8.7 Designing access control

After deciding on the authentication schemes to use to establish the identity of directory clients, decide how to use those schemes to protect the information contained in the directory. Access control can specify that certain clients have access to particular information, while other clients do not.

Access control is defined using one or more access control lists (ACLs). The directory's ACLs consist of a series of one or more access control information (ACI) statements that either allow or deny permissions (such as read, write, search, and compare) to specified entries and their attributes.

Using the ACL, permissions can be set at any level of the directory tree:

The entire directory.

A particular subtree of the directory.

Specific entries in the directory.

A specific set of entry attributes.

Any entry that matches a given LDAP search filter.

In addition, permissions can be set for a specific user, for all users belonging to a specific group, or for all users of the directory. Lastly, access can be defined for a network location such as an IP address or a DNS name.

8.7.1 About the ACI format

When designing the security policy, it is helpful to understand how ACIs are represented in the directory. It is also helpful to understand what permissions can be set in the directory. This section gives a brief overview of the ACI mechanism. For a complete description of the ACI format, refer to the HP-UX Directory Server administrator guide.

Directory ACIs use the following general form:

target permission bind_rule

The ACI variables are defined below:

target

Specifies the entry (usually a subtree) that the ACI targets, the attribute it targets, or both. The target identifies the directory element that the ACI applies to. An ACI can target only one entry, but it can target multiple attributes. In addition, the target can contain an LDAP search filter, so permissions can be set for widely scattered entries that share common attribute values.

permission

Identifies the actual permission being set by this ACI. The permission variable states that the ACI is allowing or denying a specific type of directory access, such as read or search, to the specified target.

bind_rule

Identifies the bind DN or network location to which the permission applies. The bind rule may also specify an LDAP filter; if that filter evaluates to true for the binding client application, the ACI applies to that client application.

ACIs can therefore be expressed as follows: "For the directory object target, allow or deny permission if bind_rule is true."

permission and bind_rule are set as a pair, and there can be multiple permission-bind_rule pairs for every target. Multiple access controls can be effectively set for any given target. For example:

target (permission bind_rule)(permission bind_rule)...
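As an added worked example (not part of the guide), the parser below splits a constructed aci attribute value into its target, its name, and its permission-bind_rule pairs, and renders each pair in the "for target, allow or deny permission if bind_rule is true" form described above. It assumes the Red Hat/389 Directory Server aci syntax, `(target...)(version 3.0; acl "name"; allow|deny (perms) bind_rule; ...)`, which HP-UX Directory Server is assumed to share.

```python
import re

# Constructed sample ACI for illustration (not from the original page).
# Syntax assumed: 389/Red Hat Directory Server style aci value.
SAMPLE_ACI = (
    '(target="ldap:///ou=People,dc=example,dc=com")'
    '(targetattr="userPassword || telephoneNumber")'
    '(version 3.0; acl "self write, admins read";'
    ' allow (write) userdn="ldap:///self";'
    ' allow (read,search,compare) groupdn="ldap:///cn=Admins,ou=Groups,dc=example,dc=com";'
    ' deny (write) ip="192.0.2.*";)'
)

# One target clause: (target="..."), (targetattr="..."), (targetfilter="..."); "!=" is allowed.
TARGET_RE = re.compile(r'\((target\w*)\s*(!?=)\s*"([^"]*)"\)')
# One permission/bind-rule pair: allow|deny (perm,perm,...) bind_rule;
RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*([^;]*);')


def parse_aci(aci: str) -> dict:
    """Split an ACI into its target clauses, acl name, and (permission, bind_rule) pairs."""
    head, sep, body = aci.partition("(version 3.0;")
    if not sep:
        raise ValueError("ACI is missing the '(version 3.0;' body")
    # Everything before the version marker is one or more target clauses.
    targets = {kw: (op, val) for kw, op, val in TARGET_RE.findall(head)}
    name_m = re.match(r'\s*acl\s+"([^"]*)"\s*;', body)
    if not name_m:
        raise ValueError('ACI body must start with acl "name";')
    rules = []
    for effect, perms, bind_rule in RULE_RE.findall(body[name_m.end():]):
        rules.append({
            "effect": effect,
            "permissions": sorted(p.strip() for p in perms.split(",") if p.strip()),
            "bind_rule": bind_rule.strip(),
        })
    return {"targets": targets, "name": name_m.group(1), "rules": rules}


def describe(parsed: dict) -> list:
    """Render each pair as: For target (attributes), allow/deny perms if bind_rule is true."""
    target = parsed["targets"].get("target", ("=", "<entire directory>"))[1]
    attrs = parsed["targets"].get("targetattr", ("=", "*"))[1]
    return [f'For {target} (attributes {attrs}), {r["effect"]} '
            f'{",".join(r["permissions"])} if {r["bind_rule"]} is true'
            for r in parsed["rules"]]


if __name__ == "__main__":
    for line in describe(parse_aci(SAMPLE_ACI)):
        print(line)
```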
