HP-UX Directory Server 8.1 administrator guide

When you use the userattr keyword in association with the parent keyword, the syntax is
as follows:
userattr = "parent[inheritance_level].attrName#bindType"
If you use an attribute type that requires a value other than a user DN, group DN, role DN, or an
LDAP filter, the syntax is as follows:
userattr = "parent[inheritance_level].attrName#attrValue"
inheritance_level is a comma-separated list that indicates how many levels below the
target inherit the ACI. You can specify up to five levels (0, 1, 2, 3, 4), where
zero (0) indicates the targeted entry itself.
attrName is the attribute targeted by the userattr or groupattr keyword.
bindType can be one of USERDN, GROUPDN, or LDAPURL.
For example:
userattr = "parent[0,1].manager#USERDN"
This bind rule is evaluated to be true if the bind DN matches the manager attribute of the targeted
entry. The permissions granted when the bind rule is evaluated to be true apply to the target
entry and to all entries immediately below it.
The example in Figure 6-1 “Using inheritance with the userattr keyword” indicates that user
bjensen is allowed to read and search the cn=Profiles entry as well as the first level of child
entries, which includes cn=mail and cn=news, thus allowing her to search through her own
mail and news IDs.
Figure 6-1 Using inheritance with the userattr keyword
In this example, if you did not use inheritance, you would have to do one of the following to
achieve the same result:
• Explicitly set read and search access for user bjensen on the cn=Profiles, cn=mail,
  and cn=news entries in the directory.
• Add the owner attribute with a value of bjensen to the cn=mail and cn=news entries,
  then add the following ACI to the cn=mail and cn=news entries:
  aci: (targetattr="*") (version 3.0; acl "profiles access"; allow (read,search)
  userattr="owner#USERDN";)
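The following is an added worked example, not code from the HP-UX Directory Server product or this guide: a small Python evaluator for a userattr bind rule of the parent[inheritance_level] form, run against a constructed in-memory directory modelled on Figure 6-1 (an ACI on cn=Profiles, owned by bjensen). It parses the rule, walks up from the accessed entry by each listed inheritance level, and checks the named attribute on that ancestor, so you can see why bjensen gets access to cn=Profiles and its first-level children but not to entries two levels down. DN handling is deliberately simplified (no escaped commas, case-insensitive RDNs), and GROUPDN/LDAPURL bind types are not implemented; restricting the walk-up to entries inside the ACI's own subtree is a conservative choice made for this example, not a documented server behaviour.

```python
"""Evaluate a userattr bind rule that uses the parent keyword (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample directory (DN -> attributes), modelled on Figure 6-1.
# Keys are pre-normalized (lower-case, no spaces after commas).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=bjensen,ou=people,dc=example,dc=com": {"favoritedrink": ["beer"]},
    "uid=jdoe,ou=people,dc=example,dc=com": {},
    "cn=profiles,dc=example,dc=com": {
        "owner": ["uid=bjensen,ou=People,dc=example,dc=com"],
        "favoritedrink": ["beer"],
    },
    "cn=mail,cn=profiles,dc=example,dc=com": {},
    "cn=news,cn=profiles,dc=example,dc=com": {},
    "cn=inbox,cn=mail,cn=profiles,dc=example,dc=com": {},
}

# parent[levels].attrName#bindType   (bindType may also be a literal attrValue)
RULE_RE = re.compile(r"^parent\[([0-9,\s]+)\]\.([A-Za-z][\w-]*)#(.+)$")


def normalize_dn(dn: str) -> str:
    """Simplified DN normalization: assumes no escaped commas in RDN values."""
    return ",".join(p.strip().lower() for p in dn.split(","))


def parse_userattr(rule: str) -> Tuple[List[int], str, str]:
    """Parse 'parent[0,1].owner#USERDN' into ([0, 1], 'owner', 'USERDN')."""
    m = RULE_RE.match(rule.strip().strip('"'))
    if not m:
        raise ValueError(f"unsupported userattr rule: {rule!r}")
    levels = sorted({int(x) for x in m.group(1).split(",") if x.strip()})
    if any(n > 4 for n in levels):
        raise ValueError("inheritance_level values must be in the range 0..4")
    return levels, m.group(2).lower(), m.group(3).strip()


def ancestor(dn: str, levels_up: int) -> Optional[str]:
    """Return the DN levels_up RDNs above dn (level 0 is dn itself)."""
    rdns = dn.split(",")
    return ",".join(rdns[levels_up:]) if levels_up < len(rdns) else None


def in_scope(entry_dn: str, aci_dn: str) -> bool:
    """True if entry_dn is the entry carrying the ACI or lies in its subtree."""
    return entry_dn == aci_dn or entry_dn.endswith("," + aci_dn)


def bind_rule_matches(rule: str, aci_dn: str, accessed_dn: str, bind_dn: str,
                      directory: Dict[str, Dict[str, List[str]]] = DIRECTORY) -> bool:
    """Evaluate the bind rule for a bind DN accessing accessed_dn under an ACI on aci_dn."""
    levels, attr, bind_type = parse_userattr(rule)
    aci_dn, accessed_dn, bind_dn = (normalize_dn(d) for d in (aci_dn, accessed_dn, bind_dn))
    if not in_scope(accessed_dn, aci_dn):
        return False  # the ACI does not apply to this entry at all
    for n in levels:
        checked_dn = ancestor(accessed_dn, n)
        if checked_dn is None or not in_scope(checked_dn, aci_dn):
            continue  # example's choice: never look above the ACI's own entry
        values = directory.get(checked_dn, {}).get(attr, [])
        if bind_type.upper() == "USERDN":
            if any(normalize_dn(v) == bind_dn for v in values):
                return True
        elif bind_type.upper() in ("GROUPDN", "LDAPURL"):
            raise NotImplementedError(f"{bind_type} is not handled in this example")
        else:
            # attrValue form: both the checked entry and the bound user's own entry
            # must carry attr=attrValue.
            bound_values = directory.get(bind_dn, {}).get(attr, [])
            if bind_type in values and bind_type in bound_values:
                return True
    return False


if __name__ == "__main__":
    aci = "cn=Profiles,dc=example,dc=com"
    user = "uid=bjensen,ou=People,dc=example,dc=com"
    for target in (aci, "cn=mail," + aci, "cn=inbox,cn=mail," + aci):
        ok = bind_rule_matches('"parent[0,1].owner#USERDN"', aci, target, user)
        print(f"{target}: {'allowed' if ok else 'denied'}")
```

Running the block prints "allowed" for cn=Profiles and cn=mail,cn=Profiles and "denied" for cn=inbox,cn=mail,cn=Profiles, which is exactly the reach of inheritance_level 0,1 described for Figure 6-1.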
6.4.5.1.7 Granting add permission using the userattr keyword
Using the userattr keyword in conjunction with all or add permissions does not behave as
one would typically expect. Typically, when a new entry is created in the directory, Directory
Server evaluates access rights on the entry being created and not on the parent entry. However,
in the case of ACIs using the userattr keyword, this behavior could create a security hole, and
the server's normal behavior is modified to avoid it.
Consider the following example:
aci: (target="ldap:///dc=example,dc=com")(targetattr=*) (version 3.0;
acl "manager-write"; allow (all) userattr = "manager#USERDN";)
6.4 Bind rules 251