HP-UX Directory Server 8.1 administrator guide
NOTE:
Although using LDAP filters can be useful when you are targeting entries and attributes that
are spread across the directory, the results are sometimes unpredictable because filters do not
directly name the object for which you are managing access. The set of entries targeted by a
filtered ACI is likely to change as attributes are added or deleted. Therefore, if you use LDAP
filters in ACIs, you should verify that they target the correct entries and attributes by using the
same filter in an ldapsearch operation.
6.3.2.5 Targeting attribute values using LDAP filters
You can use access control to target specific attribute values. This means that you can grant or
deny permissions on an attribute if that attribute's value meets the criteria defined in the ACI.
An ACI that grants or denies access based on an attribute's value is called a value-based ACI.
For example, you might grant all users in your organization permission to modify the nsroledn
attribute in their own entry. However, you would also want to ensure that they do not give
themselves certain key roles, such as Top Level Administrator. LDAP filters are used to
check that the conditions on attribute values are satisfied.
To create a value-based ACI, you must use the targattrfilters keyword with the following
syntax:
(targattrfilters="add=attr1:F1 && attr2:F2... && attrn:Fn,
del=attr1:F1 && attr2:F2 ... && attrn:Fn")
• add represents the operation of creating an attribute.
• del represents the operation of deleting an attribute.
• attrx represents the target attributes.
• Fx represents filters that apply only to the associated attribute.
When creating an entry, if a filter applies to an attribute in the new entry, then each instance of
that attribute must satisfy the filter. When deleting an entry, if a filter applies to an attribute in
the entry, then each instance of that attribute must also satisfy the filter.
When modifying an entry, if the operation adds an attribute, then the add filter that applies to
that attribute must be satisfied; if the operation deletes an attribute, then the delete filter that
applies to that attribute must be satisfied. If individual values of an attribute already present in
the entry are replaced, then both the add and delete filters must be satisfied.
For example, consider the following attribute filter:
(targattrfilters="add=nsroledn:(!(nsroledn=cn=superAdmin)) && telephoneNumber:(telephoneNumber=123*)")
This filter can be used to allow users to add any role (nsroledn attribute) to their own entry,
except the superAdmin role. It also allows users to add a telephone number with a 123 prefix.
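As an added illustration that is not part of the HP documentation, the following Python model applies the add/delete/replace rules described above to a targattrfilters specification, so you can check which modifications a value-based ACI would let through before deploying it. The filter evaluator is deliberately minimal (equality, trailing-wildcard prefix, and negation only), and the case-insensitive comparison and the treatment of attributes that have no value filter are assumptions of this model, not the server's matching-rule logic.

```python
import re

def parse_targattrfilters(spec):
    """Parse 'add=attr:F && attr:F,del=attr:F' into {'add': {attr: F}, 'del': {attr: F}}."""
    rules = {"add": {}, "del": {}}
    # Split on the comma that separates the add= part from the del= part.
    for clause in re.split(r",\s*(?=(?:add|del)=)", spec.strip()):
        op, _, body = clause.partition("=")
        for pair in body.split("&&"):
            attr, _, flt = pair.strip().partition(":")
            rules[op.strip()][attr.strip().lower()] = flt.strip()
    return rules

def match_filter(flt, attr, value):
    """Minimal evaluator: supports (attr=value), (attr=prefix*) and (!(...))."""
    flt = flt.strip()
    if flt.startswith("(!"):
        return not match_filter(flt[2:-1], attr, value)
    m = re.fullmatch(r"\(([\w-]+)=(.*)\)", flt)
    if not m or m.group(1).lower() != attr:
        return False  # filter names another attribute: no match in this model
    pattern = m.group(2)
    if pattern.endswith("*"):
        return value.lower().startswith(pattern[:-1].lower())
    return value.lower() == pattern.lower()  # assumption: case-insensitive match

def mod_allowed(rules, op, attr, values):
    """Apply the page's rules: add -> add filter, delete -> del filter, replace -> both.
    Every supplied value must satisfy each applicable filter."""
    needed = {"add": ["add"], "delete": ["del"], "replace": ["add", "del"]}[op]
    attr = attr.lower()
    for kind in needed:
        flt = rules[kind].get(attr)
        if flt is None:
            continue  # assumption: no value filter means no value-based restriction
        if not all(match_filter(flt, attr, v) for v in values):
            return False
    return True

# Constructed specification taken from the example above, extended with a del= part.
SPEC = ("add=nsroledn:(!(nsroledn=cn=superAdmin)) && telephoneNumber:(telephoneNumber=123*),"
        "del=nsroledn:(!(nsroledn=cn=superAdmin))")

if __name__ == "__main__":
    rules = parse_targattrfilters(SPEC)
    print(mod_allowed(rules, "add", "nsroledn", ["cn=helpdesk"]))    # True
    print(mod_allowed(rules, "add", "nsroledn", ["cn=superAdmin"]))  # False
```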
NOTE:
You cannot create value-based ACIs from the Directory Server Console.
6.3.2.6 Targeting a single directory entry
Targeting a single directory entry is not straightforward because it goes against the design
philosophy of the access control mechanism. However, it can be done in either of two ways:
• By creating a bind rule that matches user input in the bind request with an attribute value
stored in the targeted entry. For more details, see “Defining access based on value matching”.
• By using the targetattr and targetfilter keywords.
You can use the targetattr keyword to specify an attribute that is only present in the entry
you want to target, and not in any of the entries below your target. For example, if you want to
240 Managing access control