HP-UX Directory Server 8.1 deployment guide

ManualsBrandsHP ManualsSoftwareHP-UX Directory Server

111

112

113

114

115

116

117

118

119

120

A permission can be set to allow anyone binding as Babs Jensen to write to Babs Jensen's telephone

number. The bind rule in this permission is the part that states "if you bind as Babs Jensen." The

target is Babs Jensen's phone number, and the permission is write access.

8.7.1.1 Targets

Decide which entry is targeted by every ACI created in the directory. Targeting a directory branch

point entry includes that branch point and all its child entries in the scope of the permission. If

a target entry is not explicitly defined for the ACI, then the ACI is targeted to the directory entry

that contains the ACI statement. Further, the default set of attributes targeted by the ACI is any

attribute available in the targeted entry's object class structure.

For every ACI, only one entry or only those entries that match a single LDAP search filter can

be targeted.

In addition to targeting entries, it is possible to target attributes on the entry; this applies the

permission to only a subset of attribute values. Target sets of attributes by explicitly naming

those attributes that are targeted or by explicitly naming the attributes that are not targeted by

the ACI. Excluding attributes in the target sets a permission for all but a few attributes allowed

by an object class structure.

8.7.1.2 Permissions

Permissions can either allow or deny access. In general, avoid denying permissions (for the

reasons explained in “Allowing or denying access”). Permissions can be any operation performed

on the directory service:

DescriptionPermission

Indicates whether directory data may be read.Read

Indicates whether directory data may be changed or created. This permission also

allows directory data to be deleted but not the entry itself. To delete an entire entry,

the user must have delete permissions.

Write

Indicates whether the directory data can be searched. This differs from the read

permission in that read allows directory data to be viewed if it is returned as part of

a search operation.

For example, if searching for common names is allowed as well as read permission

for a person's room number, then the room number can be returned as part of the

common name search, but the room number itself cannot be used as the subject of a

search. Use this combination to prevent people from searching the directory to see

who sits in a particular room.

Indicates whether the data may be used in comparison operations. The compare

permission implies the ability to search, but actual directory information is not returned

as a result of the search. Instead, a simple Boolean value is returned which indicates

whether the compared values match. This is used to match userPassword attribute

values during directory authentication.

Compare

Used only for group management. This permission enables a user to add to or delete

themselves from a group.

Self-write

Indicates whether child entries can be created. This permission enables a user to create

child entries beneath the targeted entry.

Add

Indicates whether an entry can be deleted. This permission enables a user to delete

the targeted entry.

Delete

Indicates that the user can use any other DN, except Directory Manager, to access the

directory with the rights of this DN.

Proxy

118 Designing a secure directory