Chapter 6. Managing Access Control
ou=accounting,dc=example,dc=com, the permissions you set apply to all entries in the accounting branch of the example.com tree.
As a counter example, if you place an ACI on the ou=accounting,dc=example,dc=com entry, you cannot target the uid=sarette,ou=people,dc=example,dc=com entry, because it is not located under the accounting tree.
Be wary of using != when specifying an attribute to deny. ACLs are treated as a logical OR, which means that if you create the two ACLs shown below, the combined result allows access to every attribute, not just the one you meant to exclude.
acl1: ( target=...)( targetattr!=a )(version 3.0; acl "name";allow (...)..
acl2: ( target=...)( targetattr!=b )(version 3.0; acl "name";allow (...)..
The first ACL (acl1) allows every attribute except a, which includes b; the second ACL (acl2) allows every attribute except b, which includes a. Because the two rules are ORed, the result is the same as a single ACL of the following form:
acl3: ( targetattr="*" ) allow (...) ...
Nothing is denied by this combination, which can give rise to security problems.
When you want to deny access to a particular attribute, use deny in the permissions clause rather than allow with ( targetattr != value ). For example, usages such as these are recommended:
acl1: ( target=...)( targetattr=a )(version 3.0; acl "name";deny (...)..
acl2: ( target=...)( targetattr=b )(version 3.0; acl "name";deny (...)..
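The following toy evaluator is an added example, not code from the Directory Server guide. It models only the two rules the text relies on (ACLs are ORed, and a matching deny wins over a matching allow) and applies them to the acl1/acl2 pairs above, so you can see that the two allow rules with != reach every attribute while the two deny rules do not. The attribute names a, b and cn, the Aci class and the helper function names are assumptions for the example.

```python
"""Added example (not from the Directory Server guide): a toy ACI evaluator
that shows why `allow` combined with `targetattr != x` is dangerous.
Modelled rules: ACIs are ORed (any matching allow grants access) and a
matching deny takes precedence over allows. Names and attributes are
assumptions for the example."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Aci:
    name: str
    targetattr: str      # e.g. "a", "!=a", "*", "a || b"
    permission: str      # "allow" or "deny"
    rights: frozenset    # e.g. frozenset({"read"})


def attr_matches(targetattr: str, attr: str) -> bool:
    """Does this ACI's targetattr clause reach `attr`?
    Supports "*", "x || y" lists and the negated form "!=x || y"."""
    spec = targetattr.strip()
    negate = spec.startswith("!=")
    if negate:
        spec = spec[2:].strip()
    if spec == "*":
        hit = True
    else:
        names = {n.strip().lower() for n in spec.split("||")}
        hit = attr.lower() in names
    return (not hit) if negate else hit


def allowed(acis, attr: str, right: str) -> bool:
    """Deny wins if any deny ACI reaches attr with this right; otherwise any
    matching allow grants it; with no matching rule the default is deny."""
    matching = [a for a in acis
                if right in a.rights and attr_matches(a.targetattr, attr)]
    if any(a.permission == "deny" for a in matching):
        return False
    return any(a.permission == "allow" for a in matching)


def reachable(acis, attrs, right: str):
    """Sorted list of the attributes that `right` is granted on."""
    return sorted(a for a in attrs if allowed(acis, a, right))


# Constructed attribute set for the demonstration.
ATTRS = ["a", "b", "cn"]

# The pattern the guide warns against: two allows with != clauses.
BAD = [
    Aci("acl1", "!=a", "allow", frozenset({"read"})),
    Aci("acl2", "!=b", "allow", frozenset({"read"})),
]
# What the pair collapses to: a single allow on every attribute.
ACL3 = [Aci("acl3", "*", "allow", frozenset({"read"}))]
# Recommended form: explicit deny rules for a and b, here combined with a
# base allow so the remaining attribute (cn) is still reachable.
GOOD = [
    Aci("acl1", "a", "deny", frozenset({"read"})),
    Aci("acl2", "b", "deny", frozenset({"read"})),
    Aci("base", "*", "allow", frozenset({"read"})),
]

if __name__ == "__main__":
    print("allow with != :", reachable(BAD, ATTRS, "read"))   # ['a', 'b', 'cn']
    print("targetattr=*  :", reachable(ACL3, ATTRS, "read"))  # same result
    print("explicit deny :", reachable(GOOD, ATTRS, "read"))  # ['cn']
```

Run it and the first two lines print the same attribute list: the two != allows are indistinguishable from acl3. Only the explicit deny rules actually remove a and b from what a bound user can read.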
6.3.2.1. Targeting a Directory Entry
To target a directory entry (and the entries below it), you must use the target keyword. The target keyword accepts a value of the following format:
target="ldap:///distinguished_name"
This identifies the distinguished name of the entry to which the access control rule applies. For example:
(target = "ldap:///uid=bjensen,dc=example,dc=com")
NOTE
If the DN of the entry to which the access control rule applies contains a comma, escape the comma with a single backslash (\), such as (target="ldap:///uid=lfuentes,dc=example.com Bolivia\,S.A.").
Wildcards can be used when targeting a distinguished name with the target keyword. The wildcard (*) indicates that any character, string, or substring is a match for the wildcard; pattern matching is based on any other strings that have been specified alongside the wildcard.
The following are legal examples of wildcard usage:
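The matcher below is an added example and not code from the Directory Server guide. It parses a (target="ldap:///...") clause and checks which entry DNs the rule reaches, covering the three cases the text describes: the rule applies to the target entry and everything below it, a comma inside a DN value is escaped as \, and * matches any character, string or substring. Assumptions made for the example: * may match across commas, matching is case-insensitive, \, is the only escape in use, and the sample DNs are constructed for the example.com tree; real Directory Server DN normalization is not reproduced.

```python
"""Added example, not code from the Directory Server guide: a small matcher
for the target keyword, target="ldap:///DN", with `*` wildcards.
Assumptions: `*` matches any substring (including commas), matching is
case-insensitive, a rule also covers entries below its target DN, and `\,`
is the only escape in use. Directory Server's own DN normalization is not
reproduced here."""

import re

_TARGET = re.compile(r'\(?\s*target\s*=\s*"ldap:///(?P<dn>.*)"\s*\)?')


def parse_target(clause: str) -> str:
    """Return the DN pattern inside a (target="ldap:///...") clause."""
    m = _TARGET.fullmatch(clause.strip())
    if not m:
        raise ValueError(f"not a target clause: {clause!r}")
    return m.group("dn")


def target_regex(dn_pattern: str) -> "re.Pattern":
    """Turn a DN pattern into a regex. Each `*` becomes `.*`; everything else,
    including a backslash-escaped comma, is matched literally. The optional
    leading group lets the rule reach entries below the target entry."""
    body = ".*".join(re.escape(part) for part in dn_pattern.split("*"))
    return re.compile(r"(?:.*,)?" + body, re.IGNORECASE | re.DOTALL)


def target_matches(clause: str, entry_dn: str) -> bool:
    """True if a rule with this target clause applies to entry_dn."""
    return target_regex(parse_target(clause)).fullmatch(entry_dn.strip()) is not None


def entries_in_scope(clause: str, entry_dns):
    """Entries from entry_dns that a rule with this target clause applies to,
    in their original order."""
    rx = target_regex(parse_target(clause))
    return [dn for dn in entry_dns if rx.fullmatch(dn.strip())]


# Constructed sample DNs (not from the guide) in the guide's example.com tree.
# The last one carries an escaped comma inside a DN value, as in the NOTE.
SAMPLE_DNS = [
    "dc=example,dc=com",
    "ou=accounting,dc=example,dc=com",
    "uid=bjensen,ou=accounting,dc=example,dc=com",
    "uid=sarette,ou=people,dc=example,dc=com",
    "uid=lfuentes,dc=example.com Bolivia\\,S.A.",
]

if __name__ == "__main__":
    for clause in (
        '(target="ldap:///ou=accounting,dc=example,dc=com")',
        '(target="ldap:///uid=*,dc=example,dc=com")',
        '(target="ldap:///uid=lfuentes,dc=example.com Bolivia\\,S.A.")',
    ):
        print(clause, "->", entries_in_scope(clause, SAMPLE_DNS))
```

The first clause reproduces the counter example from the text: the accounting target reaches ou=accounting and the entry beneath it, but not uid=sarette under ou=people. The wildcard clause reaches both uid entries under dc=example,dc=com, and the escaped-comma clause reaches only the lfuentes entry because the literal \, in the pattern must match the literal \, in the DN.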