HP-UX Directory Server 8.1 administrator guide

To create a role-based attribute, use the nsRole attribute as the cosSpecifier in the CoS
definition entry of a classic CoS. Because the nsRole attribute can be multivalued, CoS schemes
can be defined that have more than one possible template entry. To resolve the ambiguity of
which template entry to use, include the cosPriority attribute in the CoS template entry.
For example, this CoS allows members of the manager role to exceed the standard mailbox quota.
The manager role entry is:
dn: cn=ManagerRole,ou=people,dc=example,dc=com
objectclass: top
objectclass: nsRoleDefinition
objectclass: nsComplexRoleDefinition
objectclass: nsFilteredRoleDefinition
cn: ManagerRole
nsRoleFilter: o=managers
Description: filtered role for managers
The classic CoS definition entry looks like:
dn: cn=managerCOS,dc=example,dc=com
objectclass: top
objectclass: cosSuperDefinition
objectclass: cosClassicDefinition
cosTemplateDn: cn=managerCOS,dc=example,dc=com
cosSpecifier: nsRole
cosAttribute: mailboxquota override
The cosTemplateDn attribute provides a value that, in combination with the attribute specified
in the cosSpecifier attribute (in the example, the nsRole attribute of the target entry),
identifies the CoS template entry. The CoS template entry provides the value for the
mailboxquota attribute. An additional qualifier of override tells the CoS to override any
existing mailboxquota attribute values in the target entry.
The corresponding CoS template entry looks as follows:
dn: cn="cn=ManagerRole,ou=people,dc=example,dc=com",cn=managerCOS,dc=example,dc=com
objectclass: top
objectclass: extensibleObject
objectclass: cosTemplate
mailboxquota: 1000000
The template provides the value for the mailboxquota attribute, 1000000.
NOTE:
The role entry and the CoS definition and template entries should be located at the same level
in the directory tree.
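The following Python model walks through the template lookup described above, including the case where an entry holds two roles. It is an added illustration, not code from this guide or from Directory Server. The second role (ExecRole), its template, and the cosPriority values are constructed; the model assumes that cosPriority 0 ranks highest, that a template without cosPriority ranks lowest, and that a stored value wins when the override qualifier is absent.

```python
# Model of classic-CoS resolution with cosSpecifier: nsRole (illustration only,
# not Directory Server code). DNs are compared as plain strings.
COS_TEMPLATE_DN = "cn=managerCOS,dc=example,dc=com"
MANAGER_ROLE = "cn=ManagerRole,ou=people,dc=example,dc=com"
# Constructed second role, so that one entry can match two templates.
EXEC_ROLE = "cn=ExecRole,ou=people,dc=example,dc=com"


def template_dn(role_dn, base=COS_TEMPLATE_DN):
    """Template DN = cn="<value of the cosSpecifier attribute>",<cosTemplateDn>."""
    return f'cn="{role_dn}",{base}'


# Template entries keyed by DN. cosPriority 0 is the highest priority;
# a template without cosPriority ranks lowest (assumption stated in the lead-in).
TEMPLATES = {
    template_dn(MANAGER_ROLE): {"mailboxquota": "1000000", "cosPriority": 1},
    template_dn(EXEC_ROLE): {"mailboxquota": "5000000", "cosPriority": 0},
}


def effective_value(entry, attr="mailboxquota", qualifier="override"):
    """Return the value a client would read for attr on this entry."""
    stored = entry.get(attr)
    # Without the override qualifier, a value stored in the entry wins.
    if stored is not None and qualifier != "override":
        return stored
    # Each nsRole value names one candidate template entry.
    candidates = [
        TEMPLATES[template_dn(role)]
        for role in entry.get("nsRole", [])
        if template_dn(role) in TEMPLATES
    ]
    candidates = [t for t in candidates if attr in t]
    if not candidates:
        return stored  # no template applies; fall back to the stored value
    # Several roles matched: cosPriority decides which template supplies the value.
    best = min(candidates, key=lambda t: t.get("cosPriority", float("inf")))
    return best[attr]
```

When reviewing such a scheme, check every role a user can acquire: with override set, the highest-priority matching template replaces whatever quota is stored in the entry.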
5.2.5 Access control and CoS
The server controls access to attributes generated by a CoS in exactly the same way as regular
stored attributes. However, access control rules depending upon the value of attributes generated
by CoS will not work. This is the same restriction that applies to using CoS-generated attributes
in search filters.
5.3 Using views
Virtual directory tree views, or views, create a virtual directory hierarchy, so it is easy to navigate
entries, without having to make sure those entries physically exist in any particular place. The
view uses information about the entries to place them in the view hierarchy, similarly to members
of a filtered role or a dynamic group. Views superimpose a directory tree (DIT) hierarchy over
a set of entries, and to client applications, views appear as ordinary container hierarchies.
Views create a directory tree similar to the regular hierarchy, such as using organizational unit
entries for subtrees, but view entries have an additional object class (nsview) and a filter attribute
(nsviewfilter) that set up a filter for the entries that belong in that view. After the view