Entries

(targattrfilters="add=objectClass:(objectClass=groupOfNames)")

The LDIF statement should read as follows (the closing quote after dc=com on the target keyword was missing in the printed text and is added here):

(targattrfilters="add=objectClass:(objectClass=groupOfNames)")
(targetattr = "*") (target="ldap:///ou=social committee,dc=example,dc=com")
(version 3.0; acl "Create Group"; allow (read,search,add)
(userdn= "ldap:///all") and (dns="*.example.com"); )

8. Click OK.

The new ACI is added to the ones listed in the Access Control Manager window.

9.5.2. ACI "Delete Group"

In LDIF, to grant example.com employees the right to modify or delete a group entry that they own under the ou=Social Committee branch, write the following statement (the target URL, its closing quote and the parentheses around the userattr bind rule are completed here so the ACI parses):

aci: (target="ldap:///ou=social committee,dc=example,dc=com") (targattrfilters="del=objectClass:(objectClass=groupOfNames)") (version 3.0; acl "Delete Group"; allow (delete) (userattr = "owner#GROUPDN");)

This example assumes that the ACI is added to the ou=social committee,dc=example,dc=com entry.

NOTE

Using the Console is not an effective way of creating this ACI because it requires manually editing the ACI to create the target filter and to check group ownership.
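To make the two rules above concrete, the following is an added example (not code from the manual or from Directory Server itself): a toy evaluator for the "Create Group" and "Delete Group" ACIs that shows how the targattrfilters clause and the owner#GROUPDN bind rule decide an add or delete. It assumes a constructed group "party planners" whose member uid=bjensen is used as the binding user, and it simplifies the filter to a single equality on the named attribute.

```python
import re
from fnmatch import fnmatch

# Constructed sample data, not from the manual's directory: the two ACIs of this section written
# as single strings (with the target quote closed), plus one group and its members.
CREATE_GROUP = ('(target="ldap:///ou=social committee,dc=example,dc=com")(targetattr="*")'
                '(targattrfilters="add=objectClass:(objectClass=groupOfNames)")'
                '(version 3.0; acl "Create Group"; allow (read,search,add) '
                '(userdn="ldap:///all") and (dns="*.example.com");)')
DELETE_GROUP = ('(target="ldap:///ou=social committee,dc=example,dc=com")'
                '(targattrfilters="del=objectClass:(objectClass=groupOfNames)")'
                '(version 3.0; acl "Delete Group"; allow (delete) (userattr="owner#GROUPDN");)')
SOCIAL = "ou=social committee,dc=example,dc=com"
PARTY, BJENSEN = "cn=party planners," + SOCIAL, "uid=bjensen,ou=people,dc=example,dc=com"
GROUPS = {PARTY: {BJENSEN}}  # hypothetical group DN -> member DNs, used to resolve GROUPDN

def field(aci, key):
    """Value of a quoted (key="...") keyword in an ACI, or None if absent."""
    m = re.search(r'\(' + key + r'\s*=\s*"([^"]*)"\)', aci)
    return m.group(1) if m else None

def permits(aci, op, entry_dn, entry, bind_dn, bind_host):
    """Toy check of one allow-ACI against an 'add' or 'delete' of the entry entry_dn.
    entry maps attribute names to value lists; GROUPDN is resolved through GROUPS."""
    rights = {r.strip() for r in re.search(r'allow\s*\(([^)]*)\)', aci).group(1).split(",")}
    if op not in rights:
        return False
    # (target=...) must be the entry itself or an ancestor of it
    if not entry_dn.lower().endswith(field(aci, "target").lower().removeprefix("ldap:///")):
        return False
    # targattrfilters "add=attr:(attr=value)" / "del=attr:(attr=value)": the values of attr
    # being added or removed must satisfy the filter (only a single equality filter here)
    taf = field(aci, "targattrfilters")
    if taf:
        taf_op, attr, wanted = re.match(r'(add|del)=(\w+):\(\w+=(\w+)\)', taf).groups()
        if taf_op == op[:3] and wanted.lower() not in {v.lower() for v in entry.get(attr, [])}:
            return False
    # bind rules: userdn="ldap:///all" needs an authenticated bind; dns matches the client host
    if field(aci, "userdn") == "ldap:///all" and not bind_dn:
        return False
    if field(aci, "dns") and not fnmatch(bind_host, field(aci, "dns")):
        return False
    userattr = field(aci, "userattr")
    if userattr:  # "owner#GROUPDN": the entry's owner names a group the bind DN belongs to
        attr, _, kind = userattr.partition("#")
        if kind != "GROUPDN" or not any(bind_dn in GROUPS.get(g, ()) for g in entry.get(attr, [])):
            return False
    return True
```

A real server evaluates every ACI in scope and applies deny rules first; this toy only answers whether one allow rule, on its own, would grant the operation.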

9.6. Granting Conditional Access to a Group or Role

When you grant a group or role privileged access to the directory, you usually want to ensure that those privileges are protected from intruders trying to impersonate your privileged users. For this reason, access control rules that grant critical access to a group or role are often tied to a number of additional conditions.

example.com has created a directory administrator role for each of its hosted companies, HostedCompany1 and HostedCompany2. It wants these companies to be able to manage their own data and implement their own access control rules while securing that data against intruders. For this reason, HostedCompany1 and HostedCompany2 have full rights on their respective branches

HP-UX Red Hat Directory Server Software manual: Granting Conditional Access to a Group or Role, ACI "Delete Group", Entries