HP-UX Directory Server 8.1 deployment guide

objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: tmorris
cn: Ted Morris
userPassword: {SSHA}bz0uCmHZM5b357zwrCUCJs1IOHtMD6yqPyhxBA==
entryLevelRights: vadn
attributeLevelRights: givenName:rsc, sn:rsc, ou:rsc, l:rscow, manager:rsc, roomNumber:rscwo, mail:rscwo, facsimileTelephoneNumber:rscwo, objectClass:rsc, uid:rsc, cn:rsc, userPassword:wo
In this example, Ted Morris has the right to add, view, delete, or rename the DN on his own
entry, as shown by the results in entryLevelRights. He can read, search, compare, self-modify,
or self-delete the location (l) attribute, but has only self-write and self-delete rights to his
password, as shown in the attributeLevelRights result.
By default, effective rights information is not returned for attributes in an entry that do not have
a value or which do not exist in the entry. For example, if the userPassword value is removed,
then a future effective rights search on the above entry would not return any effective rights for
userPassword, even though self-write and self-delete rights could be allowed. Similarly, if the
street attribute were added with read, compare, and search rights, then street: rsc would
appear in the attributeLevelRights results.
It is possible to return rights for attributes which are not normally included in the search results,
such as non-existent attributes or operational attributes. Using an asterisk (*) returns the rights for
all possible attributes of an entry, including non-existent attributes.
ldapsearch -J 1.3.6.1.4.1.42.2.27.9.5.2:true:dn:uid=scarter,ou=people,dc=example,dc=com "(objectclass=*)" "*"
Using the plus sign (+) returns the operational attributes of the entry, which an asterisk (*)
ldapsearch does not return. For example:
ldapsearch -J 1.3.6.1.4.1.42.2.27.9.5.2:true:dn:uid=scarter,ou=people,dc=example,dc=com "(objectclass=*)" "+"
The asterisk (*) and the plus sign (+) can be used together to return every attribute for the entry.
Effective rights for existing attributes are also visible in the Directory Server Console. Open
the Advanced Properties editor for the user entry, then select the Show effective rights
checkbox. This displays the attribute-level rights (r, s, c, w, o) next to the attributes listed in the
main window and the entry-level rights (v, a, d, n) underneath the entry's DN at the bottom of
the window.
For more information about using get effective rights options with ldapsearch, see the
Administrator's Guide.
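As an added example (not part of the guide and not HP-UX Directory Server code), the following Python helper parses a get-effective-rights result such as the one shown above and spells out the entry-level and attribute-level letters. The LDIF sample is constructed from the tmorris entry with the password hash replaced by a placeholder, so it runs offline.

```python
import re

# Right letters from the get-effective-rights control: entry-level v/a/d/n, attribute-level r/s/c/w/o.
RIGHTS = {"v": "view", "a": "add", "d": "delete", "n": "rename DN",
          "r": "read", "s": "search", "c": "compare", "w": "self-write", "o": "self-delete"}

# Constructed sample: the tmorris result shown above, hash replaced by a placeholder.
# LDIF folds long values onto continuation lines that begin with a single space.
SAMPLE_LDIF = """\
userPassword: {SSHA}PLACEHOLDER
entryLevelRights: vadn
attributeLevelRights: givenName:rsc, sn:rsc, ou:rsc, l:rscow, manager:rsc,
  roomNumber:rscwo, mail:rscwo, facsimileTelephoneNumber:rscwo,
  objectClass:rsc, uid:rsc, cn:rsc, userPassword:wo
"""

def unfold_ldif(text):
    """Join folded LDIF lines and return (attribute, value) pairs in order."""
    pairs = []
    for line in text.splitlines():
        if line.startswith(" ") and pairs:           # continuation of the previous value
            attr, val = pairs[-1]
            pairs[-1] = (attr, val + line[1:])
        elif ":" in line:
            attr, _, val = line.partition(":")
            pairs.append((attr.strip(), val.strip()))
    return pairs

def parse_effective_rights(text):
    """Return (set of entry-level letters, {attribute: set of letters})."""
    entry, attrs = set(), {}
    for attr, val in unfold_ldif(text):
        if attr == "entryLevelRights":
            entry = set(val)
        elif attr == "attributeLevelRights":
            for item in re.split(r",\s*", val.strip()):
                name, _, letters = item.partition(":")
                attrs[name] = set(letters)
    return entry, attrs

def describe(letters):
    """Spell out right letters; an unexpected letter is reported, not silently dropped."""
    return sorted(RIGHTS.get(ch, "unknown:" + ch) for ch in letters)

def readable(attrs, name):
    """True if the bound user may read the attribute; absent attributes (no value) yield False."""
    return "r" in attrs.get(name, set())

if __name__ == "__main__":
    entry, attrs = parse_effective_rights(SAMPLE_LDIF)
    print("entry:", describe(entry))
    print("userPassword:", describe(attrs["userPassword"]), "readable:", readable(attrs, "userPassword"))
```

Running the helper against a real result confirms, for instance, that userPassword is write-only for the bound user and that an attribute without a value (such as street here) is simply absent rather than reported as denied.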
8.7.4 Using ACIs: Some hints and tricks
Keep these tips in mind when implementing the security policy. They can help to lower the
administrative burden of managing the directory security model and improve the directory's
performance characteristics.
Minimize the number of ACIs in the directory.
Although the Directory Server can evaluate over 50,000 ACIs, it is difficult to manage a large
number of ACI statements. A large number of ACIs makes it hard for human administrators
to determine at a glance which directory objects are available to particular clients.
Directory Server minimizes the number of ACIs in the directory by using macros. Macros
are placeholders that are used to represent a DN, or a portion of a DN, in an ACI. Use the
macro to represent a DN in the target portion of the ACI or in the bind rule portion, or both.
122 Designing a secure directory