HP-UX Directory Server 8.1 deployment guide

8.7 Designing access control
After deciding on the authentication schemes to use to establish the identity of directory clients,
decide how to use those schemes to protect the information contained in the directory. Access
control can specify that certain clients have access to particular information, while other clients
do not.
Access control is defined using one or more access control lists (ACLs). The directory's ACLs
consist of a series of one or more access control information (ACI) statements that either allow
or deny permissions (such as read, write, search, and compare) to specified entries and their
attributes.
Using the ACL, permissions can be set at any level of the directory tree:
- The entire directory.
- A particular subtree of the directory.
- Specific entries in the directory.
- A specific set of entry attributes.
- Any entry that matches a given LDAP search filter.
In addition, permissions can be set for a specific user, for all users belonging to a specific group,
or for all users of the directory. Lastly, access can be defined for a network location such as an
IP address or a DNS name.
8.7.1 About the ACI format
When designing the security policy, it is helpful to understand how ACIs are represented in the
directory. It is also helpful to understand what permissions can be set in the directory. This
section gives a brief overview of the ACI mechanism. For a complete description of the ACI
format, refer to the HP-UX Directory Server administrator guide.
Directory ACIs use the following general form:
target permission bind_rule
The ACI variables are defined below:
target
Specifies the entry (usually a subtree) that the ACI targets, the attribute it targets, or both.
The target identifies the directory element that the ACI applies to. An ACI can target only
one entry, but it can target multiple attributes. In addition, the target can contain an LDAP
search filter. Permissions can be set for widely scattered entries that contain common attribute
values.
permission
Identifies the actual permission being set by this ACI. The permission variable states that
the ACI is allowing or denying a specific type of directory access, such as read or search, to
the specified target.
bind_rule
Identifies the bind DN or network location to which the permission applies. The bind rule
may also specify an LDAP filter, and if that filter is evaluated to be true for the binding client
application, then the ACI applies to the client application.
ACIs can therefore be expressed as follows: "For the directory object target, allow or deny
permission if bind_rule is true."
permission and bind_rule are set as a pair, and there can be multiple permission-bind_rule pairs
for every target, so several access controls can effectively be set for any given target. For example:
target (permission bind_rule)(permission bind_rule)...
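As an added example (not code from this guide or from the product), the following Python script takes ACIs written in the full ACI syntax that the guide defers to the administrator guide, splits each into the target, permission and bind_rule parts described above, and evaluates requests against them. It models only a subset: target and targetattr clauses, and userdn, groupdn and ip bind rules. The DNs, the Helpdesk group and the 10.1.* network are constructed for the example, and the evaluation order it uses (any matching deny wins, otherwise an allow is required, otherwise access is denied) is an assumption of the example rather than a statement made on this page.

```python
"""Added example (not the server's code): a toy parser and evaluator for
Directory Server ACIs, modelling the "target permission bind_rule" structure
described above with a small subset of the real ACI syntax."""
import re
from collections import namedtuple

# Constructed sample ACIs. DNs, the Helpdesk group and the 10.1.* network are made up.
SAMPLE_ACIS = [
    # Anyone may read/search/compare entries under ou=People, except userPassword.
    '(targetattr != "userPassword")(target = "ldap:///ou=People,dc=example,dc=com")'
    '(version 3.0; acl "Anonymous read"; allow (read, search, compare) userdn = "ldap:///anyone";)',
    # A user may write only their own userPassword.
    '(targetattr = "userPassword")(target = "ldap:///ou=People,dc=example,dc=com")'
    '(version 3.0; acl "Self password write"; allow (write) userdn = "ldap:///self";)',
    # One target, two permission/bind_rule pairs: the helpdesk group may write,
    # but writes from outside the office network are denied.
    '(target = "ldap:///ou=People,dc=example,dc=com")'
    '(version 3.0; acl "Helpdesk"; '
    'allow (write) groupdn = "ldap:///cn=Helpdesk,ou=Groups,dc=example,dc=com"; '
    'deny (write) ip != "10.1.*";)',
]

_TARGET_RE = re.compile(r'\(\s*(targetattr|target)\s*(!?=)\s*"([^"]*)"\s*\)')
_BODY_RE = re.compile(r'\(\s*version 3\.0\s*;\s*acl\s+"([^"]*)"\s*;(.*)\)\s*$', re.S)
_RULE_RE = re.compile(r'\s*(allow|deny)\s*\(([^)]*)\)\s*(userdn|groupdn|ip)\s*(!?=)\s*"([^"]*)"\s*')

Rule = namedtuple("Rule", "effect perms keyword negate value")     # one permission/bind_rule pair
Aci = namedtuple("Aci", "name target targetattr attr_negate rules")  # target None: whole directory
# bind_dn "" means an anonymous bind; groups = DNs of groups the bound user belongs to.
Request = namedtuple("Request", "bind_dn client_ip entry_dn attr perm groups", defaults=[frozenset()])

def parse_aci(text):
    """Split an ACI into its target clauses and its permission/bind_rule pairs."""
    pos, target, targetattr, attr_negate = 0, None, None, False
    while (m := _TARGET_RE.match(text, pos)):
        kw, op, val = m.groups()
        if kw == "target":
            target = val
        else:
            targetattr, attr_negate = val, op == "!="
        pos = m.end()
    body = _BODY_RE.match(text, pos)
    if not body:
        raise ValueError("malformed or unsupported ACI: " + text)
    name, rules_text = body.groups()
    rules = []
    for chunk in filter(str.strip, rules_text.split(";")):
        r = _RULE_RE.fullmatch(chunk)
        if not r:
            raise ValueError("unsupported rule: " + chunk)
        effect, perms, kw, op, val = r.groups()
        rules.append(Rule(effect, frozenset(p.strip().lower() for p in perms.split(",")), kw, op == "!=", val))
    return Aci(name, target, targetattr, attr_negate, rules)

def _norm(dn):
    """Strip the ldap:/// prefix and normalise a DN for comparison."""
    dn = dn[len("ldap:///"):] if dn.startswith("ldap:///") else dn
    return dn.lower().replace(", ", ",")

def _targets(aci, req):
    """Does the ACI's target clause cover this entry and attribute?"""
    if aci.target is not None:
        entry, base = _norm(req.entry_dn), _norm(aci.target)
        if entry != base and not entry.endswith("," + base):
            return False
    if aci.targetattr is not None:
        listed = req.attr.lower() in {a.strip().lower() for a in aci.targetattr.split("||")}
        if listed == aci.attr_negate:  # targetattr != "x" covers every attribute but x
            return False
    return True

def _bind_rule_matches(rule, req):
    """Is the bind rule true for this client? A "!=" rule inverts the answer."""
    if rule.keyword == "userdn":
        who = _norm(rule.value)
        hit = who == "anyone" or (req.bind_dn != "" and (who == "all" or
              _norm(req.bind_dn) == (_norm(req.entry_dn) if who == "self" else who)))
    elif rule.keyword == "groupdn":
        hit = _norm(rule.value) in {_norm(g) for g in req.groups}
    else:  # ip, with "*" wildcards as in "10.1.*"
        hit = re.fullmatch(re.escape(rule.value).replace(r"\*", ".*"), req.client_ip) is not None
    return hit != rule.negate

def decide(acis, req):
    """Evaluate every ACI whose target covers the request. Assumed model (not
    stated on the page): any matching deny wins, otherwise an allow is needed."""
    allowed, denied = [], []
    for aci in acis:
        for rule in aci.rules if _targets(aci, req) else []:
            if req.perm in rule.perms and _bind_rule_matches(rule, req):
                (denied if rule.effect == "deny" else allowed).append(aci.name)
    if denied:
        return "deny", denied
    return ("allow", allowed) if allowed else ("deny", [])

ACIS = [parse_aci(a) for a in SAMPLE_ACIS]
ALICE = "uid=alice,ou=People,dc=example,dc=com"
HELPDESK = frozenset({"cn=Helpdesk,ou=Groups,dc=example,dc=com"})

if __name__ == "__main__":  # anonymous read of cn under ou=People
    print(decide(ACIS, Request("", "203.0.113.5", ALICE, "cn", "read")))
```

Two things the script makes visible that the general form alone does not. First, the "Helpdesk" ACI is one target carrying two permission-bind_rule pairs, and a Helpdesk member writing from outside 10.1.* is denied even though the allow pair also matches, because under this model a matching deny is never outweighed by an allow. Second, that same deny pair also blocks a user's own password change from outside 10.1.*, since every ACI whose target covers the entry is evaluated: deny rules should therefore be written against the narrowest target and permission set that actually needs them.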