HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3332, November 2013)

userattr = "parent[inheritance_level].attribute#bindType"
inheritance_level is a comma-separated list of the levels below the targeted entry that inherit
the ACI. Up to five levels (0, 1, 2, 3, 4) can be listed; zero (0) indicates the targeted entry
itself, 1 its immediate children, and so on.
attribute is the attribute targeted by the userattr or groupattr keyword.
bindType can be one of USERDN, GROUPDN, or LDAPURL.
For example:
userattr = "parent[0,1].manager#USERDN"
This bind rule is evaluated to be true if the bind DN matches the manager attribute of the targeted
entry. The permissions granted when the bind rule is evaluated to be true apply to the target entry
and to all entries immediately below it.
The example in Figure 11 (page 250) indicates that user bjensen is allowed to read and search
the cn=Profiles entry as well as the first level of child entries, which includes cn=mail and
cn=news, thus allowing her to search through her own mail and news IDs.
Figure 11 Using inheritance with the userattr keyword
In this example, if you did not use inheritance, you would have to do one of the following to achieve
the same result:
Explicitly set read and search access for user bjensen on the cn=Profiles, cn=mail,
and cn=news entries in the directory.
Add the owner attribute with a value of bjensen to the cn=mail and cn=news entries, then
add the following ACI to the cn=mail and cn=news entries.
aci: (targetattr="*") (version 3.0; acl "profiles access"; allow (read,search)
userattr="owner#USERDN";)
Granting add permission using the userattr keyword
Using the userattr keyword in conjunction with all or add permissions does not behave as
one would typically expect. Typically, when a new entry is created in the directory, Directory
Server evaluates access rights on the entry being created and not on the parent entry. However,
in the case of ACIs using the userattr keyword, this behavior could create a security hole, and
the server's normal behavior is modified to avoid it.
Consider the following example:
aci: (target="ldap:///dc=example,dc=com")(targetattr=*) (version 3.0;
acl "manager-write"; allow (all) userattr = "manager#USERDN";)
This ACI grants managers all rights on the entries of employees that report to them. However,
because access rights are evaluated on the entry being created, this type of ACI would also allow
any employee to create an entry in which the manager attribute is set to their own DN. For example,
disgruntled employee Joe (cn=Joe,ou=eng,dc=example,dc=com) might want to create an
entry in the Human Resources branch of the tree to use (or misuse) the privileges granted to Human
Resources employees.
He could do this by creating the following entry:
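The following Python model is an added example, not code from the HP-UX Directory Server guide or from the product. It evaluates userattr bind rules of the form parent[levels].attribute#USERDN against a small constructed tree, and covers both passages above: the inheritance case (the ACI assumed for Figure 11 is parent[0,1].owner#USERDN on cn=Profiles with owner set to bjensen, which is a reconstruction, not text from the page) and the add-permission hole (the manager-write ACI quoted in the text). The DNs, the sample entries, every function name, and the way the add case is handled (a new entry's own attributes are not allowed to satisfy the rule) are assumptions made for illustration; the guide only states that the server's normal behavior is modified.

```python
"""Toy evaluator for userattr bind rules of the form parent[levels].attribute#USERDN.

Added example, not code from the HP-UX Directory Server guide or product: the
sample tree, the ACIs, all function names and the way the add case is handled
are constructed here to illustrate the behaviour the guide describes."""

from typing import Dict, List, Optional

Directory = Dict[str, Dict[str, List[str]]]   # normalised DN -> {attr (lower case): values}
ALL_RIGHTS = {"read", "search", "compare", "write", "selfwrite", "delete", "add"}  # "all" excludes proxy


def norm_dn(dn: str) -> str:
    """Trim blanks around commas and lower-case, so DNs compare reliably."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def parent_dn(dn: str) -> Optional[str]:
    """Drop the leading RDN; None once the root of the tree is reached."""
    rdns = dn.split(",")
    return ",".join(rdns[1:]) if len(rdns) > 1 else None


def parse_userattr(rule: str):
    """'parent[0,1].owner#USERDN' -> ([0, 1], 'owner'); 'owner#USERDN' -> ([0], 'owner')."""
    attr_part, bind_type = rule.split("#", 1)
    if bind_type != "USERDN":
        raise NotImplementedError("only the USERDN bind type is modelled")
    if attr_part.startswith("parent["):
        levels_text, attr = attr_part[len("parent["):].split("].", 1)
        return [int(n) for n in levels_text.split(",")], attr.lower()
    return [0], attr_part.lower()


def userattr_matches(directory, entry_dn, rule, bind_dn, op, new_entry=None, trust_new_entry=False):
    """True if, for some listed level n, the n-th ancestor of entry_dn (n = 0 is the entry
    itself) carries the bind DN in the named attribute.

    On an add the level-0 entry does not exist yet; its attributes are whatever the client
    sent. trust_new_entry=True reproduces the naive evaluation the guide warns about; the
    default refuses to let a new entry authorise its own creation (assumed fix)."""
    levels, attr = parse_userattr(rule)
    bind_dn = norm_dn(bind_dn)
    for n in levels:
        dn = norm_dn(entry_dn)
        for _ in range(n):
            dn = parent_dn(dn) if dn else None
        if dn is None:
            continue
        if n == 0 and op == "add":
            if not trust_new_entry:
                continue                      # attacker-controlled attributes never count
            entry = new_entry
        else:
            entry = directory.get(dn)         # an existing entry, outside the client's control
        if entry and bind_dn in (norm_dn(v) for v in entry.get(attr, [])):
            return True
    return False


def aci_allows(directory, aci, entry_dn, right, bind_dn, op, new_entry=None, trust_new_entry=False):
    """Apply one ACI: target scope (target entry plus its subtree), granted rights, bind rule."""
    entry_dn, target = norm_dn(entry_dn), norm_dn(aci["target"])
    if entry_dn != target and not entry_dn.endswith("," + target):
        return False
    rights = ALL_RIGHTS if "all" in aci["allow"] else set(aci["allow"])
    if right not in rights:
        return False
    return userattr_matches(directory, entry_dn, aci["userattr"], bind_dn, op, new_entry, trust_new_entry)


# Constructed sample tree; only the names under cn=Profiles follow the guide, the rest is invented.
BJENSEN = "uid=bjensen,ou=People,dc=example,dc=com"
JOE = "cn=Joe,ou=eng,dc=example,dc=com"
ALICE = "cn=Alice,ou=eng,dc=example,dc=com"
PROFILES = "cn=Profiles,ou=People,dc=example,dc=com"
DIRECTORY: Directory = {norm_dn(dn): attrs for dn, attrs in {
    "dc=example,dc=com": {}, "ou=People,dc=example,dc=com": {}, BJENSEN: {},
    PROFILES: {"owner": [BJENSEN]},
    "cn=mail," + PROFILES: {}, "cn=news," + PROFILES: {},
    "cn=ids,cn=mail," + PROFILES: {},                    # two levels below cn=Profiles
    "ou=eng,dc=example,dc=com": {}, "ou=Human Resources,dc=example,dc=com": {},
    JOE: {"manager": [BJENSEN]}, ALICE: {"manager": [BJENSEN]},
}.items()}

# Assumed reconstruction of the Figure 11 ACI: owner set once on cn=Profiles, inherited one level.
PROFILES_ACI = {"target": PROFILES, "allow": ["read", "search"], "userattr": "parent[0,1].owner#USERDN"}
# The "manager-write" ACI quoted in the text.
MANAGER_ACI = {"target": "dc=example,dc=com", "allow": ["all"], "userattr": "manager#USERDN"}
# Invented variant: add rights come from an existing parent's manager attribute, never the new entry.
MANAGER_ADD_ACI = {"target": "dc=example,dc=com", "allow": ["add"], "userattr": "parent[0,1].manager#USERDN"}


def bjensen_can_read(entry_dn: str) -> bool:
    return aci_allows(DIRECTORY, PROFILES_ACI, entry_dn, "read", BJENSEN, "read")


def joe_can_plant_entry(trust_new_entry: bool) -> bool:
    """Joe adds an HR entry whose manager attribute is his own DN (the attack in the text)."""
    planted = {"cn": ["planted"], "manager": [JOE]}
    return aci_allows(DIRECTORY, MANAGER_ACI, "cn=planted,ou=Human Resources,dc=example,dc=com",
                      "add", JOE, "add", planted, trust_new_entry)


def can_add_below_report(bind_dn: str) -> bool:
    """With MANAGER_ADD_ACI only Alice's manager may add cn=laptop beneath her entry."""
    return aci_allows(DIRECTORY, MANAGER_ADD_ACI, "cn=laptop," + ALICE, "add", bind_dn, "add", {"cn": ["laptop"]})
```

The model evaluates the ACI against the DN of the entry being added, exactly as the text describes, so the only thing separating the vulnerable outcome from the safe one is whether level-0 attributes may be taken from the add request itself. The parent[0,1] variant shows the shape of a rule that still works under that restriction: the authorising attribute lives on an existing entry above the new one, which the client cannot write.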
250 Managing Access Control