Manualshelf

Red Hat Directory Server 8.0 Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP-UX Red Hat Directory Server Software
181182183184185186187188189190
Managing Access Control
Red Hat Directory Server allows you to control access to your directory. This chapter describes
the how to implement access control. To take full advantage of the power and flexibility of
access control, while you are in the planning phase for your directory deployment, define an
access control strategy as an integral part of your overall security policy.
1. Access Control Principles
The mechanism which defines user access is called access control. When the server receives a
request, it uses the authentication information provided by the user in the bind operation and the
access control instructions (ACIs) defined in the server to allow or deny access to directory
information. The server can allow or deny permissions for actions on entries like read, write,
search, and compare. The permission level granted to a user may depend on the authentication
information provided.
Access control in Directory Server is flexible enough to provide very precise rules on when the
ACIs are applicable:
For the entire directory, a subtree of the directory, specific entries in the directory (including
entries defining configuration tasks), or a specific set of entry attributes.
For a specific user, all users belonging to a specific group or role, or all users of the directory.
For a specific location such as an IP address or a DNS name.
1.1. ACI Structure
Access control instructions are stored in the directory as attributes of entries. The aci attribute
is an operational attribute; it is available for use on every entry in the directory, regardless of
whether it is defined for the object class of the entry. It is used by the Directory Server to
evaluate what rights are granted or denied when it receives an LDAP request from a client. The
aci attribute is returned in an ldapsearch operation if specifically requested.
The three main parts of an ACI statement are:
Target
Permission
Bind Rule
The permission and bind rule portions of the ACI are set as a pair, also called an access control
rule (ACR). The specified permission is granted or denied depending on whether the
accompanying rule is evaluated to be true.
Chapter 6.
169