8.7 Designing access control

After deciding on the authentication schemes to use to establish the identity of directory clients, decide how to use those schemes to protect the information contained in the directory. Access control can specify that certain clients have access to particular information, while other clients do not.

Access control is defined using one or more access control lists (ACLs). The directory's ACLs consist of a series of one or more access control information (ACI) statements that either allow or deny permissions (such as read, write, search, and compare) to specified entries and their attributes.

Using the ACL, permissions can be set at any level of the directory tree:

The entire directory.

A particular subtree of the directory.

Specific entries in the directory.

A specific set of entry attributes.

Any entry that matches a given LDAP search filter.

In addition, permissions can be set for a specific user, for all users belonging to a specific group, or for all users of the directory. Lastly, access can be defined for a network location such as an IP address or a DNS name.

8.7.1 About the ACI format

When designing the security policy, it is helpful to understand how ACIs are represented in the directory. It is also helpful to understand what permissions can be set in the directory. This section gives a brief overview of the ACI mechanism. For a complete description of the ACI format, refer to the HP-UX Directory Server administrator guide.

Directory ACIs use the following general form: target permission bind_rule

The ACI variables are defined below:

target

Specifies the entry (usually a subtree) that the ACI targets, the attribute it targets, or both. The target identifies the directory element that the ACI applies to. An ACI can target only one entry, but it can target multiple attributes. In addition, the target can contain an LDAP search filter. Permissions can be set for widely scattered entries that contain common attribute values.

permission

Identifies the actual permission being set by this ACI. The permission variable states that the ACI is allowing or denying a specific type of directory access, such as read or search, to the specified target.

bind rule

Identifies the bind DN or network location to which the permission applies. The bind rule may also specify an LDAP filter, and if that filter is evaluated to be true for the binding client application, then the ACI applies to the client application.

ACIs can therefore be expressed as follows: "For the directory object target, allow or deny permission if bind_rule is true."

permission and bind_rule are set as a pair, and there can be multiple permission-bind_rule pairs for every target. Multiple access controls can be effectively set for any given target. For example:

target (permission bind_rule)(permission bind_rule)...

8.7 Designing access control 117

Page 116 Page 118
Page 117
Image 117
HP UX Direry Server manual Designing access control, About the ACI format
Page 116 Page 118

UX Direry Server specifications

HP UX Directory Server is a robust and scalable solution designed for managing directory information within enterprise networks. Developed by Hewlett-Packard (HP), this server offers an extensive set of features tailored to meet the needs of organizations that require an efficient way to store, manage, and retrieve identity and access data.

One of the key features of HP UX Directory Server is its ability to handle large directories with significant volumes of data. Built on a highly optimized architecture, it provides excellent performance and can support millions of entries without sacrificing speed or reliability. This capability makes it an ideal choice for large-scale deployments in enterprises that require high availability and responsiveness.

In addition to its scalability, HP UX Directory Server supports a wide range of protocols, including LDAP (Lightweight Directory Access Protocol), which ensures seamless integration with diverse applications and systems across various platforms. The server maintains standards compliance, which facilitates interoperability and simplifies administration tasks.

Security is a top priority for HP UX Directory Server, offering an array of features to protect sensitive information. It supports secure data transmission via TLS/SSL protocols, ensuring encrypted communication between clients and servers. Advanced access controls allow administrators to define fine-grained permissions, helping to safeguard directory data against unauthorized access.

Another salient feature of HP UX Directory Server is its replication capabilities. The server can replicate directory data across multiple instances, ensuring data consistency and availability in distributed environments. This feature is essential for businesses operating across different geographical locations or requiring failover solutions for disaster recovery.

HP UX Directory Server also comes equipped with tools for data management, including an intuitive administration console for configuring and monitoring the server. Additionally, it offers customizable schema capabilities, enabling organizations to tailor the directory structure to fit their specific needs.

Integration with existing identity management solutions is streamlined through connectors and APIs, allowing organizations to extend their directory services and enhance user experience.

In summary, HP UX Directory Server is a powerful directory management solution that combines scalability, security, and integration flexibility. Its support for industry standards, advanced replication, and comprehensive administrative tools makes it an essential asset for organizations seeking to manage identity and access efficiently. By leveraging this technology, businesses can improve their operational efficiency and ensure a secure and organized approach to directory management.
Top Page Image Contents