HP-UX Directory Server 8.1 administrator guide

For more information on how to chain access control evaluation, see “Database links and
access control evaluation”.
Attributes generated by class of service (CoS) cannot be used in all ACI keywords. Specifically,
you should not use attributes generated by CoS with the following keywords:
• targetfilter (“Targeting entries or attributes using LDAP filters”)
• targattrfilters (“Targeting attributes”)
• userattr (“Using the userattr keyword”)
If you create target filters or bind rules that depend on the value of attributes generated by
CoS, the access control rule will not work. For more information on CoS, see
Chapter 5 “Organizing entries with roles, class of service, and views”.
Access control rules are always evaluated on the local server. Therefore, it is not necessary
to specify the host name or port number of the server in LDAP URLs used in ACI keywords.
If you do, the LDAP URL is not taken into account at all. For more information on LDAP
URLs, see Appendix C “LDAP URLs”.
6.2 Default ACIs
When the Administration Server is set up, the following default ACIs apply to the directory
information stored in the userRoot database:
• Users can modify a list of common attributes in their own entries, including the mail,
telephoneNumber, userPassword, and seeAlso attributes. Operational and most of
the security attributes, such as aci, nsroledn, and passwordExpirationTime, cannot
be modified by users.
• Users have anonymous access to the directory for search, compare, and read operations.
• The administrator (by default
uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot) has all rights
except proxy rights.
• All members of the Configuration Administrators group have all rights except proxy
rights.
• All members of the Directory Administrators group have all rights except proxy
rights.
• Server Instance Entry (SIE) group.
The NetscapeRoot subtree has its own set of default ACIs:
• All members of the Configuration Administrators group have all rights on the
NetscapeRoot subtree except proxy rights.
• Users have anonymous access to the NetscapeRoot subtree for search and read operations.
• All authenticated users have search, compare, and read rights to configuration attributes
that identify the Administration Server.
• Group expansion.
The following sections explain how to modify these default settings.
6.3 Creating ACIs manually
You can create access control instructions manually using LDIF statements and add them to your
directory tree using the ldapmodify utility, similar to the instructions in “LDIF update
statements”. The following sections explain in detail how to create the LDIF statements.
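Added example, not taken from the guide: a small POSIX shell script that emits the LDIF change record for an ACI matching the default "users may modify common attributes in their own entry" rule described in “Default ACIs”, and a lint that rejects an ACI placing a CoS-generated attribute in targetfilter, targattrfilters or userattr (the keywords noted above as not working with CoS). The suffix, the ldapmodify options and the attribute names are assumptions.

```shell
#!/bin/sh
# Emit an LDIF modify record (on stdout) that adds one ACI to the entry $1.
# The ACI lets a bound user write mail, telephoneNumber, userPassword and
# seeAlso in its own entry. Host and port are left out of the LDAP URL on
# purpose: ACIs are evaluated locally and a host/port would be ignored anyway.
self_write_aci_ldif() {
  cat <<EOF
dn: $1
changetype: modify
add: aci
aci: (targetattr = "mail || telephoneNumber || userPassword || seeAlso")(version 3.0; acl "Users may modify common attributes in own entry"; allow (write) userdn = "ldap:///self";)
EOF
}

# Return 0 if the ACI in $1 is clean, 1 if any CoS-generated attribute named in
# the remaining arguments appears inside a targetfilter, targattrfilters or
# userattr clause (such a rule would silently not work).
aci_cos_check() {
  aci=$1
  shift
  for attr in "$@"; do
    if printf '%s\n' "$aci" \
       | grep -o -i -E '(targetfilter|targattrfilters|userattr)[[:space:]]*=[[:space:]]*"[^"]*"' \
       | grep -q -i "$attr"; then
      return 1
    fi
  done
  return 0
}

# Apply the record to a live server. Bind DN, password prompt, host and port
# are assumed ldapmodify options; the suffix dc=example,dc=com is a placeholder.
apply_self_write_aci() {
  self_write_aci_ldif "dc=example,dc=com" \
    | ldapmodify -D "cn=Directory Manager" -w - -h localhost -p 389
}
```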