HP-UX Directory Server 8.1 administrator guide

Several groupdn keywords can be combined in one bind rule with the boolean operators and and or, grouped with parentheses. For example, the following rule is true only if the bind DN is a member of a group matching cn=*s_2 and also of a group matching cn=*s_0 or cn=*s_1:
(groupdn = "ldap:///ou=Groups,dc=example,dc=com??sub?(cn=*s_0)" or
groupdn = "ldap:///ou=Groups,dc=example,dc=com??sub?(cn=*s_1)") and
groupdn = "ldap:///ou=Groups,dc=example,dc=com??sub?(cn=*s_2)"
When stringing multiple groupdn URLs together inside a single keyword value, the keyword uses pipes (||) to separate the URLs:
groupdn = "LDAPURL0 || LDAPURL1 || LDAPURL2"
Ampersands (&&) are not permitted inside the value, such as groupdn = "LDAPURL0 && LDAPURL1"; to require membership in more than one group, use separate groupdn keywords joined with and, as shown above. Embedded double quotes are also not permitted, such as userdn = "ldap:///cn=Ralph "the doc" Wellman".
For example, to use two groupdn keywords so that the bind user must belong to both an Administrators group and a Managers group:
groupdn="ldap:///dc=example,dc=com??sub?(cn=*Administrators)" and groupdn="ldap:///dc=example,dc=com??sub?(cn=*Managers)"
For more information about LDAP URLs, see Appendix C “LDAP URLs”.
The Directory Server Console defines specific groups through the Access Control Editor. For
more information, see “Creating ACIs from the console”.
Table 6-5 groupdn examples

Scenario: groupdn keyword containing an LDAP URL
Example:
groupdn = "ldap:///cn=Administrators,dc=example,dc=com";
Description: The bind rule is evaluated to be true if the bind DN belongs to the Administrators group. For example, to grant the Administrators group permission to write to the entire directory tree, create the following ACI on the dc=example,dc=com node:
aci: (targetattr=*)(version 3.0; acl "Administrators-write"; allow (write) groupdn="ldap:///cn=Administrators,dc=example,dc=com";)

Scenario: groupdn keyword containing an LDAP URL with a filter
Example:
groupdn = "ldap:///dc=example,dc=com??sub?(cn=*Administrators)";
Description: The bind rule is evaluated to be true if the bind DN belongs to any of the groups returned by the URL, that is, any group under dc=example,dc=com whose cn matches the filter. Because the filter is evaluated when the ACI is checked, a wildcard such as cn=*Administrators also matches groups created later (for example, cn=Mail Administrators), so keep the base DN and filter no broader than the grant is meant to be.

Scenario: groupdn keyword containing a logical OR of LDAP URLs
Example:
groupdn = "ldap:///cn=Administrators,dc=example,dc=com" || "ldap:///cn=Mail Administrators,dc=example,dc=com";
Description: The bind rule is evaluated to be true if the bind DN belongs to either the Administrators group or the Mail Administrators group.
6.4.4 Defining role access - roledn keyword
Members of a specific role can access a targeted resource. This is known as role access. Role access
is defined using the roledn keyword to specify that access to a targeted entry is granted or
denied if the user binds using a DN that belongs to a specific role.
The roledn keyword requires one or more valid distinguished names in the following format:
roledn = "ldap:///dn [|| ldap:///dn]... [|| ldap:///dn]"
The bind rule is evaluated to be true if the bind DN belongs to the specified role.
NOTE:
If a DN contains a comma, the comma must be escaped by a backslash (\).
The roledn keyword has the same syntax and is used in the same way as the groupdn keyword,
with the exception of the LDAP filter, which is not implemented for role membership.
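The following is an added example, not code from the HP-UX Directory Server guide or the product. It is a small evaluator that reproduces the bind-rule semantics described above for both groupdn (Table 6-5 and the combination rules) and roledn: a keyword value is one or more LDAP URLs separated by ||, a plain URL names a group the bind DN must belong to, a URL with a scope and filter matches any group under the base whose attributes satisfy the filter, && and embedded double quotes are rejected, and roledn accepts the same value syntax but no filter. The directory entries, user DNs and role name are constructed for the example; the one product detail assumed is that a user's roles are readable from the computed nsRole attribute on the user entry. Values are passed without their enclosing double quotes.

```python
"""Toy evaluator for groupdn / roledn bind-rule values (added example, not
from the Directory Server guide). Directory data below is constructed."""
import re
from urllib.parse import unquote


def normalize_dn(dn):
    """Case-fold a DN and drop whitespace around unescaped commas
    (a simplification of RFC 4514 DN matching; '\\,' stays inside an RDN)."""
    return ",".join(p.strip() for p in re.split(r"(?<!\\),", dn)).lower()


# Constructed sample directory: normalized DN -> attributes.
# Roles are modelled through the computed nsRole attribute (assumption).
DIRECTORY = {
    "cn=administrators,dc=example,dc=com": {
        "cn": ["Administrators"],
        "uniquemember": ["uid=alice,ou=People,dc=example,dc=com"]},
    "cn=mail administrators,dc=example,dc=com": {
        "cn": ["Mail Administrators"],
        "uniquemember": ["uid=bob,ou=People,dc=example,dc=com"]},
    "cn=managers,dc=example,dc=com": {
        "cn": ["Managers"],
        "member": ["uid=alice,ou=People,dc=example,dc=com"]},
    "uid=alice,ou=people,dc=example,dc=com": {
        "nsrole": ["cn=Ops Role,dc=example,dc=com"]},
    "uid=bob,ou=people,dc=example,dc=com": {"nsrole": []},
}


def split_urls(value):
    """Split a keyword value on '||' and enforce the guide's restrictions:
    no '&&' and no embedded double quotes inside the value."""
    if "&&" in value:
        raise ValueError("'&&' is not allowed; use two keywords joined with 'and'")
    if '"' in value:
        raise ValueError("double quotes are not allowed inside the value")
    urls = [u.strip() for u in value.split("||")]
    for u in urls:
        if not u.startswith("ldap:///"):
            raise ValueError("not an LDAP URL: %r" % u)
    return urls


def parse_ldap_url(url):
    """ldap:///dn?attrs?scope?filter with the host omitted (RFC 4516).
    Returns (normalized base DN, scope, filter or None)."""
    parts = url[len("ldap:///"):].split("?")
    base = normalize_dn(unquote(parts[0]))
    scope = parts[2] if len(parts) > 2 and parts[2] else "base"
    flt = unquote(parts[3]) if len(parts) > 3 and parts[3] else None
    return base, scope, flt


def in_scope(dn, base, scope):
    """Does entry dn fall inside the search base for the given scope?"""
    if scope == "base":
        return dn == base
    pieces = re.split(r"(?<!\\),", dn, maxsplit=1)
    parent = pieces[1] if len(pieces) == 2 else ""
    if scope == "one":
        return parent == base
    if scope == "sub":
        return dn == base or dn.endswith("," + base)
    raise ValueError("unknown scope %r" % scope)


def match_filter(entry, flt):
    """Only the simple (attr=value) form with '*' wildcards used in the guide."""
    m = re.fullmatch(r"\((\w+)=([^()]*)\)", flt)
    if not m:
        raise ValueError("unsupported filter in this example: %r" % flt)
    attr, pattern = m.group(1).lower(), m.group(2)
    regex = ".*".join(re.escape(p) for p in pattern.split("*"))
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in entry.get(attr, []))


def is_group_member(bind_dn, group):
    members = {normalize_dn(m) for a in ("member", "uniquemember")
               for m in group.get(a, [])}
    return normalize_dn(bind_dn) in members


def eval_groupdn(bind_dn, value):
    """True if bind_dn is a member of the named group (plain URL) or of any
    group selected by the URL's scope and filter; '||' ORs the URLs."""
    for url in split_urls(value):
        base, scope, flt = parse_ldap_url(url)
        if flt is None:
            candidates = [DIRECTORY[base]] if base in DIRECTORY else []
        else:
            candidates = [e for dn, e in DIRECTORY.items()
                          if in_scope(dn, base, scope) and match_filter(e, flt)]
        if any(is_group_member(bind_dn, g) for g in candidates):
            return True
    return False


def eval_roledn(bind_dn, value):
    """Same value syntax as groupdn, but a filter is rejected and role
    membership is read from the bind entry's nsRole values."""
    roles = {normalize_dn(r) for r in
             DIRECTORY.get(normalize_dn(bind_dn), {}).get("nsrole", [])}
    for url in split_urls(value):
        base, _scope, flt = parse_ldap_url(url)
        if flt is not None:
            raise ValueError("roledn does not support LDAP filters")
        if base in roles:
            return True
    return False


if __name__ == "__main__":
    alice = "uid=alice,ou=People,dc=example,dc=com"
    bob = "uid=bob,ou=People,dc=example,dc=com"
    print(eval_groupdn(alice, "ldap:///cn=Administrators,dc=example,dc=com"))
    # The wildcard filter also picks up "Mail Administrators", so bob passes.
    print(eval_groupdn(bob, "ldap:///dc=example,dc=com??sub?(cn=*Administrators)"))
    print(eval_roledn(alice, "ldap:///cn=Ops Role,dc=example,dc=com"))
```

The two-keyword rule from the text (Administrators and Managers) is simply the conjunction of two eval_groupdn calls; the evaluator deliberately refuses a single value containing &&, mirroring the restriction the guide states.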