HP-UX Directory Server 8.1 administrator guide
6.4.5 Defining access based on value matching
You can set bind rules to specify that an attribute value of the entry used to bind to the directory
must match an attribute value of the targeted entry.
For example, you can specify that the bind DN must match the DN in the manager attribute of
a user entry in order for the ACI to apply. In this case, only the user's manager would have access
to the entry.
This example is based on DN matching. However, you can match any attribute of the entry used
in the bind with the targeted entry. For example, you could create an ACI that allowed any user
whose favoriteDrink attribute is beer to read all the entries of other users that have the same
value for favoriteDrink.
6.4.5.1 Using the userattr keyword
The userattr keyword can be used to specify which attribute values must match between the
entry used to bind and the targeted entry. You can specify any of the following:
• A user DN
• A group DN
• A role DN
• An LDAP filter, in an LDAP URL
• Any attribute type
The LDIF syntax of the userattr keyword is as follows:
userattr = "attrName#bindType"
When the attribute holds a plain value rather than a user DN, group DN, role DN, or an
LDAP filter, the format is as follows:
userattr = "attrName#attrValue"
• attrName is the name of the attribute used for value matching.
• bindType is USERDN, GROUPDN, ROLEDN, or LDAPURL.
• attrValue is any string representing an attribute value.
6.4.5.1.1 Example with USERDN bind type
The following associates the userattr keyword with a bind based on the user DN:
userattr = "manager#USERDN"
The bind rule is evaluated to be true if the bind DN matches the value of the manager attribute
in the targeted entry. You can use this to allow a user's manager to modify employees' attributes.
This mechanism only works if the manager attribute in the targeted entry is expressed as a full
DN; a value such as a bare uid or name never matches. Because the comparison is driven by data
stored in the targeted entry, make sure the users whose entries carry the manager attribute cannot
write that attribute themselves; otherwise a user could set it to a DN of their choosing and grant
that identity access.
The following example grants a manager full access to his or her employees' entries:
aci: (target="ldap:///dc=example,dc=com")(targetattr=*)
(version 3.0; acl "manager-write"; allow (all) userattr = "manager#USERDN";)
6.4.5.1.2 Example with GROUPDN bind type
The following associates the userattr keyword with a bind based on a group DN:
userattr = "owner#GROUPDN"
The bind rule is evaluated to be true if the bind DN is a member of the group specified in the
owner attribute of the targeted entry. For example, you can use this mechanism to allow a group
to manage employees' status information. You can use an attribute other than owner as long as
the attribute you use contains the DN of a group entry.
The group you point to can be a dynamic group, and the DN of the group can be under any
suffix in the database. However, the evaluation of this type of ACI by the server is very resource
intensive.
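As an added illustration of the USERDN and GROUPDN rules in 6.4.5.1.1 and 6.4.5.1.2 and of the attrName#attrValue form (this is example code written for this page, not code from the HP-UX Directory Server product or its guide), the following Python script models how the server evaluates a userattr bind rule against a small constructed directory. USERDN compares the bind DN with a DN stored in the targeted entry, GROUPDN checks whether the bind DN is a member of the static or dynamic group named by the attribute, and attrName#attrValue requires both the bind entry and the targeted entry to carry the value. All entries, DNs, group names and the memberURL are constructed test data; DN normalization is simplified, only a single equality filter is supported inside memberURL, and the ROLEDN and LDAPURL bind types are not modelled.

```python
import re

# Constructed test directory (not real data), keyed by normalized DN.
# Attribute names are stored lowercased, as LDAP attribute types are case-insensitive.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "manager": ["uid=bob,ou=people,dc=example,dc=com"],        # full DN: can match USERDN
        "owner": ["cn=HR Admins,ou=groups,dc=example,dc=com"],     # static group
        "favoritedrink": ["beer"],
    },
    "uid=carol,ou=people,dc=example,dc=com": {
        "manager": ["bob"],                                         # not a DN: never matches
        "owner": ["cn=Beer Drinkers,ou=groups,dc=example,dc=com"],  # dynamic group
        "favoritedrink": ["beer"],
    },
    "uid=bob,ou=people,dc=example,dc=com": {"favoritedrink": ["tea"]},
    "uid=dave,ou=people,dc=example,dc=com": {"favoritedrink": ["beer"]},
    "cn=hr admins,ou=groups,dc=example,dc=com": {
        "objectclass": ["groupOfUniqueNames"],
        "uniquemember": ["uid=dave,ou=people,dc=example,dc=com"],
    },
    "cn=beer drinkers,ou=groups,dc=example,dc=com": {
        "objectclass": ["groupOfURLs"],
        "memberurl": ["ldap:///ou=people,dc=example,dc=com??sub?(favoriteDrink=beer)"],
    },
}

# LDAP URL form used by dynamic groups: ldap:///base?attrs?scope?filter.
# Only a single equality filter is accepted (a simplification of this example).
MEMBER_URL = re.compile(r"ldap:///([^?]*)\?[^?]*\?(base|one|sub)?\?\((\w+)=([^)]*)\)")


def normalize_dn(dn):
    """Simplified DN normalization: case-fold and drop spaces around ',' and '='."""
    dn = re.sub(r"\s*=\s*", "=", dn.strip().lower())
    return ",".join(rdn.strip() for rdn in dn.split(","))


def lookup(dn):
    return DIRECTORY.get(normalize_dn(dn))


def under_base(dn, base, scope):
    """Is the (normalized) dn within base for the given LDAP search scope?"""
    if scope == "base":
        return dn == base
    if scope == "one":
        return "," in dn and dn.split(",", 1)[1] == base
    return dn == base or dn.endswith("," + base)


def has_value(entry, attr, value):
    return value.lower() in (v.lower() for v in entry.get(attr.lower(), []))


def is_member(bind_dn, group_dn):
    """True if bind_dn is a member of the static or dynamic group stored at group_dn."""
    group = lookup(group_dn)
    if group is None:
        return False
    bind_norm = normalize_dn(bind_dn)
    for attr in ("member", "uniquemember"):                      # static groups
        if any(normalize_dn(v) == bind_norm for v in group.get(attr, [])):
            return True
    bind_entry = lookup(bind_dn)
    for url in group.get("memberurl", []):                       # dynamic groups
        m = MEMBER_URL.fullmatch(url)
        if m is None or bind_entry is None:
            continue
        base, scope, fattr, fval = m.groups()
        if under_base(bind_norm, normalize_dn(base), scope or "sub") \
                and has_value(bind_entry, fattr, fval):
            return True
    return False


def userattr_matches(bind_dn, target_dn, rule):
    """Evaluate userattr = "attrName#bindType" or "attrName#attrValue" for one bind DN
    against one targeted entry. Returns True when the bind rule is satisfied."""
    attr, spec = rule.split("#", 1)
    target = lookup(target_dn)
    if target is None:
        return False
    values = target.get(attr.lower(), [])
    if spec == "USERDN":
        # The stored value must be a full DN equal to the bind DN; "bob" never matches.
        bind_norm = normalize_dn(bind_dn)
        return any("=" in v and normalize_dn(v) == bind_norm for v in values)
    if spec == "GROUPDN":
        return any("=" in v and is_member(bind_dn, v) for v in values)
    if spec in ("ROLEDN", "LDAPURL"):
        raise NotImplementedError("ROLEDN and LDAPURL are not modelled in this example")
    # attrName#attrValue: both the bind entry and the targeted entry must hold the value.
    bind_entry = lookup(bind_dn)
    return (bind_entry is not None and has_value(bind_entry, attr, spec)
            and has_value(target, attr, spec))


if __name__ == "__main__":
    people = "ou=people,dc=example,dc=com"
    for bind, target, rule in [
        ("uid=bob," + people, "uid=alice," + people, "manager#USERDN"),
        ("uid=bob," + people, "uid=carol," + people, "manager#USERDN"),
        ("uid=dave," + people, "uid=alice," + people, "owner#GROUPDN"),
        ("uid=dave," + people, "uid=carol," + people, "owner#GROUPDN"),
        ("uid=bob," + people, "uid=alice," + people, "favoriteDrink#beer"),
    ]:
        print(f"{bind:36} {target:36} {rule:20} {userattr_matches(bind, target, rule)}")
```

The carol entry shows the caveat from 6.4.5.1.1 in action: its manager attribute holds the bare value bob, so the USERDN rule never grants bob access to it, whereas alice's entry holds bob's full DN and does. The dynamic-group check is also the part that makes GROUPDN evaluation expensive on a real server, since each targeted entry can require a group lookup and a filter evaluation.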