Access Control Principles
Chapter 6
Managing Access Control
203
ACI Placement
If an entry containing an ACI does not have any child entries, the ACI applies to
that entry only. If the entry has child entries, the ACI applies to the entry itself and
all entries below it. As a direct consequence, when the server evaluates access
permissions to any given entry, it verifies the ACIs for every entry between the one
requested and the directory suffix, as well as the ACIs on the entry itself.
The
aci
attribute is multi-valued, which means that you can define several ACIs
for the same entry or subtree.
You can create an ACI on an entry that does not apply directly to that entry but to
some or all of the entries in the subtree below it. The advantage of this is that you
can place at a high level in the directory tree a general ACI that effectively applies
to entries more likely to be located lower in the tree. For example, at the level of an
organizationalUnit
entry or a
locality
entry, you could create an ACI that
targets entries that include the
inetorgperson
object class.
You can use this feature to minimize the number of ACIs in the directory tree by
placing general rules at high level branch points. To limit the scope of more specific
rules, you should place them as close as possible to leaf entries.
ACI Evaluation
To evaluate the access rights to a particular entry, the server compiles a list of the
ACIs present on the entry itself and on the parent entries back up to the top level
entry stored on the Directory Server. ACIs are evaluated across all of the databases
for a particular Directory Server but not across Directory Servers.
The evaluation of this list of ACIs is done based on the semantics of the ACIs, not
on their placement in the directory tree. This means that ACIs that are close to the
root of the directory tree do not take precedence over ACIs that are closer to the
leaves of the directory tree.
The precedence rule that applies is that ACIs that deny access take precedence over
ACIs that allow access. Between ACIs that allow access, union semantics apply, so
there is no precedence.
NOTE
ACIs placed in the root DSE entry apply only to that entry.
Summary of Contents for DIRECTORY SERVER 7.1
Page 1: ...Administrator s Guide Red Hat Directory Server Version7 1 May 2005 Updated February 2009 ...
Page 20: ...20 Red Hat Directory Server Administrator s Guide May 2005 Glossary 619 Index 635 ...
Page 22: ...22 Red Hat Directory Server Administrator s Guide May 2005 ...
Page 26: ...26 Red Hat Directory Server Administrator s Guide May 2005 ...
Page 78: ...Maintaining Referential Integrity 78 Red Hat Directory Server Administrator s Guide May 2005 ...
Page 200: ...Assigning Class of Service 200 Red Hat Directory Server Administrator s Guide May 2005 ...
Page 488: ...488 Red Hat Directory Server Administrator s Guide May 2005 ...
Page 528: ...PTA Plug in Syntax Examples 528 Red Hat Directory Server Administrator s Guide May 2005 ...
Page 572: ...572 Red Hat Directory Server Administrator s Guide May 2005 ...
Page 612: ...Examples of LDAP URLs 612 Red Hat Directory Server Administrator s Guide May 2005 ...
Page 634: ...634 Red Hat Directory Server Administrator s Guide May 2005 ...