Red Hat Directory Server 8.0 Administrator's Guide
The new ACI is added to the ones listed in the Access Control Manager window.
9.10. Defining Permissions for DNs That Contain a Comma
DNs that contain commas require special treatment within your LDIF ACI statements. In the
target and bind rule portions of the ACI statement, commas must be escaped by a single
backslash (\). For example:
dn: dc=example.com Bolivia\, S.A.,dc=com
objectClass: top
objectClass: organization
aci: (target="ldap:///dc=example.com Bolivia\, S.A.,dc=com")(targetattr="*")
  (version 3.0; acl "aci 2"; allow (all)
  groupdn = "ldap:///cn=Directory Administrators,dc=example.com Bolivia\, S.A.,dc=com";)
9.11. Proxied Authorization ACI Example
Proxied authorization allows one user to bind and perform operations as another user. For
example, example.com has an accounting program which must be able to bind to the directory
as an accounting administrator in order to write data. This authorization assumes three things:
• The client application's bind DN is "uid=MoneyWizAcctSoftware,
ou=Applications,dc=example,dc=com".
• The targeted subtree to which the client application is requesting access is
ou=Accounting,dc=example,dc=com.
• An accounting administrator with access permissions to the
ou=Accounting,dc=example,dc=com subtree exists in the directory.
In order for the client application to gain access to the accounting subtree, using the same
access permissions as the accounting administrator, two ACIs must be set:
• The accounting administrator must have access permissions to the
ou=Accounting,dc=example,dc=com subtree, so the following ACI grants all rights to the
accounting administrator entry:
aci: (target="ldap:///ou=Accounting,dc=example,dc=com") (targetattr="*")
(version 3.0; acl "allowAll-AcctAdmin"; allow (all)
userdn="ldap:///uid=AcctAdministrator,ou=Administrators,dc=example,dc=com";)
• There must be an ACI granting proxy rights to the client application in the directory:
aci: (target="ldap:///ou=Accounting,dc=example,dc=com") (targetattr="*")
(version 3.0; acl "allow proxy-accounting software"; allow (proxy)
userdn="ldap:///uid=MoneyWizAcctSoftware,ou=Applications,dc=example,dc=com";)
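The following is an added worked example, not code from the Administrator's Guide or from Directory Server: a toy ACI evaluator that shows why the "\," escape in section 9.10 matters for DN matching, and why the proxied authorization in section 9.11 needs both ACIs. Its dict-based ACI format and its case-folding comparison are simplifying assumptions, not the server's real syntax or matching rules.

```python
# Added example, not from the Administrator's Guide: a toy ACI evaluator whose
# dict format and matching rules are simplifications (assumption, not DS code).
def split_dn(dn):
    """Split a DN into RDNs on unescaped commas; a '\\,' stays in its value."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):  # keep the escape pair together
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur).strip())
    return rdns

def in_subtree(entry_dn, target_dn):
    """True if entry_dn is target_dn or lies below it, comparing RDNs."""
    e = [r.lower() for r in split_dn(entry_dn)]
    t = [r.lower() for r in split_dn(target_dn)]
    return len(e) >= len(t) and e[len(e) - len(t):] == t

def allowed(acis, bind_dn, entry_dn, right, groups=()):
    """Does some ACI grant `right` on entry_dn to bind_dn or one of its groups?"""
    subjects = {bind_dn.lower()} | {g.lower() for g in groups}
    for aci in acis:
        # "all" covers the data rights but never the proxy right
        has = right in aci["rights"] or ("all" in aci["rights"] and right != "proxy")
        if has and in_subtree(entry_dn, aci["target"]) and aci["bind"].lower() in subjects:
            return True
    return False

def proxied_allowed(acis, bind_dn, proxy_dn, entry_dn, right):
    """Needs both 9.11 ACIs: proxy right for the binder, real right for the proxy DN."""
    return allowed(acis, bind_dn, entry_dn, "proxy") and allowed(acis, proxy_dn, entry_dn, right)

# Constructed ACIs mirroring sections 9.10 and 9.11 of the page.
ACCT = "ou=Accounting,dc=example,dc=com"
ADMIN = "uid=AcctAdministrator,ou=Administrators,dc=example,dc=com"
APP = "uid=MoneyWizAcctSoftware,ou=Applications,dc=example,dc=com"
BOLIVIA = "dc=example.com Bolivia\\, S.A.,dc=com"
ACIS = [
    {"target": ACCT, "rights": {"all"}, "bind": ADMIN},  # allowAll-AcctAdmin
    {"target": ACCT, "rights": {"proxy"}, "bind": APP},  # allow proxy-accounting software
    {"target": BOLIVIA, "rights": {"all"}, "bind": "cn=Directory Administrators," + BOLIVIA},
]
```

With these ACIs the application cannot write to the accounting subtree directly, but can when it proxies as the accounting administrator, and the administrator cannot proxy as the application.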
Chapter 6. Managing Access Control
234