Chapter 6. Managing Access Control

The new ACI is added to the ones listed in the Access Control Manager window.

9.10. Defining Permissions for DNs That Contain a Comma

DNs that contain commas require special treatment within your LDIF ACI statements. In the target and bind rule portions of the ACI statement, commas must be escaped by a single backslash (\). The escaped value in the target must match the entry's DN exactly, including any space after the escaped comma. For example:

dn: dc=example.com Bolivia\, S.A.,dc=com
objectClass: top
objectClass: organization
aci: (target="ldap:///dc=example.com Bolivia\, S.A.,dc=com")(targetattr=*) (version 3.0; acl "aci 2"; allow (all) groupdn = "ldap:///cn=Directory Administrators,dc=example.com Bolivia\, S.A.,dc=com";)

9.11. Proxied Authorization ACI Example

Proxied authorization allows one user to bind and perform operations as another user. For example, example.com has an accounting program which must be able to bind to the directory as an accounting administrator in order to write data. This authorization assumes three things:

• The client application's bind DN is "uid=MoneyWizAcctSoftware,ou=Applications,dc=example,dc=com".

• The targeted subtree to which the client application is requesting access is ou=Accounting,dc=example,dc=com.

• An accounting administrator with access permissions to the ou=Accounting,dc=example,dc=com subtree exists in the directory.

In order for the client application to gain access to the accounting subtree, using the same access permissions as the accounting administrator, two ACIs must be set:

• The accounting administrator must have access permissions to the ou=Accounting,dc=example,dc=com subtree, so the following ACI grants all rights to the accounting administrator entry:

aci: (target="ldap:///ou=Accounting,dc=example,dc=com") (targetattr="*") (version 3.0; acl "allowAll-AcctAdmin"; allow (all) userdn="ldap:///uid=AcctAdministrator,ou=Administrators,dc=example,dc=com";)

• There must be an ACI granting proxy rights to the client application in the directory:

aci: (target="ldap:///ou=Accounting,dc=example,dc=com") (targetattr="*") (version 3.0; acl "allow proxy-accounting software"; allow (proxy)
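The two mistakes that silently break ACIs like the ones above are a target DN whose escaping does not match the entry DN (for example "Bolivia\,S.A." against an entry named "Bolivia\, S.A.") and a bind rule written with ldap:// instead of ldap:///. The following Python script, an added example that is not part of the Directory Server documentation, splits DNs only at unescaped commas and reports both problems for an ACI value checked against its entry; the function names are this example's own.

```python
import re
# Characters RFC 4514 requires to be backslash-escaped inside an RDN value.
SPECIAL = set(',+"\\<>;')

def escape_dn_value(value):
    """Escape one RDN value for use in a DN, an ACI target or a bind rule."""
    out = []
    for i, ch in enumerate(value):
        edge = (ch == "#" and i == 0) or (ch == " " and i in (0, len(value) - 1))
        out.append("\\" + ch if ch in SPECIAL or edge else ch)
    return "".join(out)

def split_dn(dn):
    """Split a DN into RDNs at unescaped commas only; '\\,' stays in the value."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if not escaped and ch == ",":
            rdns.append("".join(cur))
            cur = []
            continue
        cur.append(ch)
        escaped = ch == "\\" and not escaped
    rdns.append("".join(cur))
    return rdns

def normalize_dn(dn):
    """Lower-case attribute types and drop whitespace around RDN separators."""
    parts = []
    for rdn in split_dn(dn):
        attr, _, val = rdn.strip().partition("=")
        parts.append(f"{attr.strip().lower()}={val}")
    return ",".join(parts)

# Extracts the target URL and the userdn/groupdn URL from one ACI value.
ACI_RE = re.compile(r'\(target="(?P<turl>(?:[^"\\]|\\.)*)"\).*?'
                    r'\b(?:userdn|groupdn)\s*=\s*"(?P<burl>(?:[^"\\]|\\.)*)"', re.S)

def check_aci(entry_dn, aci):
    """Return the problems found in an ACI meant for entry_dn ([] when clean)."""
    m = ACI_RE.search(aci)
    if not m:
        return ["could not find both a target and a userdn/groupdn bind rule"]
    problems = []
    for label, url in (("target", m["turl"]), ("bind rule", m["burl"])):
        if not url.startswith("ldap:///"):  # ldap:// with two slashes is a typo
            problems.append(f"{label} URL must start with ldap:///, got {url[:9]!r}")
    target_dn = re.sub(r"^ldap:/*", "", m["turl"])
    if normalize_dn(target_dn) != normalize_dn(entry_dn):
        problems.append(f"target DN {target_dn!r} does not match entry DN {entry_dn!r}")
    return problems
```

Run check_aci on each aci value of an LDIF entry before loading it; an empty list means the target matches the entry and both URLs are well formed.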
