HP-UX Directory Server 8.1 administrator guide

Table 6-8 Returned result codes (continued)
Code    Description
52      Unavailable.
53      Unwilling to perform.
80      Other.
6.8 Logging access control information
To obtain information on access control in the errors log, you must set the appropriate log level.
To set the errors log level from the Console:
1. In the Console, click the Directory tab, right-click the config node, and choose Properties
from the pop-up menu.
This displays the Property Editor for the cn=config entry.
2. Scroll down the list of attribute value pairs to locate the nsslapd-errorlog-level attribute.
3. Add 128 to the value already displayed in the nsslapd-errorlog-level value field.
For example, if the value already displayed is 8192 (replication debugging), change the
value to 8320. For complete information on errors log levels, see the HP-UX Directory Server
configuration, command, and file reference.
4. Click OK to dismiss the Property Editor.
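The same change can be prepared as an LDIF file. The following is an added example, not taken from the guide: it sets the 128 bit with a bitwise OR, so that applying it to a value that already includes 128 (such as 8320) does not add 128 a second time. The function names are hypothetical, and the current level is assumed to have been read from the nsslapd-errorlog-level attribute of cn=config beforehand.

```shell
#!/bin/sh
# Added example (not from the guide): build the LDIF that enables
# access control logging in the errors log while keeping any other
# log-level values already set on cn=config.

ACL_LOG_BIT=128   # value the guide says to add for access control information

# new_errorlog_level CURRENT
# Prints CURRENT with the 128 bit set. Bitwise OR keeps the result
# unchanged when 128 is already included (8320 stays 8320).
new_errorlog_level() {
    current=$1
    case $current in
        ''|*[!0-9]*|0[0-9]*)
            # reject empty, non-numeric, and leading-zero (octal-looking) input
            echo "error: level must be a plain non-negative integer" >&2
            return 1 ;;
    esac
    echo $(( current | ACL_LOG_BIT ))
}

# acl_logging_enabled CURRENT
# Returns 0 if CURRENT already includes 128, 1 if not, 2 on bad input.
acl_logging_enabled() {
    case $1 in ''|*[!0-9]*|0[0-9]*) return 2 ;; esac
    [ $(( $1 & ACL_LOG_BIT )) -ne 0 ]
}

# errorlog_level_ldif CURRENT
# Prints an LDIF change record for the cn=config entry. Save the output
# to a file and apply it with ldapmodify as an administrative user.
errorlog_level_ldif() {
    level=$(new_errorlog_level "$1") || return 1
    printf '%s\n' \
        'dn: cn=config' \
        'changetype: modify' \
        'replace: nsslapd-errorlog-level' \
        "nsslapd-errorlog-level: $level"
}
```

To turn access control logging off again, clear the same bit rather than subtracting 128 blindly, and check the result with acl_logging_enabled.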
6.9 Access control usage examples
The examples provided in this section illustrate how an imaginary ISP company, example.com,
would implement its access control policy. All the examples explain how to perform a given task
from the Console and using an LDIF file.
The business of example.com is to offer a web hosting service and Internet access. Part of
example.com's web hosting service is to host the directories of client companies. example.com
actually hosts and partially manages the directories of two medium-sized companies,
HostedCompany1 and HostedCompany2. It also provides Internet access to a number of
individual subscribers.
These are the access control rules that example.com wants to put in place:
• Grant anonymous access for read, search, and compare to the entire example.com tree for
  example.com employees (“Granting anonymous access”).
• Grant write access to example.com employees for personal information, such as homePhone
  and homePostalAddress (“Granting write access to personal entries”).
• Grant example.com employees the right to add any role to their entry, except certain critical
  roles (“Restricting access to key roles”).
• Grant the example.com Human Resources group all rights on the entries in the People
  branch (“Granting a group full access to a suffix”).
• Grant all example.com employees the right to create group entries under the Social
  Committee branch of the directory and to delete group entries that they own (“Granting
  rights to add and delete group entries”).
• Grant all example.com employees the right to add themselves to group entries under the
  Social Committee branch of the directory (“Allowing users to add or remove themselves
  from a group”).
• Grant access to the directory administrator (role) of HostedCompany1 and
  HostedCompany2 on their respective branches of the directory tree, with certain conditions
  such as SSL authentication, time and date restrictions, and specified location (“Granting
  conditional access to a group or role”).