Table of Contents
Advertisement
Access Control and Replication
In order to evaluate the
part of the ACI, the server looks at the
attribute
roledn
ou
stored in the targeted entry, and uses the value of this attribute to expand the
macro. Therefore, in the example, the
is expanded as follows:
roledn
roledn =
"ldap:///cn=DomainAdmins,ou=Engineering,dc=HostedCompany1,
dc=example,dc=com"
The Directory Server then evaluates the ACI according to the normal ACI
evaluation algorithm.
When an attribute is multi-valued, each value is used to expand the macro, and the
first one that provides a successful match is used.
Consider this example:
dn: cn=Jane Doe,ou=People,dc=HostedCompany1,dc=example,dc=com
cn: Jane Doe
sn: Doe
ou: Engineering, dc=HostedCompany1, dc=example,dc=com
ou: People, dc=HostedCompany1,dc=example,dc=com
...
In this case, when the Directory Server evaluates the ACI it performs a logical
OR on the following expanded expressions:
roledn =
"ldap:///cn=DomainAdmins,ou=Engineering,dc=HostedCompany1,
dc=example,dc=com"
roledn = "ldap:///cn=DomainAdmins,ou=People,dc=HostedCompany1,
dc=example,dc=com"
Access Control and Replication
ACIs are stored as attributes of entries, therefore, if an entry containing ACIs is part
of a replicated database, the ACIs are replicated like any other attribute.
ACIs are always evaluated on the Directory Server that services the incoming
LDAP requests. This means that when a consumer server receives an update
request, it will return a referral to the master server before evaluating whether the
request can be serviced or not on the master.
Chapter 6
Managing Access Control
263
Advertisement
Table of Contents
Troubleshooting
Need help?
Do you have a question about the NETSCAPE DIRECTORY SERVER 6.2 - ADMINISTRATOR and is the answer not in the manual?
Questions and answers