Netscape DIRECTORY SERVER 6.2 - DEPLOYMENT Deployment Manual page 162

Designing Access Control
This means that if you are allowing or restricting access to a subset of
attributes on an object, determine whether the smallest list is the set of
attributes that are allowed or the set of attributes that are denied. Then
express your ACI so that you are managing the smallest list.
For example, the people object class contains dozens of attributes. If you
want to allow a user to update just one or two of these attributes, then write
your ACI so that it allows write access for just those few attributes. If,
however, you want to allow a user to update all but one or two attributes,
then create the ACI so that it allows write access for everything but a few
named attributes.
Use LDAP search filters cautiously.
Because search filters do not directly name the object that you are managing
access for, their use can result in unexpected surprises, especially as your
directory becomes more complex. If you are using search filters in ACIs, run
an ldapsearch operation using the same filter to make sure you know what
the results of the changes mean to your directory.
Do not duplicate ACIs in differing parts of your directory tree.
Watch out for overlapping ACIs. For example, if you have an ACI at your
directory root point that allows a group write access to the commonName and
givenName attributes and another ACI that allows the same group write
access for just the commonName attribute, then consider reworking your ACIs
so that only one control grants the write access for the group.
As your directory grows more complicated, it becomes increasingly easy to
accidentally overlap ACIs in this manner. By avoiding ACI overlap, you
make your security management easier while potentially reducing the total
number of ACIs contained in your directory.
Name your ACIs.
While naming ACIs is optional, giving each ACI a short, meaningful name
helps you to manage your security model, especially when examining your
ACIs from the Directory console.
Group your ACIs as closely together as possible within your directory.
Try to limit ACI placement to your directory root point and to major
directory branch points. Grouping ACIs helps you manage your total list of
ACIs, as well as helps you keep the total number of ACIs in your directory
to a minimum.
Avoid using double negatives, such as deny write if the bind DN is not
equal to cn=Joe.
162
Netscape Directory Server Deployment Guide • December 2003
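As an added example (not from the manual), a small Python audit that applies two of the guidelines above to constructed ACIs in the DS 6.x "version 3.0" syntax: it flags ACIs without an acl name and overlapping write grants for the same group on nested subtrees, the commonName/givenName situation described above. The simplified ACI form accepted (one targetattr list, one allow clause, one groupdn) and the sample DNs are assumptions.

```python
import re

# Constructed sample ACIs keyed by the entry they are placed on (assumed DNs).
SAMPLE_ACIS = {
    "dc=example,dc=com": [
        '(targetattr = "cn || givenName")(version 3.0; acl "HR edits names"; '
        'allow (write) groupdn = "ldap:///cn=HR,ou=Groups,dc=example,dc=com";)',
    ],
    "ou=People,dc=example,dc=com": [
        '(targetattr = "cn")(version 3.0; acl "HR edits cn"; '
        'allow (write) groupdn = "ldap:///cn=HR,ou=Groups,dc=example,dc=com";)',
        '(targetattr = "telephoneNumber")(version 3.0; '
        'allow (write) groupdn = "ldap:///cn=Helpdesk,ou=Groups,dc=example,dc=com";)',
    ],
}

# Simplified grammar: (targetattr="a || b")(version 3.0; [acl "name";] allow (rights) groupdn="...";)
ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"(?P<attrs>[^"]*)"\)\s*'
    r'\(version 3\.0;\s*(?:acl\s*"(?P<name>[^"]*)";\s*)?'
    r'allow\s*\((?P<rights>[^)]*)\)\s*groupdn\s*=\s*"(?P<group>[^"]*)";\)',
    re.IGNORECASE,
)

def parse_aci(text):
    """Extract name, target attributes, rights and subject group from one ACI."""
    m = ACI_RE.fullmatch(text.strip())
    if not m:
        raise ValueError("unsupported ACI syntax: " + text)
    return {
        "name": m.group("name"),
        "attrs": {a.strip().lower() for a in m.group("attrs").split("||")},
        "rights": {r.strip().lower() for r in m.group("rights").split(",")},
        "group": m.group("group").lower(),
    }

def audit(acis_by_dn):
    """Return (kind, subject, detail) findings: unnamed ACIs and overlapping writes."""
    findings = []
    parsed = [(dn.lower(), parse_aci(a)) for dn, lst in acis_by_dn.items() for a in lst]
    for dn, aci in parsed:
        if aci["name"] is None:
            findings.append(("unnamed", dn, None))
    for i, (dn1, a1) in enumerate(parsed):
        for dn2, a2 in parsed[i + 1:]:
            nested = dn1.endswith(dn2) or dn2.endswith(dn1)  # one scope contains the other
            same_writer = a1["group"] == a2["group"] and "write" in (a1["rights"] & a2["rights"])
            common = a1["attrs"] & a2["attrs"]
            if nested and same_writer and common:
                findings.append(("overlap", a1["group"], sorted(common)))
    return findings
```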