HP-UX Directory Server 8.1 administrator guide
NOTE:
Directory Server supports both IPv4 and IPv6 IP addresses.
7. In the Times tab, select the block time corresponding to Monday through Thursday and 8
a.m. to 6 p.m.
A message appears below the table that specifies the selected time block.
8. To require that HostedCompany1 administrators authenticate over SSL, switch to manual
editing by clicking the Edit Manually button. Add the following to the end of the LDIF
statement:
and (authmethod="ssl")
The LDIF statement should be similar to the following:
aci: (targetattr = "*") (target="ou=HostedCompany1,ou=corporate-clients,dc=example,dc=com")
(version 3.0; acl "HostedCompany1"; allow (all) (roledn=
"ldap:///cn=DirectoryAdmin,ou=HostedCompany1,ou=corporate-clients,dc=example,dc=com")
and (dayofweek="Mon,Tues,Wed,Thu") and (timeofday >= "0800" and timeofday <= "1800")
and (ip="255.255.123.234") and (authmethod="ssl"); )
9. Click OK.
The new ACI is added to the ones listed in the Access Control Manager window.
6.9.7 Denying access
If your directory holds business-critical information, it may be necessary to explicitly deny
access to it. A deny ACI takes precedence over any allow ACI that matches the same request,
so it is the way to carve an exception out of a broader grant.
For example, example.com wants all subscribers to be able to read billing information such as
connection time or account balance under their own entries but explicitly wants to deny write
access to that information. This is illustrated in “ACI "Billing Info Read"” and “ACI "Billing Info
Deny"”, respectively.
6.9.7.1 ACI "Billing Info Read"
In LDIF, to grant subscribers permission to read billing information in their own entry, write the
following statement:
aci: (targetattr="connectionTime || accountBalance")
(version 3.0; acl "Billing Info Read"; allow (search,read) userdn="ldap:///self";)
This example assumes that the relevant attributes have been created in the schema and that the
ACI is added to the ou=subscribers,dc=example,dc=com entry.
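The following is an added example, not code from the HP-UX Directory Server guide or from the server itself. It models how the "HostedCompany1" ACI from step 8 above and the "Billing Info Read" ACI evaluate, so each bind-rule clause (role, day of week, time of day, IP address, authentication method, self) can be checked against a connection before the ACI is pushed to a live server. It follows the documented ACI semantics (an ACI applies only when target, targetattr, right and bind rule all match; a matching deny beats any matching allow; no match at all means deny) but is a simplified model: roles are taken as a plain set on the bind context, and the bind DNs, entry DNs and the "hypothetical deny" ACI are constructed for the demonstration.

```python
from dataclasses import dataclass, replace
from typing import Callable, FrozenSet

# In Directory Server, "all" expands to every right except proxy.
ALL_RIGHTS = frozenset({"read", "write", "search", "compare",
                        "selfwrite", "add", "delete"})
ADMIN_ROLE = "cn=DirectoryAdmin,ou=HostedCompany1,ou=corporate-clients,dc=example,dc=com"


def _norm(dn: str) -> str:
    """Lower-case a DN and drop spaces after commas so DNs compare reliably."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def in_subtree(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn is base_dn itself or lies below it."""
    e, b = _norm(entry_dn), _norm(base_dn)
    return e == b or e.endswith("," + b)


@dataclass(frozen=True)
class BindContext:
    """What the server knows about a connection when it evaluates bind rules."""
    bind_dn: str                            # "" for an anonymous bind
    roles: FrozenSet[str] = frozenset()     # role DNs held by the bind entry (simplified)
    authmethod: str = "simple"              # "none", "simple", "ssl" or "sasl"
    ip: str = "127.0.0.1"
    dayofweek: str = "Mon"                  # DS spelling: Sun,Mon,Tues,Wed,Thu,Fri,Sat
    timeofday: int = 1200                   # HHMM, as the ACI compares it


@dataclass(frozen=True)
class Aci:
    name: str
    target: str                             # subtree the ACI applies to
    targetattr: FrozenSet[str]              # attribute names, or {"*"}
    effect: str                             # "allow" or "deny"
    rights: FrozenSet[str]
    bind_rule: Callable[[BindContext, str], bool]


def _is_self(ctx: BindContext, entry_dn: str) -> bool:
    """userdn="ldap:///self": bound (not anonymous) as the entry being accessed."""
    return ctx.bind_dn != "" and _norm(ctx.bind_dn) == _norm(entry_dn)


# aci "HostedCompany1" from step 8: all rights for the DirectoryAdmin role,
# only Mon-Thu 08:00-18:00, from one IP address, over SSL.
HOSTED_COMPANY1 = Aci(
    name="HostedCompany1",
    target="ou=HostedCompany1,ou=corporate-clients,dc=example,dc=com",
    targetattr=frozenset({"*"}), effect="allow", rights=ALL_RIGHTS,
    bind_rule=lambda ctx, entry: (
        ADMIN_ROLE in ctx.roles
        and ctx.dayofweek in {"Mon", "Tues", "Wed", "Thu"}
        and 800 <= ctx.timeofday <= 1800
        and ctx.ip == "255.255.123.234"
        and ctx.authmethod == "ssl"),
)

# aci "Billing Info Read": subscribers may search/read two attributes of their own entry.
BILLING_INFO_READ = Aci(
    name="Billing Info Read", target="ou=subscribers,dc=example,dc=com",
    targetattr=frozenset({"connectionTime", "accountBalance"}),
    effect="allow", rights=frozenset({"search", "read"}), bind_rule=_is_self,
)

# Hypothetical deny ACI, constructed here (it is not the guide's "Billing Info Deny"):
# used only to show that a matching deny wins over a matching allow.
HYPOTHETICAL_DENY_SELF_WRITE = Aci(
    name="hypothetical deny", target="ou=subscribers,dc=example,dc=com",
    targetattr=frozenset({"connectionTime", "accountBalance"}),
    effect="deny", rights=frozenset({"write"}), bind_rule=_is_self,
)


def check_access(acis, ctx: BindContext, entry_dn: str, attr: str, right: str) -> bool:
    """Grant `right` on `attr` of `entry_dn` only if some applicable allow ACI
    matches and no applicable deny ACI does; with no match at all, deny."""
    allowed = False
    for aci in acis:
        if not in_subtree(entry_dn, aci.target):
            continue
        if "*" not in aci.targetattr and attr not in aci.targetattr:
            continue
        if right not in aci.rights or not aci.bind_rule(ctx, entry_dn):
            continue
        if aci.effect == "deny":
            return False                    # deny takes precedence over any allow
        allowed = True
    return allowed


def demo() -> dict:
    """Exercise each bind-rule clause; every DN below is constructed for the demo."""
    acis = [HOSTED_COMPANY1, BILLING_INFO_READ]
    hc1 = "ou=HostedCompany1,ou=corporate-clients,dc=example,dc=com"
    target = "uid=user1," + hc1
    admin = BindContext("uid=admin1," + hc1, roles=frozenset({ADMIN_ROLE}),
                        authmethod="ssl", ip="255.255.123.234",
                        dayofweek="Tues", timeofday=900)
    sub1 = "uid=sub1,ou=subscribers,dc=example,dc=com"
    sub2 = "uid=sub2,ou=subscribers,dc=example,dc=com"
    me = BindContext(sub1, authmethod="ssl")
    return {
        "admin_in_window_ssl": check_access(acis, admin, target, "mail", "write"),
        "admin_simple_bind": check_access(acis, replace(admin, authmethod="simple"), target, "mail", "write"),
        "admin_friday": check_access(acis, replace(admin, dayofweek="Fri"), target, "mail", "write"),
        "admin_after_hours": check_access(acis, replace(admin, timeofday=1830), target, "mail", "write"),
        "admin_other_ip": check_access(acis, replace(admin, ip="10.0.0.5"), target, "mail", "write"),
        "admin_outside_target": check_access(acis, admin, sub1, "mail", "write"),
        "self_read_balance": check_access(acis, me, sub1, "accountBalance", "read"),
        "self_write_balance": check_access(acis, me, sub1, "accountBalance", "write"),
        "other_read_balance": check_access(acis, me, sub2, "accountBalance", "read"),
        "deny_beats_allow": check_access(
            acis + [replace(BILLING_INFO_READ, rights=ALL_RIGHTS), HYPOTHETICAL_DENY_SELF_WRITE],
            me, sub1, "accountBalance", "write"),
    }
```

Running demo() shows the two properties that matter when reviewing these ACIs: every clause joined with and must hold at once, so a DirectoryAdmin bound with a simple (non-SSL) bind, on a Friday, after 18:00, or from any other address gets nothing, and a subscriber can read but never write the billing attributes because no ACI grants write and the default is deny. The last entry shows that once an explicit deny matches, it wins even when an allow for the same request is listed before it.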
From the Console, set this permission by doing the following:
1. In the Directory tab, right-click the Subscribers entry under the example.com node in
the left navigation tree, and choose Set Access Permissions from the pop-up menu to
display the Access Control Manager.
2. Click New to display the Access Control Editor.
3. In the Users/Groups tab, in the ACI name field, type Billing Info Read. In the list of
users granted access permission, do the following:
a. Select and remove All Users, then click Add.
The Add Users and Groups dialog box opens.
b. Set the Search area in the Add Users and Groups dialog box to Special Rights,
and select Self from the search results list.
c. Click the Add button to list Self in the list of users who are granted access permission.
d. Click OK to dismiss the Add Users and Groups dialog box.