Chapter 6. Managing Access Control

4.3. Defining Group Access - groupdn Keyword

Members of a specific group can access a targeted resource. This is known as group access. Group access is defined using the groupdn keyword to specify that access to a targeted entry is granted or denied if the user binds using a DN that belongs to a specific group.

The groupdn keyword requires one or more valid distinguished names in the following format:

groupdn="ldap:///dn [|| ldap:///dn]...[|| ldap:///dn]"

The bind rule is evaluated to be true if the bind DN belongs to the named group.

NOTE

If a DN contains a comma, the comma must be escaped by a backslash (\).

From the Directory Server Console, you can define specific groups using the Access Control Editor. For more information, see Section 5, “Creating ACIs from the Console”.

Scenario: Groupdn keyword containing an LDAP URL

Example:

groupdn = "ldap:///cn=Administrators,dc=example,dc=com";

Description: The bind rule is evaluated to be true if the bind DN belongs to the Administrators group. If you wanted to grant the Administrators group permission to write to the entire directory tree, you would create the following ACI on the dc=example,dc=com node:

aci: (version 3.0; acl "Administrators-write"; allow (write) groupdn="ldap:///cn=Administrators,dc=example,dc=com";)

Scenario: Groupdn keyword containing logical OR of LDAP URLs

Example:

groupdn = "ldap:///cn=Administrators,dc=example,dc=com" || "ldap:///cn=Mail Administrators,dc=example,dc=com";

Description: The bind rule is evaluated to be true if the bind DN belongs to either the Administrators or the Mail Administrators group.

Table 6.5. groupdn Examples
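The following is an added example, not code from the Red Hat Directory Server manual or product. It shows, offline, how a groupdn bind rule such as the ones in Table 6.5 is evaluated: the LDAP URLs are pulled out of the ACI, joined by logical OR, and the bind DN is checked against constructed group membership data. It also handles the escaped comma from the note above, so a group whose cn contains a comma still matches. The ACI strings, group entries and user DNs are all constructed for the example; the helper names (parse_groupdn_urls, bind_rule_true, and so on) are this example's own, not server APIs.

```python
import re
from typing import Dict, List, Set

# Constructed ACI using two LDAP URLs joined with the logical OR operator "||".
SAMPLE_ACI = (
    'aci: (version 3.0; acl "Administrators-write"; allow (write) '
    'groupdn="ldap:///cn=Administrators,dc=example,dc=com" || '
    '"ldap:///cn=Mail Administrators,dc=example,dc=com";)'
)

# Constructed ACI whose group cn contains a comma, escaped with a backslash
# as the note above requires.
SAMPLE_ACI_ESCAPED = (
    'aci: (version 3.0; acl "Night-shift-read"; allow (read) '
    'groupdn="ldap:///cn=Ops\\, Night Shift,dc=example,dc=com";)'
)

# Constructed membership data standing in for the directory's group entries:
# group DN -> set of member DNs.
SAMPLE_GROUPS: Dict[str, Set[str]] = {
    "cn=Administrators,dc=example,dc=com": {
        "uid=alice,ou=People,dc=example,dc=com",
    },
    "cn=Mail Administrators,dc=example,dc=com": {
        "uid=bob,ou=People,dc=example,dc=com",
    },
    "cn=Ops\\, Night Shift,dc=example,dc=com": {
        "uid=carol,ou=People,dc=example,dc=com",
    },
}

# One quoted LDAP URL; backslash escapes inside the DN are kept intact.
_URL_RE = re.compile(r'"ldap:///((?:[^"\\]|\\.)*)"')


def parse_groupdn_urls(aci: str) -> List[str]:
    """Return every group DN named in the ACI's groupdn bind rule.

    Several URLs may be listed, separated by "||"; all of them are returned
    so the caller can apply the logical OR.
    """
    match = re.search(r'groupdn\s*=\s*(.*?);', aci, re.DOTALL)
    if not match:
        return []
    return [m.group(1) for m in _URL_RE.finditer(match.group(1))]


def split_rdns(dn: str) -> List[str]:
    """Split a DN on unescaped commas; normalise case and whitespace per RDN."""
    parts = re.split(r'(?<!\\),', dn)
    return [p.strip().lower() for p in parts]


def same_dn(a: str, b: str) -> bool:
    """Compare two DNs RDN by RDN, ignoring case and surrounding whitespace."""
    return split_rdns(a) == split_rdns(b)


def bind_rule_true(aci: str, bind_dn: str, groups: Dict[str, Set[str]]) -> bool:
    """True if bind_dn is a member of any group named in the groupdn rule."""
    for group_dn in parse_groupdn_urls(aci):
        for known_group, members in groups.items():
            if same_dn(known_group, group_dn):
                if any(same_dn(m, bind_dn) for m in members):
                    return True
    return False


def build_groupdn_rule(group_dns: List[str]) -> str:
    """Build the groupdn bind-rule text for DNs that are already escaped."""
    urls = ['"ldap:///%s"' % dn for dn in group_dns]
    return "groupdn=" + " || ".join(urls) + ";"


if __name__ == "__main__":
    for dn in ("uid=alice,ou=People,dc=example,dc=com",
               "uid=bob,ou=People,dc=example,dc=com",
               "uid=carol,ou=People,dc=example,dc=com"):
        print(dn, "->", bind_rule_true(SAMPLE_ACI, dn, SAMPLE_GROUPS))
```

The comparison works on normalised RDNs rather than raw strings, because a bind DN is commonly supplied with different case or spacing from the group entry's member attribute. When building a rule, escape commas inside attribute values before passing the DN in; the builder does not guess which commas are separators.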

4.4. Defining Role Access - roledn Keyword

Members of a specific role can access a targeted resource. This is known as role access. Role access is defined using the roledn keyword to specify that access to a targeted entry is granted
