Red Hat Directory Server 8.0 Administrator's Guide
The following entry matches the filter (possesses the o attribute with the value sales
managers), and, therefore, it is a member of this filtered role automatically:
dn: cn=Pat,ou=people,dc=example,dc=com
objectclass: person
cn: Pat
sn: Pat
userPassword: bigsecret
o: sales managers
1.3.3. Example: Nested Role Definition
The Example Corporation administrator is creating a nested role that contains both the
marketing staff and the sales managers, that is, the members of the marketing managed role
and the sales managers filtered role.
1. Run ldapmodify:
ldapmodify -D "cn=Directory Manager" -w secret -h host -p 389
2. Create the nested role entry. The nested role has the nsNestedRoleDefinition object
class, which inherits from the LDAPsubentry, nsRoleDefinition, and
nsComplexRoleDefinition object classes. The nsRoleDN attributes contain the DNs of both
the marketing managed role and the sales managers filtered role.
dn: cn=MarketingSales,ou=people,dc=example,dc=com
objectclass: top
objectclass: LDAPsubentry
objectclass: nsRoleDefinition
objectclass: nsComplexRoleDefinition
objectclass: nsNestedRoleDefinition
cn: MarketingSales
nsRoleDN: cn=SalesManagerFilter,ou=people,dc=example,dc=com
nsRoleDN: cn=Marketing,ou=people,dc=example,dc=com
Both of the users in the previous examples, Bob and Pat, would be members of this new nested
role.
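As an added illustration, not part of the guide or of Directory Server's own roles plug-in, the following Python model evaluates membership in managed, filtered and nested roles over constructed entries modelled on Bob, Pat and the three role definitions above; it supports only equality filters combined with &, | and !, and it assumes that role definition entries themselves are never counted as members.

```python
# Constructed entries modelled on the guide's examples (Bob holds the managed role
# via nsRoleDN, Pat matches the filtered role via o). Keys are lowercase: LDAP
# attribute names are case-insensitive.
BASE = "ou=people,dc=example,dc=com"
MARKETING, SALES, NESTED = (f"cn={n},{BASE}" for n in ("Marketing", "SalesManagerFilter", "MarketingSales"))
ROLE = ["top", "ldapsubentry", "nsroledefinition"]
ENTRIES = {
    f"cn=Bob,{BASE}": {"objectclass": ["person"], "cn": ["Bob"], "nsroledn": [MARKETING]},
    f"cn=Pat,{BASE}": {"objectclass": ["person"], "cn": ["Pat"], "o": ["sales managers"]},
    MARKETING: {"objectclass": ROLE + ["nssimpleroledefinition", "nsmanagedroledefinition"]},
    SALES: {"objectclass": ROLE + ["nscomplexroledefinition", "nsfilteredroledefinition"],
            "nsrolefilter": ["(o=sales managers)"]},
    NESTED: {"objectclass": ROLE + ["nscomplexroledefinition", "nsnestedroledefinition"],
             "nsroledn": [SALES, MARKETING]},
}

def split_top(s):
    """Split "(a=1)(b=2)" into its top-level parenthesised parts."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        depth += (ch == "(") - (ch == ")")
        if ch == "(" and depth == 1:
            start = i
        elif ch == ")" and depth == 0:
            parts.append(s[start:i + 1])
    return parts

def matches(entry, flt):
    """Evaluate a minimal LDAP filter: (attr=value) plus &, | and ! lists."""
    body = flt.strip()[1:-1]                 # drop the outer parentheses
    if body[0] in "&|!":
        results = [matches(entry, p) for p in split_top(body[1:])]
        return {"&": all, "|": any, "!": lambda r: not r[0]}[body[0]](results)
    attr, _, value = body.partition("=")
    return value.lower() in (v.lower() for v in entry.get(attr.lower(), []))

def members(role_dn, seen=frozenset()):
    """DNs of the non-role entries holding role_dn, following nested roles."""
    if role_dn in seen:                      # nested roles can loop; stop here
        return set()
    role = ENTRIES[role_dn]
    classes = role["objectclass"]
    if "nsnestedroledefinition" in classes:  # union of the nested roles' members
        return set().union(*(members(r, seen | {role_dn}) for r in role["nsroledn"]))
    users = {dn: e for dn, e in ENTRIES.items() if "nsroledefinition" not in e["objectclass"]}
    if "nsmanagedroledefinition" in classes:  # explicit nsRoleDN on the entry
        return {dn for dn, e in users.items() if role_dn in e.get("nsroledn", [])}
    if "nsfilteredroledefinition" in classes:  # entries matching nsRoleFilter
        return {dn for dn, e in users.items() if matches(e, role["nsrolefilter"][0])}
    raise ValueError(f"not a role definition: {role_dn}")
```

Running members(NESTED) returns Bob and Pat; note that Pat's membership follows only from the o value on Pat's own entry, so whoever may write that attribute decides that membership, which is the kind of consideration Section 1.4 raises.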
1.4. Using Roles Securely
Not every role is suitable for use in a security context. When creating a new role, consider how
easily the role can be assigned to and removed from an entry. Sometimes it is appropriate for
Chapter 5. Managing Entries with Roles, Class of Service, and Views
142