Chapter 6. Managing Access Control
acl "manager-write"; allow (all) userattr = "manager#USERDN";)
This ACI grants managers all rights on the entries of employees that report to them. However, because the bind rule is evaluated against the entry being created, an ACI of this form would also let any employee create an entry whose manager attribute is set to their own DN. For example, disgruntled employee Joe (cn=Joe,ou=eng,dc=example,dc=com) might want to create an entry in the Human Resources branch of the tree to use (or misuse) the privileges granted to Human Resources employees.
He could do this by creating the following entry:
dn: cn=Trojan Horse,ou=Human Resources,dc=example,dc=com
objectclass: top
...
cn: Trojan Horse
manager: cn=Joe,ou=eng,dc=example,dc=com
To avoid this type of security threat, the ACI evaluation process never grants add permission at level 0, that is, on the basis of attributes in the entry being added itself. You can, however, use the parent keyword to grant add rights below existing entries. The parent keyword takes, in brackets, the levels at which the attribute is checked: 0 for the target entry itself, 1 for its parent, and so on. For example, the following ACI allows child entries to be added under any entry in the dc=example,dc=com suffix that has a manager attribute matching the bind DN:
aci: (target="ldap:///dc=example,dc=com")(targetattr=*)
(version 3.0; acl "parent-access"; allow (add)
userattr = "parent[0,1].manager#USERDN";)
This ACI grants add permission only to users whose bind DN matches the manager attribute of the parent entry. The 0 in parent[0,1] is never honoured for an add, so setting manager on the new entry itself, as Joe did above, gains nothing.
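The following Python model is added here as an example; it is not Directory Server code, and the directory entries, the DNs and the function names (parse_userattr, add_allowed, demo) are constructed for illustration. It evaluates a userattr bind rule for an add operation both the naive way (consulting the entry being added) and the way described above (level 0 skipped, parent[n] walked up the tree), so that the effect on Joe's Trojan Horse entry and on a legitimate manager add can be compared side by side. DN comparison is simplified to trimming and lower-casing, which is an assumption of the example.

```python
import re

DN_SEP = re.compile(r"(?<!\\),")   # comma not preceded by a backslash


def norm_dn(dn):
    """Simplified DN normalisation: trim around separators, lower-case (assumption)."""
    return ",".join(p.strip() for p in DN_SEP.split(dn)).lower()


def parent_dn(dn):
    """Everything after the first unescaped comma, or None at the suffix root."""
    parts = DN_SEP.split(dn, maxsplit=1)
    return parts[1] if len(parts) == 2 else None


# Constructed sample directory (not from the page): DN -> lower-cased attributes.
_RAW = [
    ("dc=example,dc=com", {}),
    ("ou=eng,dc=example,dc=com", {}),
    ("ou=Human Resources,dc=example,dc=com",
     {"manager": ["cn=HR Director,ou=Human Resources,dc=example,dc=com"]}),
    ("cn=HR Director,ou=Human Resources,dc=example,dc=com", {}),
    ("cn=Alice,ou=eng,dc=example,dc=com", {}),
    ("cn=Joe,ou=eng,dc=example,dc=com",
     {"manager": ["cn=Alice,ou=eng,dc=example,dc=com"]}),
]
DIRECTORY = {norm_dn(dn): attrs for dn, attrs in _RAW}

USERATTR_RE = re.compile(r"^(?:parent\[([0-9,]+)\]\.)?([A-Za-z][\w-]*)#USERDN$")


def parse_userattr(spec):
    """Parse 'attr#USERDN' or 'parent[l1,l2,...].attr#USERDN' into (levels, attr)."""
    m = USERATTR_RE.match(spec.strip())
    if not m:
        raise ValueError(f"unsupported userattr spec: {spec!r}")
    levels = [int(x) for x in m.group(1).split(",")] if m.group(1) else [0]
    return levels, m.group(2).lower()


def ancestor(directory, dn, level):
    """Attributes of the entry `level` steps above dn, or None if it does not exist."""
    cur = dn
    for _ in range(level):
        cur = parent_dn(cur)
        if cur is None:
            return None
    return directory.get(norm_dn(cur))


def add_allowed(directory, new_dn, new_entry, bind_dn, userattr_spec, skip_level0=True):
    """Evaluate a userattr bind rule for an ADD of new_entry at new_dn.

    skip_level0=True models the behaviour described in the text: for add, the
    entry being created (level 0) is never consulted, because the requester
    controls its contents.  skip_level0=False is the naive evaluation that
    would let the Trojan Horse entry through.
    """
    levels, attr = parse_userattr(userattr_spec)
    want = norm_dn(bind_dn)
    for level in levels:
        if level == 0:
            if skip_level0:
                continue
            entry = new_entry
        else:
            entry = ancestor(directory, new_dn, level)
        if not entry:
            continue
        if want in {norm_dn(v) for v in entry.get(attr, [])}:
            return True
    return False


JOE = "cn=Joe,ou=eng,dc=example,dc=com"
HR_DIRECTOR = "cn=HR Director,ou=Human Resources,dc=example,dc=com"
ALICE = "cn=Alice,ou=eng,dc=example,dc=com"
TROJAN_DN = "cn=Trojan Horse,ou=Human Resources,dc=example,dc=com"
TROJAN = {"objectclass": ["top", "person"], "cn": ["Trojan Horse"], "manager": [JOE]}


def demo():
    """Run the scenarios from the text and return their outcomes."""
    return {
        # naive evaluation of manager#USERDN on the new entry: Joe grants himself add
        "naive_level0_joe": add_allowed(DIRECTORY, TROJAN_DN, TROJAN, JOE,
                                        "manager#USERDN", skip_level0=False),
        # level 0 is never honoured for add, so the same rule grants nothing
        "level0_skipped_joe": add_allowed(DIRECTORY, TROJAN_DN, TROJAN, JOE,
                                          "manager#USERDN"),
        # parent[0,1]: only the manager recorded on ou=Human Resources may add beneath it
        "parent_rule_joe": add_allowed(DIRECTORY, TROJAN_DN, TROJAN, JOE,
                                       "parent[0,1].manager#USERDN"),
        "parent_rule_hr_director": add_allowed(DIRECTORY, TROJAN_DN, TROJAN, HR_DIRECTOR,
                                               "parent[0,1].manager#USERDN"),
        # Alice is Joe's manager, so she may add entries directly beneath Joe's entry
        "parent_rule_alice_under_joe": add_allowed(
            DIRECTORY, "cn=laptop,cn=Joe,ou=eng,dc=example,dc=com",
            {"objectclass": ["top", "device"]}, ALICE, "parent[0,1].manager#USERDN"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'allowed' if result else 'denied'}")
```

The model deliberately separates the two decisions: which entry's attribute is consulted (the level), and whether the bind DN appears among its values. The naive scenario is the only one in which the requester controls the consulted entry, which is exactly why the server refuses level 0 for add.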
6.4.6. Defining Access from a Specific IP Address
Using bind rules, you can indicate that the bind operation must originate from a specific IP address.
This is often used to force all directory updates to occur from a given machine or network domain.
The LDIF syntax for setting a bind rule based on an IP address is as follows:
ip = "IP_address" or ip != "IP_address"
The IP address must be expressed in dot notation. You can use the wildcard character (*) to include
multiple machines. For example, the following string is valid:
ip = "12.123.1.*";
The bind rule evaluates to true if the client accessing the directory is located at the named IP address. This can be useful for allowing certain kinds of directory access only from a specific subnet or machine. Note that the address checked is the peer address of the client's connection as the server sees it; clients that reach the server through a proxy or load balancer all appear to come from the proxy's address.
For example, use a wildcard IP address such as 12.3.45.* to specify a subnetwork, or 123.45.6.*+255.255.255.115 to specify a subnetwork mask.
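The following Python matcher is added here as an example of how such a rule is evaluated; it is not Directory Server code, and the function names (parse_ip_pattern, pattern_matches, ip_rule_true) and the client addresses it is run against are constructed for illustration. It accepts the three forms the text gives (exact dotted quad, wildcard octets, and a trailing +mask) and also covers the case the text does not mention, a client that is not reachable by a dotted-quad pattern at all (an IPv6 peer). One point is an assumption rather than something the page states: when an explicit +mask is present, the example lets it replace the mask implied by the wildcards, so that 123.45.6.*+255.255.255.115 keeps exactly the last-octet bits the mask names.

```python
import ipaddress
import re

RULE_RE = re.compile(r'^\s*ip\s*(!?=)\s*"([^"]+)"\s*;?\s*$')


def parse_ip_pattern(pattern):
    """Turn 'a.b.c.d', 'a.b.c.*' or 'a.b.c.*+m.m.m.m' into (network_int, mask_int).

    Wildcard octets clear the corresponding mask bits.  An explicit '+mask'
    replaces the wildcard-derived mask (this example's reading of the syntax,
    an assumption not verified against the server's parser).
    """
    addr_part, _, mask_part = pattern.partition("+")
    fields = addr_part.split(".")
    if len(fields) != 4:
        raise ValueError(f"expected dotted quad: {pattern!r}")
    addr = mask = 0
    for f in fields:
        addr <<= 8
        mask <<= 8
        if f == "*":
            continue                      # wildcard: 0 in address, 0 in mask
        octet = int(f)
        if not 0 <= octet <= 255:
            raise ValueError(f"bad octet {f!r} in {pattern!r}")
        addr |= octet
        mask |= 0xFF
    if mask_part:
        mask = int(ipaddress.IPv4Address(mask_part))   # non-contiguous masks allowed
    return addr & mask, mask


def pattern_matches(pattern, client_ip):
    """True if the client's IPv4 address falls within the pattern."""
    try:
        client = int(ipaddress.IPv4Address(client_ip))
    except ipaddress.AddressValueError:
        return False          # a dotted-quad pattern cannot match a non-IPv4 peer
    network, mask = parse_ip_pattern(pattern)
    return client & mask == network


def ip_rule_true(rule, client_ip):
    """Evaluate an 'ip = "..."' or 'ip != "..."' bind rule for one client address."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"not an ip bind rule: {rule!r}")
    op, pattern = m.groups()
    matched = pattern_matches(pattern, client_ip)
    return matched if op == "=" else not matched


if __name__ == "__main__":
    # Constructed client addresses, not taken from any real deployment.
    for rule, client in [
        ('ip = "12.123.1.*";', "12.123.1.77"),
        ('ip = "12.123.1.*";', "12.123.2.77"),
        ('ip != "12.123.1.*";', "12.123.2.77"),
        ('ip = "123.45.6.*+255.255.255.115";', "123.45.6.140"),
        ('ip = "123.45.6.*+255.255.255.115";', "123.45.6.1"),
        ('ip = "12.123.1.*";', "::1"),
    ]:
        print(f"{rule:40} client {client:14} -> {ip_rule_true(rule, client)}")
```

With the mask 255.255.255.115 the last octet is compared only on bits 0, 1, 4, 5 and 6, so 123.45.6.140 (bits 2, 3 and 7 set) matches the pattern while 123.45.6.1 does not; a non-contiguous mask like this is easy to misread, which is a reason to prefer plain wildcards or a conventional prefix mask when writing the rule.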
From the Directory Server Console, you can define specific machines to which the ACI applies through the Access Control Editor. For more information, see Section 6.5, “Creating ACIs from the Console”.