Red Hat Directory Server 8.0 Administrator's Guide

actually hosts and partially manages the directories of two medium-sized companies, HostedCompany1 and HostedCompany2. It also provides Internet access to a number of individual subscribers.

These are the access control rules that example.com wants to put in place:

• Grant anonymous access for read, search, and compare to the entire example.com tree for example.com employees (Section 9.1, “Granting Anonymous Access”).
• Grant write access to example.com employees for personal information, such as homePhone and homePostalAddress (Section 9.2, “Granting Write Access to Personal Entries”).
• Grant example.com employees the right to add any role to their entry, except certain critical roles (Section 9.3, “Restricting Access to Key Roles”).
• Grant the example.com Human Resources group all rights on the entries in the People branch (Section 9.4, “Granting a Group Full Access to a Suffix”).
• Grant all example.com employees the right to create group entries under the Social Committee branch of the directory and to delete group entries that they own (Section 9.5, “Granting Rights to Add and Delete Group Entries”).
• Grant all example.com employees the right to add themselves to group entries under the Social Committee branch of the directory (Section 9.9, “Allowing Users to Add or Remove Themselves from a Group”).
• Grant access to the directory administrator (role) of HostedCompany1 and HostedCompany2 on their respective branches of the directory tree, with certain conditions such as SSL authentication, time and date restrictions, and specified location (Section 9.6, “Granting Conditional Access to a Group or Role”).
• Deny individual subscribers access to the billing information in their own entries (Section 9.7, “Denying Access”).
• Grant anonymous access to the world to the individual subscribers subtree, except for subscribers who have specifically requested to be unlisted. (This part of the directory could be a consumer server outside of the firewall and be updated once a day.) See Section 9.1, “Granting Anonymous Access” and Section 9.8, “Setting a Target Using Filtering”.
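As an added illustration (not an ACI from the guide itself), the following LDIF implements the first and last of these rules as described in Section 9.1: anonymous read, search, and compare on the example.com tree, and anonymous access to the subscribers subtree limited by a filter so that unlisted subscribers stay hidden. The suffix dc=example,dc=com, the subtree ou=subscribers, and the attribute unlistedSubscriber used in the filter are assumptions for this example; substitute your own names.

```ldif
# Added example (not from the guide). Suffix, subtree and attribute
# names are assumed. Apply with ldapmodify bound as Directory Manager,
# then verify as an anonymous client with ldapsearch that userPassword
# is never returned and that unlisted subscribers do not appear.

# Rule 1: anonymous read/search/compare on the whole example.com tree.
# "targetattr != userPassword" grants every attribute except the
# password, so anonymous readers can never retrieve password hashes.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr != "userPassword")(version 3.0; acl "Anonymous example.com"; allow (read, search, compare) userdn = "ldap:///anyone";)

# Last rule: public phonebook on the subscribers subtree. The targetfilter
# restricts the ACI to entries that are NOT flagged as unlisted, so an
# anonymous search simply does not match those entries; no separate deny
# rule is needed and the listing can be served from a read-only consumer.
dn: ou=subscribers,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr != "userPassword")(targetfilter = "(!(unlistedSubscriber=yes))")(version 3.0; acl "Anonymous World"; allow (read, search, compare) userdn = "ldap:///anyone";)
```

Because ACIs are evaluated on the target entry, an anonymous search of ou=subscribers returns only entries matching the filter, while the same unlisted entries remain visible to binds covered by other, more specific ACIs.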
9.1. Granting Anonymous Access

Most directories are run such that you can anonymously access at least one suffix for read, search, or compare. For example, you might want to set these permissions if you are running a corporate personnel directory that you want employees to be able to search, such as a phonebook. This is the case at example.com internally and is illustrated in Section 9.1.1, “ACI "Anonymous example.com"”.

As an ISP, example.com also wants to advertise the contact information of all of its subscribers by creating a public phonebook accessible to the world. This is illustrated in Section 9.1.2, “ACI