Using Roles
However, in some security contexts it is inappropriate to have such open roles. For
example, consider account inactivation roles. By default, account inactivation roles
contain ACIs defined for their suffix. When creating a role, the server administrator
decides whether a user can assign themselves to or remove themselves from the
role.
For example, user A possesses the managed role, MR. The MR role has been locked
using account inactivation through the command line. This means that user A
cannot bind to the server because the nsAccountLock attribute is computed as
"true" for that user. However, suppose the user was already bound and noticed
that he is now locked through the MR role. If there are no ACIs preventing him, the
user can remove the nsRoleDN attribute from his entry and unlock himself.
To prevent users from removing the nsRoleDN attribute, use the following ACIs
depending upon the type of role being used.
Managed roles. For entries that are members of a managed role, use the following
ACI to prevent users from unlocking themselves by removing the appropriate
nsRoleDN:

aci: (targetattr="nsRoleDN")
 (targattrfilters="add=nsRoleDN:(!(nsRoleDN=cn=AdministratorRole,dc=example,dc=com)),
 del=nsRoleDN:(!(nsRoleDN=cn=nsManagedDisabledRole,dc=example,dc=com))")
 (version 3.0; aci "allow mod of nsRoleDN by self but not to critical values";
 allow (write) userdn="ldap:///self";)

The aci value is a single attribute value; it is wrapped above with LDIF
continuation lines (a leading space on each folded line) so that it can be
loaded as shown. The add filter lets the user add any role to his own entry
except cn=AdministratorRole, and the del filter lets him delete any nsRoleDN
value except cn=nsManagedDisabledRole, so the membership that locks the
account cannot be removed by its owner. Replace the two role DNs with the
roles that must be protected in your deployment: a role DN that is not named
in the del filter can still be removed by the user.
Filtered roles. The attributes that are part of the filter should be protected so that
the user cannot relinquish the filtered role by modifying an attribute. The user
should not be allowed to add, delete, or modify the attribute used by the filtered
role. If the value of the filter attribute is computed, then all attributes that can
modify the value of the filter attribute should be protected in the same way.
Nested roles. A nested role is comprised of filtered and managed roles, so the
above points should be considered for each of the roles that comprise the nested
role.
For more information about account inactivation, see "Inactivating Users and
Roles," on page 280.
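To see what the targattrfilters in the managed-role ACI actually permit, the following is an added Python model (not Directory Server code and not part of the manual) that applies the add and del filters to every value of a proposed self-modification of nsRoleDN. The role DNs are the ones in the ACI; the entry for user A, the DN normalisation, and the expansion of a delete-all or replace into per-value checks are assumptions of the model.

```python
"""Model of the targattrfilters check in the managed-role ACI above.

Added illustration, not Directory Server code: it reproduces how the server
applies the add= and del= filters to each nsRoleDN value a user tries to add
to or delete from his own entry. Only the filter operators the ACI needs are
implemented (equality, !, &, |); the entry layout, the DN normalisation and
the expansion of delete-all and replace operations are modelling assumptions.
"""
import re

# Role DNs taken from the ACI on this page.
ADMIN_ROLE = "cn=AdministratorRole,dc=example,dc=com"
DISABLED_ROLE = "cn=nsManagedDisabledRole,dc=example,dc=com"

# The targattrfilters value of the ACI, with the manual's line breaks removed.
TARGATTRFILTERS = (
    "add=nsRoleDN:(!(nsRoleDN=" + ADMIN_ROLE + ")),"
    " del=nsRoleDN:(!(nsRoleDN=" + DISABLED_ROLE + "))"
)


def norm_dn(dn):
    """Compare DNs case-insensitively and without blanks around ',' and '='."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()


def parse_filter(text):
    """Parse a small LDAP filter subset into nested tuples."""
    def close(pos):
        if text[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        return pos + 1

    def node(pos):
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos] in "&|":
            op, kids = text[pos], []
            pos += 1
            while text[pos] == "(":
                kid, pos = node(pos)
                kids.append(kid)
            return (op, kids), close(pos)
        if text[pos] == "!":
            kid, pos = node(pos + 1)
            return ("!", [kid]), close(pos)
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        return ("=", attr.strip().lower(), value), end + 1

    tree, end = node(0)
    if end != len(text):
        raise ValueError("trailing text after filter: %r" % text[end:])
    return tree


def match(tree, attr, value):
    """Evaluate a parsed filter against a pseudo-entry holding one value."""
    kind = tree[0]
    if kind == "=":
        return tree[1] == attr.lower() and norm_dn(tree[2]) == norm_dn(value)
    if kind == "!":
        return not match(tree[1][0], attr, value)
    if kind == "&":
        return all(match(k, attr, value) for k in tree[1])
    return any(match(k, attr, value) for k in tree[1])


def parse_targattrfilters(spec):
    """Split 'add=attr:filter, del=attr:filter' into {(op, attr): tree}."""
    rules = {}
    # Split only at ', add=' / ', del=' so commas inside DNs are left alone.
    for part in re.split(r",\s*(?=(?:add|del)=)", spec.strip()):
        op, rest = part.split("=", 1)
        attr, flt = rest.split(":", 1)
        rules[(op.strip().lower(), attr.strip().lower())] = parse_filter(flt.strip())
    return rules


def check_modify(rules, entry, attr, op, values=None):
    """Return (allowed, reason) for a self-modify of `attr` on `entry`.

    entry maps attribute names to their current values. A delete with no
    values is expanded to every current value and a replace to delete-all
    followed by add (assumed expansions); every value must pass its filter.
    """
    current = list(entry.get(attr, []))
    if op == "add":
        steps = [("add", list(values or []))]
    elif op == "delete":
        steps = [("del", list(values) if values else current)]
    elif op == "replace":
        steps = [("del", current), ("add", list(values or []))]
    else:
        raise ValueError("unknown modify op %r" % op)
    for step, vals in steps:
        tree = rules.get((step, attr.lower()))
        if tree is None:
            continue  # no filter for this op: only targetattr applies
        for v in vals:
            if not match(tree, attr, v):
                return False, "%s filter rejects value %s" % (step, v)
    return True, "all values pass"


if __name__ == "__main__":
    rules = parse_targattrfilters(TARGATTRFILTERS)
    # Constructed entry: user A, member of MR and of the disabled role.
    user_a = {"nsRoleDN": ["cn=MR,dc=example,dc=com", DISABLED_ROLE]}
    for op, vals in [("delete", [DISABLED_ROLE]), ("delete", None),
                     ("replace", []), ("add", [ADMIN_ROLE]),
                     ("delete", ["cn=MR,dc=example,dc=com"])]:
        print(op, vals, "->", check_modify(rules, user_a, "nsRoleDN", op, vals))
```

Running the demo shows the point of the caveat above: deleting the whole attribute, replacing it, or deleting the nsManagedDisabledRole value is refused, while deleting only cn=MR is still allowed because that DN is not named in the del filter.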
176
Netscape Directory Server Administrator's Guide • December 2003