Chapter 6. Managing Access Control

7. To create the value-based filter for roles, switch to manual editing by clicking the Edit Manually button. Add the following to the beginning of the LDIF statement:

(targattrfilters="add=nsroledn:(nsroledn != "cn=superAdmin, dc=example,dc=com")")

The LDIF statement should read as follows:

(targattrfilters="add=nsroledn:(nsroledn != "cn=superAdmin, dc=example,dc=com")") (targetattr = "*") (target = "ldap:///ou=example-people,dc=example,dc=com") (version 3.0; acl "Roles"; allow (write) (userdn = "ldap:///self") and (dns="*.example.com");)

8. Click OK.

The new ACI is added to the ones listed in the Access Control Manager window.

9.4. Granting a Group Full Access to a Suffix

Most directories have a group that is used to identify certain corporate functions. These groups can be given full access to all or part of the directory. By applying the access rights to the group, you can avoid setting the access rights for each member individually. Instead, you grant users these access rights simply by adding them to the group.

For example, when the Directory Server is set up with a typical process, an administrators group with full access to the directory is created by default.

At example.com, the Human Resources group is allowed full access to the ou=example-people branch of the directory so that they can update the employee database. This is illustrated in Section 9.4.1, “ACI "HR"”.

9.4.1. ACI "HR"

In LDIF, to grant the HR group all rights on the employee branch of the directory, use the following statement:

aci: (version 3.0; acl "HR"; allow (all) userdn= "ldap:///cn=HRgroup,ou=example-people,dc=example,dc=com";)

This example assumes that the ACI is added to the ou=example-people,dc=example,dc=com entry.
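As an added example (not from the manual), a small Python parser that splits the "Roles" and "HR" ACIs shown above into their clauses and flags the properties a reviewer checks first: a missing target, allow (all), and write on every attribute without a targattrfilters value filter. The sample ACI strings and the review notes are constructed here; only the ACI syntax comes from the page.

```python
import re
# Constructed sample input: the two ACI values shown on this page (target URL without the stray space).
ACI_ROLES = ('(targattrfilters="add=nsroledn:(nsroledn != "cn=superAdmin, dc=example,dc=com")") '
             '(targetattr = "*") (target = "ldap:///ou=example-people,dc=example,dc=com") '
             '(version 3.0; acl "Roles"; allow (write) (userdn = "ldap:///self") and (dns="*.example.com");)')
ACI_HR = '(version 3.0; acl "HR"; allow (all) userdn= "ldap:///cn=HRgroup,ou=example-people,dc=example,dc=com";)'
TARGET_KEYS = ("target", "targetattr", "targattrfilters")

def split_clauses(aci):
    # Top-level '(...)' groups; quotes are ignored on purpose because the manual's targattrfilters value nests unescaped quotes.
    clauses, depth, start = [], 0, 0
    for i, ch in enumerate(aci):
        if ch == '(':
            start = i + 1 if depth == 0 else start
            depth += 1
        elif ch == ')':
            depth -= 1
            if depth == 0:
                clauses.append(aci[start:i])
            elif depth < 0:
                raise ValueError("unbalanced ')' at offset %d" % i)
    if depth:
        raise ValueError("unbalanced '(' in ACI")
    return clauses

def parse_aci(aci):
    """Split an ACI into its target keywords and the 'version 3.0; acl "NAME"; allow|deny (rights) bind-rule;' body."""
    info = {**dict.fromkeys(TARGET_KEYS + ("acl", "permission", "bind_rule")), "rights": []}
    for clause in split_clauses(aci):
        key, _, value = (s.strip() for s in clause.partition("="))
        if key in TARGET_KEYS:
            info[key] = value.strip('"')
        elif key.startswith("version"):
            _, acl, perm = [p.strip() for p in clause.split(";")][:3]
            info["acl"] = acl.split(None, 1)[1].strip('"')
            m = re.match(r'(allow|deny)\s*\(([^)]*)\)\s*(.*)$', perm)
            info["permission"], info["bind_rule"] = m.group(1), m.group(3).strip()
            info["rights"] = [r.strip() for r in m.group(2).split(",")]
    return info

def review(info):
    # Defender's checklist: properties of the ACI that deserve a second look.
    notes = []
    if info["target"] is None:
        notes.append("no target: applies to the entry holding the aci and its whole subtree")
    if info["permission"] == "allow" and "all" in info["rights"]:
        notes.append("grants all rights: keep the bound group's membership tightly controlled")
    if info["targetattr"] == "*" and "write" in info["rights"] and not info["targattrfilters"]:
        notes.append("write on every attribute with no value filter")
    return notes
```

Dropping the targattrfilters clause from the "Roles" ACI makes review() report the unfiltered write, which is exactly what step 7 prevents.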

From the Console, set this permission by doing the following:

1. In the Directory tab, right-click the example-people entry under the example.com node in the left navigation tree, and choose Set Access Permissions from the pop-up menu to

HP-UX Red Hat Directory Server Software manual: Granting a Group Full Access to a Suffix, ACI "HR"