Manualshelf

Red Hat Directory Server 8.0 Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP-UX Red Hat Directory Server Software
181182183184185186187188189190
1.2. ACI Placement
If an entry containing an ACI does not have any child entries, the ACI applies to that entry only.
If the entry has child entries, the ACI applies to the entry itself and all entries below it. As a
direct consequence, when the server evaluates access permissions to any given entry, it
verifies the ACIs for every entry between the one requested and the directory suffix, as well as
the ACIs on the entry itself.
The aci attribute is multi-valued, which means that you can define several ACIs for the same
entry or subtree.
An ACI created on an entry can be set so it does not apply directly to that entry but to some or
all of the entries in the subtree below it. The advantage of this is that general ACIs can be
placed at a high level in the directory tree that effectively apply to entries more likely to be
located lower in the tree. For example, an ACI that targets entries that include the
inetorgperson object class can be created at the level of an organizationalUnit entry or a
locality entry.
Minimize the number of ACIs in the directory tree by placing general rules at high level branch
points. To limit the scope of more specific rules, place them as close as possible to leaf entries.
NOTE
ACIs placed in the root DSE entry apply only to that entry.
1.3. ACI Evaluation
To evaluate the access rights to a particular entry, the server compiles a list of the ACIs present
on the entry itself and on the parent entries back up to the top level entry stored on the Directory
Server. ACIs are evaluated across all of the databases for a particular Directory Server but not
across all Directory Server instances.
The evaluation of this list of ACIs is done based on the semantics of the ACIs, not on their
placement in the directory tree. This means that ACIs that are close to the root of the directory
tree do not take precedence over ACIs that are closer to the leaves of the directory tree.
For Directory Server ACIs, the precedence rule is that ACIs that deny access take precedence
over ACIs that allow access. Between ACIs that allow access, union semantics apply, so there
is no precedence.
For example, if you deny write permission at the directory's root level, then none of the users
can write to the directory, regardless of the specific permissions you grant them. To grant a
specific user write permissions to the directory, you have to restrict the scope of the original
denial for write permission so that it does not include the user.
1.4. ACI Limitations
Chapter 6. Managing Access Control
170