Red Hat Directory Server 8.0 Administrator's Guide
userdn="ldap:///uid=MoneyWizAcctSoftware,ou=Applications,dc=example,dc=com";)
With this ACI in place, the MoneyWizAcctSoftware client application can bind to the directory
and send an LDAP command such as ldapsearch or ldapmodify that requires the access
rights of the proxy DN.
If the client performs an ldapsearch command, the command must include the following
controls:
ldapmodify -D "uid=MoneyWizAcctSoftware,ou=Applications,dc=example,dc=com" \
    -w secretpwd \
    -y "uid=AcctAdministrator,ou=Administrators,dc=example,dc=com"
The client or application (MoneyWizAcctSoftware) binds as itself but is granted the privileges
of the proxy entry (AcctAdministrator). The client does not need the password of the proxy
entry.
NOTE
There are some restrictions on binding with proxy authorization. You cannot use
the Directory Manager's DN (root DN) as a proxy DN. Additionally, if Directory
Server receives more than one proxied authentication control, an error is
returned to the client application, and the bind attempt is unsuccessful.
10. Advanced Access Control: Using Macro ACIs
In organizations that use repeating directory tree structures, it is possible to optimize the
number of ACIs used in the directory by using macros. Reducing the number of ACIs in your
directory tree makes it easier to manage your access control policy and improves the efficiency
of ACI memory usage.
Macros are placeholders that are used to represent a DN, or a portion of a DN, in an ACI. You
can use a macro to represent a DN in the target portion of the ACI or in the bind rule portion, or
both. In practice, when Directory Server gets an incoming LDAP operation, the ACI macros are
matched against the resource targeted by the LDAP operation. If there is a match, the macro is
replaced by the value of the DN of the targeted resource. Directory Server then evaluates the
ACI normally.
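The matching step described above, as an added example that is not part of the Administrator's Guide or of Directory Server's code: a simplified Python model of how a ($dn) macro in the target is bound to part of the targeted entry's DN and then substituted into the bind rule. The ($dn) form is Directory Server's macro syntax, which this excerpt does not show; the DNs are constructed samples, and the model assumes RDNs contain no escaped commas.

```python
# Added illustration: a simplified model of ($dn) macro matching, not Directory Server code.
# Assumptions: RDNs contain no escaped commas; the DNs below are constructed samples.
MACRO = "($dn)"

def split_dn(dn):
    """Split a DN into RDNs, trimming whitespace (escaped commas are not handled)."""
    return [rdn.strip() for rdn in dn.split(",") if rdn.strip()]

def same(a, b):
    """Case-insensitive comparison of two RDN lists."""
    return [x.lower() for x in a] == [y.lower() for y in b]

def match_macro(target_pattern, entry_dn):
    """Return the DN fragment ($dn) stands for, or None if the target does not match."""
    parts = split_dn(target_pattern)
    if MACRO not in parts:
        return None
    i = parts.index(MACRO)
    prefix, suffix = parts[:i], parts[i + 1:]
    entry = split_dn(entry_dn)
    # The fixed part to the right of the macro must be the end of the entry DN.
    if suffix and not same(entry[-len(suffix):], suffix):
        return None
    rest = entry[:len(entry) - len(suffix)]
    # The fixed part to the left of the macro must occur in what remains;
    # RDNs further left belong to entries below the target (subtree scope).
    start = 0
    if prefix:
        hits = [k for k in range(len(rest) - len(prefix) + 1)
                if same(rest[k:k + len(prefix)], prefix)]
        if not hits:
            return None
        start = hits[0] + len(prefix)
    value = rest[start:]
    return ",".join(value) if value else None

def expand_bind_rule(target_pattern, bind_rule, entry_dn):
    """Substitute the matched value into the bind rule; None means the ACI does not apply."""
    value = match_macro(target_pattern, entry_dn)
    return None if value is None else bind_rule.replace(MACRO, value)

TARGET = "ou=Groups,($dn),dc=example,dc=com"
BIND_RULE = 'groupdn="ldap:///cn=DomainAdmins,ou=Groups,($dn),dc=example,dc=com"'
ENTRY = "cn=all,ou=groups,dc=subdomain1,dc=hostedCompany1,dc=example,dc=com"

if __name__ == "__main__":
    print(expand_bind_rule(TARGET, BIND_RULE, ENTRY))
```

Because the bind rule is rebuilt from the targeted entry's own DN, one ACI at the top of the tree grants each subtree's administrators access to their own subtree only.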
10.1. Macro ACI Example
Figure 6.3, “Example Directory Tree for Macro ACIs” shows a directory tree which uses macro
ACIs to effectively reduce the overall number of ACIs. This illustration uses a repeating pattern of