HP UX Direry Server manual Using ACIs Some hints and tricks

objectClass: person

objectClass: organizationalPerson

objectClass: inetOrgPerson

uid: tmorris

cn: Ted Morris

userPassword: {SSHA}bz0uCmHZM5b357zwrCUCJs1IOHtMD6yqPyhxBA==

entryLevelRights: vadn

attributeLevelRights: givenName:rsc, sn:rsc, ou:rsc, l:rscow, man\ ager:rsc, roomNumber:rscwo, mail:rscwo, facsimileTelephoneNumber:rscwo, objectClass:rsc, uid:rsc, cn:rsc, userPassword:wo

In this example, Ted Morris has the right to add, view, delete, or rename the DN on his own entry, as shown by the results in entryLevelRights. He can read, search, compare, self-modify, or self-delete the location (l) attribute but only self-write and self-delete rights to his password, as shown in the attributeLevelRights result.

By default, effective rights information is not returned for attributes in an entry that do not have a value or which do not exist in the entry. For example, if the userPassword value is removed, then a future effective rights search on the above entry would not return any effective rights for userPassword, even though self-write and self-delete rights could be allowed. Similarly, if the street attribute were added with read, compare, and search rights, then street: rsc would appear in the attributeLevelRights results.

It is possible to return rights for attributes which are not normally included in the search results, like non-existant attributes or operational attributes. Using an asterisk (*) returns the rights for all possible attributes for an entry, including non-existant attributes.

ldapsearch -J 1.3.6.1.4.1.42.2.27.9.5.2:true:dn:uid=scarter,ou=people,dc=example,dc=com "(objectclass=*)" "*"

Using the plus sign (+) returns operational attributes for the entry, which are not normally returned in an ldapsearch asterisk (*). For example:

ldapsearch -J 1.3.6.1.4.1.42.2.27.9.5.2:true:dn:uid=scarter,ou=people,dc=example,dc=com "(objectclass=*)" "+"

The asterisk (*) and the plus sign (+) can be used together to return every attribute for the entry.

Get effective rights for existing attributes are also visible in the Directory Server Console. Open the Advanced Properties editor for the user entry, then select the Show effective rights checkbox. This displays the attribute-level rights (r, s, c, w, o) next to the attributes listed in the main window and the entry-level rights (v, a, d, n) underneath the entry's DN at the bottom of the window.

For more information about using get effective rights options with ldapsearch, see the Administrator's Guide.

8.7.4 Using ACIs: Some hints and tricks

Keep this tips in mind when implementing the security policy. They can help to lower the administrative burden of managing the directory security model and improve the directory's performance characteristics.

•Minimize the number of ACIs in the directory.

Although the Directory Server can evaluate over 50,000 ACIs, it is difficult to manage a large number of ACI statements. A large number of ACIs makes it hard for human administrators to immediately determine the directory object available to particular clients.

Directory Server minimizes the number of ACIs in the directory by using macros. Macros are placeholders that are used to represent a DN, or a portion of a DN, in an ACI. Use the macro to represent a DN in the target portion of the ACI or in the bind rule portion, or both.

122 Designing a secure directory