HP-UX Directory Server 8.1 administrator guide

Table 6-4 userdn keyword examples (continued)

Scenario: Userdn keyword containing the all keyword
Example: userdn = "ldap:///all";
Description: The bind rule is evaluated to be true for any valid bind DN. To be true, a valid distinguished name must be presented by the user for a successful bind operation.
For example, if you want to grant read access to the entire tree to all authenticated users, you would create the following ACI on the dc=example,dc=com node:
aci:(version 3.0; acl "all-read"; allow (read) userdn="ldap:///all";)

Scenario: Userdn keyword containing the anyone keyword
Example: userdn = "ldap:///anyone";
Description: The bind rule is evaluated to be true for anyone; use this keyword to provide anonymous access to your directory.
For example, if you want to allow anonymous read and search access to the entire example.com tree, you would create the following ACI on the dc=example,dc=com node:
aci: (version 3.0; acl "anonymous-read-search"; allow (read,search) userdn = "ldap:///anyone";)

Scenario: Userdn keyword containing the parent keyword
Example: userdn = "ldap:///parent";
Description: The bind rule is evaluated to be true if the bind DN is the parent of the targeted entry.
For example, if you want to grant write access to every user's child entries, you would create the following ACI on the dc=example,dc=com node:
aci:(version 3.0; acl "parent access"; allow (write) userdn="ldap:///parent";)
6.4.3 Defining group access - groupdn keyword
Members of a specific group can access a targeted resource. This is known as group access. Group
access is defined using the groupdn keyword to specify that access to a targeted entry is granted
or denied if the user binds using a DN that belongs to a specific group.
Group membership can be determined based on the user's DN or by using an LDAP filter to
search for group members.
The groupdn keyword requires one or more valid distinguished names in the following format:
groupdn="ldap:///dn [|| ldap:///dn]...[|| ldap:///dn]"
The bind rule is evaluated to be true if the bind DN belongs to the named group.
NOTE:
If a DN contains a comma, the comma must be escaped by a backslash (\).
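As an added example (not code from the HP-UX guide), the following Python parses the ACI values shown in Table 6-4 and a groupdn value in the DN-list format above, and evaluates the bind rule for a given bind DN. The ACI regex, the way group membership is supplied, and the DN normalisation are simplifications assumed here; only the keyword forms shown so far are handled, not the LDAP-filter form of groupdn.

```python
import re

# Added example, not from the HP-UX guide: parse the bind rule of an ACI
# value and evaluate it for a bind DN, following the guide's description
# of the userdn (all / anyone / parent) and groupdn keywords.
ACI_RE = re.compile(
    r'\(version 3\.0;\s*acl\s+"(?P<name>[^"]*)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'(?P<keyword>userdn|groupdn)\s*=\s*"(?P<value>[^"]*)"\s*;\s*\)')

def parse_aci(aci):
    """Return acl name, effect, rights and the bind rule of one ACI."""
    m = ACI_RE.search(aci)
    if not m:
        raise ValueError("unsupported ACI syntax: %r" % aci)
    rule = m.groupdict()
    rule["rights"] = [r.strip() for r in rule["rights"].split(",")]
    # "ldap:///dn || ldap:///dn" lists several DNs; keep each without the prefix
    rule["dns"] = [v.strip()[len("ldap:///"):] for v in rule["value"].split("||")]
    return rule

def split_rdns(dn):
    """Split a DN on commas, honouring the backslash escape the NOTE requires."""
    return [r.strip() for r in re.split(r'(?<!\\),', dn)]

def normalize_dn(dn):
    """Assumed comparison rule: case-insensitive, whitespace between RDNs ignored."""
    return ",".join(r.lower() for r in split_rdns(dn))

def parent_dn(dn):
    return ",".join(split_rdns(dn)[1:])

def bind_rule_true(aci, bind_dn, target_dn, groups_of_bind_dn=()):
    """Evaluate the bind rule; bind_dn is None for an anonymous bind."""
    rule = parse_aci(aci)
    if rule["keyword"] == "userdn":
        value = rule["dns"][0]
        if value == "anyone":          # true for everyone, even anonymous
            return True
        if value == "all":             # true for any authenticated bind DN
            return bind_dn is not None
        if value == "parent":          # true if the bind DN is the target's parent
            return bind_dn is not None and \
                normalize_dn(parent_dn(target_dn)) == normalize_dn(bind_dn)
        return bind_dn is not None and normalize_dn(value) == normalize_dn(bind_dn)
    # groupdn: true if the bind DN belongs to any of the listed groups
    members = {normalize_dn(g) for g in groups_of_bind_dn}
    return bind_dn is not None and any(normalize_dn(g) in members for g in rule["dns"])
```

Group membership is passed in as the DNs of the groups the bind DN belongs to; a real server resolves it from the directory.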
The groupdn keyword can also be expressed with an LDAP filter:
groupdn="ldap:///suffix??scope?(filter)"
With this more complex groupdn syntax, the value of the groupdn expression is a single LDAP
URL. Multiple groupdn expressions can be grouped together within parentheses and combined with
the "or" and "and" connectors to define additional conditions on the group membership. For example:
6.4 Bind rules 247