Defining Access Based on Value Matching

Figure 6.1. Using Inheritance With the userattr Keyword
In this example, if you did not use inheritance, you would have to do one of the following to achieve the same result:

• Explicitly set read and search access for user bjensen on the cn=Profiles, cn=mail, and cn=news entries in the directory.

• Add the owner attribute to the cn=mail and cn=news entries with the full DN of bjensen's entry as its value (for example uid=bjensen,ou=People,dc=example,dc=com; the USERDN bind type compares the bind DN against the attribute value, so the value must be a DN), and then add the following ACI to the cn=mail and cn=news entries:

aci: (targetattr="*") (version 3.0; acl "profiles access"; allow (read,search) userattr="owner#USERDN";)
6.4.5.1.7. Granting Add Permission Using the userattr Keyword

Using the userattr keyword in conjunction with all or add permissions does not behave as one would typically expect. Normally, when a new entry is created in the directory, Directory Server evaluates access rights on the entry being created and not on the parent entry. For an ACI that uses the userattr keyword, that rule would open a security hole: the attribute the ACI matches against (owner, manager, and so on) is part of the entry being added, so whoever submits the add request chooses its value and could simply set it to their own DN to satisfy the ACI. The server's normal behavior is therefore modified to avoid this.
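The following is an added example and not Directory Server code: a toy model of the userattr evaluation rules described above, written so that both the inheritance shortcut from Figure 6.1 and the add-permission edge case can be exercised offline. The directory content, the bind DNs (uid=bjensen and uid=tmorris under ou=People), the parent[n] level notation and the two add-granting ACIs are assumptions constructed for the example; the last scenario (granting add through parent[1], the owner of the existing parent entry) goes beyond the text on this page and shows the form of add grant that the level-0 rule does not block.

```python
"""Toy model of how Directory Server evaluates a userattr ACI.
Added example, not Directory Server code: a small simulation of the documented
rules so the inheritance shortcut and the add-permission edge case can be run
offline. All DNs, entries and ACIs below are constructed for the example."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

def norm_dn(dn: str) -> str:
    """Crude DN normalisation: case-fold and strip whitespace around RDNs."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parent_dn(dn: str) -> str:
    """DN of the parent entry ('' for a suffix with no parent)."""
    return dn.partition(",")[2]

def is_under(dn: str, subtree: str) -> bool:
    dn, subtree = norm_dn(dn), norm_dn(subtree)
    return dn == subtree or dn.endswith("," + subtree)

# Constructed directory content. owner values are full DNs because the USERDN
# bind type compares the bind DN against the attribute value.
BJENSEN = "uid=bjensen,ou=People,dc=example,dc=com"
TMORRIS = "uid=tmorris,ou=People,dc=example,dc=com"
PROFILES = "cn=Profiles,dc=example,dc=com"
MAIL, NEWS = "cn=mail," + PROFILES, "cn=news," + PROFILES

def build_directory(owner_on_children: bool) -> Dict[str, Dict[str, str]]:
    """Figure 6.1 layout (owner only on cn=Profiles), or the listed alternative
    with owner copied onto cn=mail and cn=news."""
    child = {"owner": BJENSEN} if owner_on_children else {}
    raw = {"dc=example,dc=com": {}, "ou=People,dc=example,dc=com": {},
           "ou=Accounting,dc=example,dc=com": {}, PROFILES: {"owner": BJENSEN},
           MAIL: dict(child), NEWS: dict(child)}
    return {norm_dn(dn): attrs for dn, attrs in raw.items()}

@dataclass(frozen=True)
class UserAttrACI:
    """(target="ldap:///<target>") allow (<rights>) userattr="parent[<levels>].<attr>#USERDN"
    A plain "<attr>#USERDN" is the same as parent[0]."""
    target: str
    rights: FrozenSet[str]
    attr: str
    levels: Tuple[int, ...] = (0,)

def userattr_matches(aci, directory, bind_dn, entry_dn, entry_attrs, right, strict):
    """True if bind_dn equals aci.attr at one of aci.levels (0 = the target
    entry, 1 = its parent, ...). With strict=True level 0 is skipped for add:
    that entry is the one being created, so the requester chose its values."""
    for level in aci.levels:
        if strict and right == "add" and level == 0:
            continue
        dn = entry_dn
        for _ in range(level):
            dn = parent_dn(dn)
        attrs = entry_attrs if level == 0 else directory.get(norm_dn(dn))
        value = (attrs or {}).get(aci.attr)
        if value is not None and norm_dn(value) == norm_dn(bind_dn):
            return True
    return False

def allowed(acis: List[UserAttrACI], directory, bind_dn: str, right: str,
            entry_dn: str, new_entry: Optional[Dict[str, str]] = None,
            strict: bool = True) -> bool:
    """read/search look the target up; add takes the entry about to be created."""
    if right == "add":
        entry_attrs = new_entry or {}
    else:
        entry_attrs = directory.get(norm_dn(entry_dn))
        if entry_attrs is None:
            return False
    return any(right in aci.rights and is_under(entry_dn, aci.target) and
               userattr_matches(aci, directory, bind_dn, entry_dn, entry_attrs,
                                right, strict) for aci in acis)

RS = frozenset({"read", "search"})
INHERITED = [UserAttrACI(PROFILES, RS, "owner", (0, 1))]  # the figure's single ACI
EXPLICIT = [UserAttrACI(PROFILES, RS, "owner", (0,))]     # the listed alternative
# Hypothetical add grants: through the new entry itself, and through its parent.
ADD_SELF = [UserAttrACI("dc=example,dc=com", frozenset({"add"}), "owner", (0,))]
ADD_BELOW = [UserAttrACI("dc=example,dc=com", frozenset({"add"}), "owner", (1,))]

def scenarios() -> Dict[str, bool]:
    figure, alternative = build_directory(False), build_directory(True)
    evil, calendar = "cn=evil,ou=Accounting,dc=example,dc=com", "cn=calendar," + PROFILES
    return {
        # both setups give bjensen, and only bjensen, read on the children...
        "inherited_bjensen_mail": allowed(INHERITED, figure, BJENSEN, "read", MAIL),
        "inherited_tmorris_mail": allowed(INHERITED, figure, TMORRIS, "read", MAIL),
        "explicit_bjensen_news": allowed(EXPLICIT, alternative, BJENSEN, "read", NEWS),
        # ...but the level-0 ACI alone does nothing if owner was not copied down
        "explicit_owner_not_copied": allowed(EXPLICIT, figure, BJENSEN, "read", MAIL),
        # the hole: checking add on the new entry lets tmorris name himself owner
        "naive_add_self_owner": allowed(ADD_SELF, figure, TMORRIS, "add", evil,
                                        {"owner": TMORRIS}, strict=False),
        "strict_add_self_owner": allowed(ADD_SELF, figure, TMORRIS, "add", evil,
                                         {"owner": TMORRIS}),
        # parent[1] still lets the owner of an existing entry add beneath it
        "bjensen_add_under_profiles": allowed(ADD_BELOW, figure, BJENSEN, "add", calendar, {}),
        "tmorris_add_under_profiles": allowed(ADD_BELOW, figure, TMORRIS, "add", calendar, {}),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:28} {'ALLOW' if ok else 'DENY'}")
```

Running the module prints one ALLOW/DENY line per scenario. The two read/search setups return the same answers for bjensen and tmorris, which is the equivalence the list above describes; the add scenarios show why a level-0 userattr match cannot be trusted on an add, since the requester authored the very attribute value being compared, while a match on the existing parent entry remains a sound basis for granting add rights beneath it.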
Consider the following example:
aci: (target="ldap:///dc=example,dc=com")(targetattr=*) (version 3.0;