LDAP-UX Client Services B.04.00 Administrator's Guide
Installing And Configuring LDAP-UX Client Services
Configure Your Directory
With Netscape Directory Server for HP-UX, you can use the Netscape
Console or ldapmodify to set up access control instructions (ACI) so
ordinary users cannot change these attributes in their passwd entry in
the directory.
The following access control instruction is present by default at the top of the
directory tree for a 6.x Netscape directory. This ACI allows a user to
change any attribute in their own passwd entry:
aci: (targetattr = "*") (version 3.0; acl "Allow self entry modification"; allow (write)userdn = "ldap:///self";)
You could modify this example ACI to the following, which prevents
ordinary users from changing their uidnumber, gidnumber,
homedirectory, and uid attributes:
aci: (targetattr != "uidnumber || gidnumber || homedirectory || uid") (version 3.0; acl "Allow self entry modification, except for important posix attributes"; allow (write)userdn = "ldap:///self";)
You may have other attributes you need to protect as well.
To change an ACI with the Netscape Directory Console, select the
Directory tab, select your directory suffix in the left-hand panel, then
select the Object: Set Access Permissions menu item. In the dialog box,
select the “Allow self entry modification” ACI and click OK. Use the Set
Access Permissions dialog box to modify the ACI. See “Managing Access
Control” in the Netscape Directory Server Administrator’s Guide for
complete details.
Step 3. Restrict write access to certain group (posixGroup) attributes of the posix schema.
Grant write access of the cn, memberuid, gidnumber, and userPassword
attributes only to directory administrators; disallow write access by all
other users.
With Netscape Directory Server for HP-UX, you can use the Netscape
Console or ldapmodify to set up access control lists (ACL) so ordinary
users cannot change these attributes in the posixGroup entry in the
directory. For example, the following ACI, placed in the directory at
ou=groups,ou=unix,o=hp.com, allows only the directory administrator
to modify entries below ou=groups,ou=unix,o=hp.com:
aci: (targetattr = "*")(version 3.0;acl "Disallow modification of group entries"; deny (write) (groupdn != "ldap:///ou=Directory Administrators,o=hp.com");)