Security Design - Netscape DIRECTORY SERVER 6.2 - DEPLOYMENT Deployment Manual

Security Design

International builds upon its previous security design, adding the
example.com
following access controls to support its new multinational intranet:
• adds general ACIs to the root of the intranet, creating more
example.com
restrictive ACIs in each country and the branches beneath each country.
• decides to use macro ACIs to minimize the number of ACIs in
example.com
the directory.
uses a macro to represent a DN in the target or bind rule
example.com
portion of the ACI. When the directory gets an incoming LDAP operation,
the ACI macros are matched against the resource targeted by the LDAP
operation. If there is a match, the macro is replaced by the value of the DN
of the targeted resource.
For more information about macro ACIs, refer to the Netscape Directory
Server Administrator's Guide.
adds the following access controls to support its extranet:
example.com
• decides to use certificate-based authentication for all extranet
example.com
activities. When people log in to the extranet, they need a digital certificate.
The directory is used to store the certificates. Because the directory stores
the certificates, users can send encrypted email by looking up public keys
stored in the directory.
• creates an ACI that forbids anonymous access to the extranet.
example.com
This protects the extranet from denial of service attacks.
• wants updates to the directory data to come only from a
example.com
hosted application. This means that partners and suppliers
example.com
using the extranet can only use the tools provided by
Restricting extranet users to
administrators to use the audit logs to track the use of the
example.com
directory and limits the types of problems that can be introduced by
extranet users outside of
's preferred tools allows
example.com
International.
example.com
Chapter 8
A Multinational Enterprise and its Extranet
.
example.com
Directory Design Examples 187