HP-UX Directory Server 8.1 deployment guide
For more information on macro ACIs, refer to the "Managing Access Control" chapter in the
HP-UX Directory Server administrator guide.
• Balance allow and deny permissions.
Although the default rule is to deny access to any user who has not been specifically granted
access, it may be better to reduce the number of ACIs by using one ACI to allow access close
to the root of the tree, and a small number of deny ACIs close to the leaf entries. This scenario
can avoid the use of multiple allow ACIs close to the leaf entries.
• Identify the smallest set of attributes on any given ACI.
When allowing or denying access to a subset of attributes on an object, determine whether
the smallest list is the set of attributes that are allowed or the set of attributes that are denied.
Then express the ACI so that it only requires managing the smallest list.
For example, the person object class contains a large number of attributes. To allow a user
to update only one or two of these attributes, write the ACI so that it allows write access for
only those few attributes. However, to allow a user to update all but one or two attributes,
create the ACI so that it allows write access for everything but a few named attributes.
• Use LDAP search filters cautiously.
Search filters do not directly name the object for which you are managing access.
Consequently their use can produce unexpected results. This is especially true as the directory
becomes more complex. Before using search filters in ACIs, run an ldapsearch operation
using the same filter to make clear what the results of the changes mean to the directory.
• Do not duplicate ACIs in differing parts of the directory tree.
Guard against overlapping ACIs. For example, if there is an ACI at the directory root point
that allows a group write access to the commonName and givenName attributes, and another
ACI that allows the same group write access for only the commonName attribute, then consider
reworking the ACIs so that only one control grants the write access for the group.
As the directory grows more complex, the risk of accidentally overlapping ACIs quickly
increases. By avoiding ACI overlap, security management becomes easier while potentially
reducing the total number of ACIs contained in the directory.
• Name ACIs.
While naming ACIs is optional, giving each ACI a short, meaningful name helps with
managing the security model, especially when examining ACIs from the Directory Server
Console.
• Group ACIs as closely together as possible within the directory.
Try to limit ACI placement to the directory root point and to major directory branch points.
Grouping ACIs helps to manage the total list of ACIs, as well as helping keep the total
number of ACIs in the directory to a minimum.
• Avoid using double negatives, such as deny write if the bind DN is not equal
to cn=Joe.
Although this syntax is perfectly acceptable for the server, it is confusing for a human
administrator.
8.8 Database encryption
Information is stored in a database in plain text. Consequently, some extremely sensitive
information, such as government identification numbers or passwords, may not be sufficiently
protected by access control measures. It may be possible to gain access to a server's persistent
storage files, either directly through the file system or by accessing discarded disk drives or
archive media.
8.8 Database encryption 123