Chapter 6. Managing Access Control
The aci attribute is multi-valued, which means that you can define several ACIs for the same entry or subtree.
An ACI created on an entry can be set so it does not apply directly to that entry but to some or all of the entries in the subtree below it. The advantage of this is that general ACIs can be placed at a high level in the directory tree that effectively apply to entries more likely to be located lower in the tree. For example, an ACI that targets entries that include the inetorgperson object class can be created at the level of an organizationalUnit entry or a locality entry.
Minimize the number of ACIs in the directory tree by placing general rules at high-level branch points. To limit the scope of more specific rules, place them as close as possible to leaf entries.
NOTE
ACIs placed in the root DSE entry apply only to that entry.
6.1.3. ACI Evaluation
To evaluate the access rights to a particular entry, the server compiles a list of the ACIs present on the
entry itself and on the parent entries back up to the top level entry stored on the Directory Server. ACIs
are evaluated across all of the databases for a particular Directory Server but not across all Directory
Server instances.
The evaluation of this list of ACIs is done based on the semantics of the ACIs, not on their placement
in the directory tree. This means that ACIs that are close to the root of the directory tree do not take
precedence over ACIs that are closer to the leaves of the directory tree.
For Directory Server ACIs, the precedence rule is that ACIs that deny access take precedence over ACIs that allow access. Between ACIs that allow access, union semantics apply, so there is no precedence.
For example, if you deny write permission at the directory's root level, then none of the users can write
to the directory, regardless of the specific permissions you grant them. To grant a specific user write
permissions to the directory, you have to restrict the scope of the original denial for write permission so
that it does not include the user.
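The evaluation described in this section, as an added toy model (not Directory Server's own code): ACIs from the entry and all of its ancestors are pooled regardless of placement, any matching deny wins, and matching allows are unioned. The suffix, bind DNs and ACIs below are constructed for the example, and the `exclude` field is a stand-in for a bind rule that excludes a user from a denial.

```python
# Added example: a toy model of Directory Server ACI evaluation (not the server's code).
# It shows the page's precedence rule: ACIs from the entry and its ancestors are pooled,
# any matching deny wins, and matching allows are unioned. DNs, users and ACIs are constructed.
from dataclasses import dataclass, field


@dataclass
class Aci:
    placed_on: str          # DN of the entry carrying the aci attribute
    kind: str               # "allow" or "deny"
    rights: set             # e.g. {"read", "write"}
    userdn: str = "anyone"  # bind rule: a specific bind DN, or "anyone"
    exclude: set = field(default_factory=set)  # constructed stand-in for "userdn != ..."


def is_under(entry_dn, ancestor_dn):
    """True if entry_dn is ancestor_dn itself or sits below it (DNs compared as suffixes)."""
    return entry_dn == ancestor_dn or entry_dn.endswith("," + ancestor_dn)


def bind_rule_matches(aci, bind_dn):
    if bind_dn in aci.exclude:
        return False
    return aci.userdn == "anyone" or aci.userdn == bind_dn


def evaluate(acis, entry_dn, bind_dn, right):
    # Collect ACIs on the entry and on every parent up to the suffix; placement order is irrelevant.
    applicable = [a for a in acis
                  if is_under(entry_dn, a.placed_on) and bind_rule_matches(a, bind_dn) and right in a.rights]
    # Precedence rule: any deny takes precedence over any allow ...
    if any(a.kind == "deny" for a in applicable):
        return False
    # ... and between allows, union semantics apply: one matching allow is enough.
    return any(a.kind == "allow" for a in applicable)


SUFFIX = "dc=example,dc=com"             # constructed directory suffix
ADMIN = "uid=admin,ou=people," + SUFFIX  # constructed bind DN
ENTRY = "uid=jdoe,ou=people," + SUFFIX   # constructed target entry

# Case 1 (the section's example): deny write at the root, allow write for admin lower down.
broken = [Aci(SUFFIX, "deny", {"write"}),
          Aci("ou=people," + SUFFIX, "allow", {"write"}, userdn=ADMIN)]

# Case 2 (the section's fix): restrict the scope of the denial so it no longer covers admin.
fixed = [Aci(SUFFIX, "deny", {"write"}, exclude={ADMIN}),
         Aci("ou=people," + SUFFIX, "allow", {"write"}, userdn=ADMIN)]

if __name__ == "__main__":
    print("broken:", evaluate(broken, ENTRY, ADMIN, "write"))  # False: the root deny wins
    print("fixed: ", evaluate(fixed, ENTRY, ADMIN, "write"))   # True: the deny no longer applies
```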
6.1.4. ACI Limitations
When creating an access control policy for your directory service, you need to be aware of the
following restrictions:
• If your directory tree is distributed over several servers using the chaining feature, some restrictions apply to the keywords you can use in access control statements:
  • ACIs that depend on group entries (groupdn keyword) must be located on the same server as the group entry. If the group is dynamic, then all members of the group must have an entry on the server, too. If the group is static, the members' entries can be located on remote servers.
  • ACIs that depend on role definitions (roledn keyword) must be located on the same server as the role definition entry. Every entry that is intended to have the role must also be located on the same server.