directory.
If you target a directory entry that is a directory branch point, then that branch
point and all of its child entries are included in the scope of the permission.
If you do not explicitly specify a target entry for the ACI, then the ACI is targeted
to the directory entry that contains the ACI statement. Also, the default set of
attributes targeted by the ACI is any attribute available in the targeted entry's
object class structure.
For every ACI, you can target only one entry or only those entries that match a
single LDAP search filter.
In addition to targeting entries, you can also target attributes on the entry. This
allows you to set a permission that applies to only a subset of attribute values. You
can target sets of attributes by explicitly naming those attributes that are targeted,
or by explicitly naming the attributes that are not targeted by the ACI. Use the
latter case if you want to set a permission for all but a few attributes allowed by an
object class structure.
Permissions
You allow or deny permissions. In general, you should avoid denying permissions
for the reasons explained in "Allowing or Denying Access," on page 159.
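As an added illustration (not code from the guide), the following Python sketch models the target / permission / bind_rule triple described above and evaluates the Babs Jensen example against it. The DNs, attribute names and the evaluation order (an explicit deny beats an allow, and anything no ACI allows is refused) are assumptions of this sketch, not statements from the page.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Set
# Constructed model of the target / permission / bind_rule triple; not the real ACI syntax.
BindRule = Callable[[str, str], bool]   # (bind_dn, entry_dn) -> rule applies?

def in_scope(target_dn: str, entry_dn: str) -> bool:
    # A target that is a branch point covers itself and every child entry.
    t, e = target_dn.lower(), entry_dn.lower()
    return e == t or e.endswith("," + t)

@dataclass
class Aci:
    container_dn: str                        # entry that holds the ACI statement
    rules: List[tuple]                       # ("allow"|"deny", {ops}, BindRule)
    target_dn: Optional[str] = None          # default: the containing entry
    target_attrs: Optional[Set[str]] = None  # default: every attribute of the entry
    all_but: bool = False                    # True: target_attrs are the EXCLUDED ones

    def covers(self, entry_dn: str, attr: str) -> bool:
        if not in_scope(self.target_dn or self.container_dn, entry_dn):
            return False
        if self.target_attrs is None:
            return True
        named = attr.lower() in {a.lower() for a in self.target_attrs}
        return not named if self.all_but else named

def check(acis: List[Aci], bind_dn: str, entry_dn: str, attr: str, op: str) -> bool:
    # Assumed evaluation: an explicit deny wins over any allow; nothing allowed means refused.
    allowed = False
    for aci in acis:
        if not aci.covers(entry_dn, attr):
            continue
        for effect, ops, bind_rule in aci.rules:
            if op in ops and bind_rule(bind_dn, entry_dn):
                if effect == "deny":
                    return False
                allowed = True
    return allowed

# Constructed sample: Babs may write her own phone number; anyone may read;
# writes to any attribute other than the two named are denied.
PEOPLE = "ou=People,dc=example,dc=com"
BABS = "uid=bjensen," + PEOPLE
SELF = lambda bind_dn, entry_dn: bind_dn.lower() == entry_dn.lower()
ANYONE = lambda bind_dn, entry_dn: True
ACIS = [
    Aci(PEOPLE, [("allow", {"read"}, ANYONE)]),
    Aci(BABS, [("allow", {"write"}, SELF)], target_attrs={"telephoneNumber"}),
    Aci(PEOPLE, [("deny", {"write"}, ANYONE)],
        target_attrs={"telephoneNumber", "mail"}, all_but=True),
]
```

The third ACI shows the "all but a few attributes" form of targeting; because its deny also blocks writes every other ACI would otherwise allow, it illustrates why the guide advises against deny rules.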
156
Netscape Directory Server Deployment Guide • December 2003