HP-UX Directory Server 8.1 administrator guide
• keyword indicates the type of target.
• equal (=) indicates that the target is the object specified in the expression, and not equal
(!=) indicates the target is not the object specified in the expression.
• expression identifies the target.
The quotation marks ("") around expression are required. What you use for expression is
dependent upon the keyword that you supply.
Table 6-1 “LDIF target keywords” lists each keyword and the associated expressions.
Table 6-1 LDIF target keywords
Keyword              Valid expressions               Wildcard allowed
target               ldap:///distinguished_name      Yes
targetattr           attribute                       Yes
targetfilter         LDAP_filter                     Yes
targetattrfilters    LDAP_operation:LDAP_filter      Yes
In all cases, you must keep in mind that when you place an ACI on an entry, if it is not a leaf
entry, the ACI also applies to all entries below it. For example, if you target the entry
ou=accounting,dc=example,dc=com, the permissions you set apply to all entries in the
accounting branch of the example.com tree.
As a counter example, if you place an ACI on the ou=accounting,dc=example,dc=com
entry, you cannot target the uid=sarette,ou=people,dc=example,dc=com entry because
it is not located under the accounting tree.
Be wary of using != when specifying an attribute to deny. ACLs are treated as a logical OR,
which means that if you created two ACLs as shown below, the result allows all values of the
target attribute.
acl1: ( target=...)( targetattr!=a )(version 3.0; acl "name";allow (...)..
acl2: ( target=...)( targetattr!=b )(version 3.0; acl "name";allow (...)..
The first ACL (acl1) allows b and the second ACL (acl2) allows a. The result of these two
ACLs is the same as the one resulting from using an ACL of the following form:
acl3: ( targetattr="*" ) allow (...) ...
In the second example, nothing is denied, which could give rise to security problems.
When you want to deny access to a particular attribute, use deny in the permissions clause rather
than using allow with ( targetattr != value ). For example, usages such as these are
recommended:
acl1: ( target=...)( targetattr=a )(version 3.0; acl "name";deny (...)..
acl2: ( target=...)( targetattr=b )(version 3.0; acl "name";deny (...)..
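As an added illustration, not code from the guide, the following Python evaluator applies the target and targetattr matching rules described above to constructed sample ACIs written in the guide's shape: it shows that the two allow rules with targetattr != together grant read access to every attribute of entries under ou=accounting, while the deny form withholds a and b and still refuses entries outside the accounting branch. It assumes the || separator for listing several targetattr values and that a matching deny takes precedence over any allow.

```python
import re
# Constructed sample ACIs in the guide's shape; DNs and attribute names are illustrative.
ACCOUNTING = "ldap:///ou=accounting,dc=example,dc=com"
ALLOW_NEQ = [  # discouraged form: allow combined with targetattr != ...
    f'(target="{ACCOUNTING}")(targetattr!="a")(version 3.0; acl "acl1"; allow (read) userdn="ldap:///anyone";)',
    f'(target="{ACCOUNTING}")(targetattr!="b")(version 3.0; acl "acl2"; allow (read) userdn="ldap:///anyone";)',
]
DENY_FORM = [  # recommended form: a broad allow plus an explicit deny per attribute
    f'(target="{ACCOUNTING}")(targetattr="*")(version 3.0; acl "base"; allow (read) userdn="ldap:///anyone";)',
    f'(target="{ACCOUNTING}")(targetattr="a")(version 3.0; acl "acl1"; deny (read) userdn="ldap:///anyone";)',
    f'(target="{ACCOUNTING}")(targetattr="b")(version 3.0; acl "acl2"; deny (read) userdn="ldap:///anyone";)',
]
TARGET_RE = re.compile(r'\(\s*target\s*(!?=)\s*"ldap:///([^"]*)"\s*\)')
TARGETATTR_RE = re.compile(r'\(\s*targetattr\s*(!?=)\s*"?([^"()]*?)"?\s*\)')
PERM_RE = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)')

def norm_dn(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))

def target_matches(op, target_dn, entry_dn):
    """target covers the named entry and every entry below it (DN suffix match)."""
    t, e = norm_dn(target_dn), norm_dn(entry_dn)
    hit = e == t or e.endswith("," + t)
    return hit if op == "=" else not hit

def targetattr_matches(op, value, attr):
    """targetattr lists attributes separated by || (assumed syntax); "*" means every attribute."""
    names = [v.strip().lower() for v in value.split("||")]
    hit = "*" in names or attr.lower() in names
    return hit if op == "=" else not hit

def access(acis, entry_dn, attr, right):
    """Combine the ACIs matching (entry, attr, right): any matching allow grants
    (logical OR); a matching deny is assumed to win over any allow."""
    allowed = False
    for aci in acis:
        tgt, ta, perm = TARGET_RE.search(aci), TARGETATTR_RE.search(aci), PERM_RE.search(aci)
        if not (tgt and ta and perm):
            continue  # clause missing: this ACI says nothing about the request
        if not (target_matches(tgt.group(1), tgt.group(2), entry_dn)
                and targetattr_matches(ta.group(1), ta.group(2), attr)):
            continue
        verb, rights = perm.groups()
        if right not in {r.strip() for r in rights.split(",")}:
            continue
        if verb == "deny":
            return False
        allowed = True
    return allowed
```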
6.3.2.1 Targeting a directory entry
To target a directory entry (and the entries below it), you must use the target keyword. The
target keyword can accept a value of the following format:
target="ldap:///distinguished_name"
This identifies the distinguished name of the entry to which the access control rule applies. For
example:
(target = "ldap:///uid=bjensen,dc=example,dc=com")