HP-UX Directory Server 8.1 administrator guide

ManualsBrandsHP ManualsSoftwareHP-UX Directory Server

231

232

233

234

235

236

237

238

239

240

6 Managing access control

HP-UX Directory Server allows you to control access to your directory. This chapter describes

the how to implement access control. To take full advantage of the power and flexibility of access

control, while you are in the planning phase for your directory deployment, define an access

control strategy as an integral part of your overall security policy.

Topics include:

• “Access control principles” (page 233)

• “Default ACIs” (page 235)

• “Creating ACIs manually” (page 235)

• “Bind rules” (page 243)

• “Creating ACIs from the console” (page 256)

• “Viewing ACIs” (page 264)

• “Checking access rights on entries (get effective rights)” (page 264)

• “Logging access control information” (page 274)

• “Access control usage examples” (page 274)

• “Advanced access control: Using macro ACIs” (page 287)

• “Access control and replication” (page 291)

• “Compatibility with earlier releases” (page 291)

6.1 Access control principles

The mechanism that defines user access is called access control. When the server receives a

request, it uses the authentication information provided by the user in the bind operation and

the access control instructions (ACIs) defined in the server to allow or deny access to directory

information. The server can allow or deny permissions for actions on entries like read, write,

search, and compare. The permission level granted to a user may depend on the authentication

information provided.

Access control in Directory Server is flexible enough to provide very precise rules on when the

ACIs are applicable:

• For the entire directory, a subtree of the directory, specific entries in the directory (including

entries defining configuration tasks), or a specific set of entry attributes.

• For a specific user, all users belonging to a specific group or role, or all users of the directory.

• For a specific location such as an IP address or a DNS name.

6.1.1 ACI structure

Access control instructions are stored in the directory as attributes of entries. The aci attribute

is an operational attribute; it is available for use on every entry in the directory, regardless of

whether it is defined for the object class of the entry. It is used by the Directory Server to evaluate

what rights are granted or denied when it receives an LDAP request from a client. The aci

attribute is returned in an ldapsearch operation if specifically requested.

The three main parts of an ACI statement are:

• Target

• Permission

• Bind Rule

The permission and bind rule portions of the ACI are set as a pair, also called an access control

rule (ACR). The specified permission is granted or denied depending on whether the

accompanying rule is evaluated to be true.

6.1 Access control principles 233