HP-UX Directory Server 8.1 administrator guide

The client or application (MoneyWizAcctSoftware) binds as itself but is granted the privileges
of the proxy entry (AcctAdministrator). The client does not need the password of the proxy
entry.
NOTE:
There are some restrictions on binding with proxy authorization. You cannot use the Directory
Manager's DN (root DN) as a proxy DN. Additionally, if Directory Server receives more than
one proxied authentication control, an error is returned to the client application, and the bind
attempt is unsuccessful.
6.10 Advanced access control: Using macro ACIs
In organizations that use repeating directory tree structures, it is possible to optimize the number
of ACIs used in the directory by using macros. Reducing the number of ACIs in your directory
tree makes it easier to manage your access control policy and improves the efficiency of ACI
memory usage.
Macros are placeholders that are used to represent a DN, or a portion of a DN, in an ACI. You
can use a macro to represent a DN in the target portion of the ACI or in the bind rule portion,
or both. In practice, when Directory Server gets an incoming LDAP operation, the ACI macros
are matched against the resource targeted by the LDAP operation. If there is a match, the macro
is replaced by the value of the DN of the targeted resource. Directory Server then evaluates the
ACI normally.
6.10.1 Macro ACI example
Figure 6-3 “Example directory tree for macro ACIs” shows a directory tree that uses macro ACIs
to reduce the overall number of ACIs. This illustration uses a repeating pattern of
subdomains with the same tree structure (ou=groups, ou=people). This pattern is also repeated
across the tree because the example.com directory tree stores the suffixes dc=hostedCompany2,
dc=example,dc=com and dc=hostedCompany3,dc=example,dc=com.
The ACIs that apply in the directory tree also have a repeating pattern. For example, the following
ACI is located on the dc=hostedCompany1,dc=example,dc=com node:
aci: (targetattr="*")(targetfilter=(objectClass=nsManagedDomain))
(version 3.0; acl "Domain access"; allow (read,search)
groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=hostedCompany1,dc=example,dc=com";)
This ACI grants read and search rights to the DomainAdmins group to any entry in the
dc=hostedCompany1,dc=example,dc=com tree.
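The following Python script is an added illustration of the macro mechanism described above (match the macro against the targeted entry, substitute the matched DN fragment, then evaluate the ACI normally); it is not code from the HP-UX Directory Server guide or from the server itself. It assumes ($dn) as the macro placeholder syntax (the page only calls macros "placeholders"), uses constructed group membership data, and leaves out the targetfilter clause of the "Domain access" ACI so that the focus stays on the substitution step. One macro ACI stands in for the per-subdomain copies of the ACI shown above.

```python
import re

# Assumed macro placeholder syntax; the page itself only describes macros as "placeholders".
MACRO = "($dn)"

# Constructed macro ACI mirroring the text's "Domain access" ACI, with the
# dc=hostedCompanyN component replaced by the macro (targetfilter omitted for brevity).
MACRO_ACI = (
    '(target="ldap:///($dn),dc=example,dc=com")(targetattr="*")'
    '(version 3.0; acl "Domain access"; allow (read,search) '
    'groupdn="ldap:///cn=DomainAdmins,ou=Groups,($dn),dc=example,dc=com";)'
)

# Constructed group membership: group DN -> set of member DNs.
GROUPS = {
    "cn=DomainAdmins,ou=Groups,dc=hostedCompany1,dc=example,dc=com": {
        "uid=admin1,ou=People,dc=hostedCompany1,dc=example,dc=com"},
    "cn=DomainAdmins,ou=Groups,dc=hostedCompany2,dc=example,dc=com": {
        "uid=admin2,ou=People,dc=hostedCompany2,dc=example,dc=com"},
}


def parse_aci(aci):
    """Pull the target DN pattern, granted rights and groupdn out of the simplified ACI."""
    target = re.search(r'\(target="ldap:///([^"]+)"\)', aci).group(1)
    rights = set(re.search(r"allow \(([^)]+)\)", aci).group(1).replace(" ", "").split(","))
    groupdn = re.search(r'groupdn="ldap:///([^"]+)"', aci).group(1)
    return target, rights, groupdn


def resolve_macro(target, entry_dn):
    """Match the macro target against the targeted entry and return the DN fragment
    the macro stands for, or None when the entry lies outside the target subtree."""
    prefix, found, suffix = target.partition(MACRO)
    if not found:
        raise ValueError("target contains no macro")
    # Entries deeper in the tree still match; '(?:.*,)?' is greedy, so the macro
    # captures the single RDN sitting immediately above the fixed suffix
    # (a simplification: this demo lets the macro stand for one RDN only).
    pattern = re.compile(
        r"^(?:.*,)?" + re.escape(prefix) + r"(?P<dn>[^,]+)" + re.escape(suffix) + r"$",
        re.IGNORECASE,
    )
    m = pattern.match(entry_dn)
    return m.group("dn") if m else None


def is_allowed(bind_dn, entry_dn, right, aci=MACRO_ACI, groups=GROUPS):
    """Evaluate the macro ACI the way the text describes: resolve the macro against
    the targeted entry, substitute its value into the bind rule, then evaluate normally."""
    target, rights, groupdn_template = parse_aci(aci)
    fragment = resolve_macro(target, entry_dn)
    if fragment is None or right not in rights:
        return False  # the ACI does not apply to this entry or this right
    groupdn = groupdn_template.replace(MACRO, fragment)
    return bind_dn in groups.get(groupdn, set())


if __name__ == "__main__":
    admin1 = "uid=admin1,ou=People,dc=hostedCompany1,dc=example,dc=com"
    for entry in ("ou=People,dc=hostedCompany1,dc=example,dc=com",
                  "dc=hostedCompany2,dc=example,dc=com"):
        print(entry, "read by admin1 ->", is_allowed(admin1, entry, "read"))
```

Because the group DN is rebuilt from the targeted entry on every evaluation, a DomainAdmins member of hostedCompany1 gains nothing on hostedCompany2 even though a single ACI covers both subtrees; that isolation is worth verifying with exactly this kind of cross-subtree check after a macro ACI is deployed.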