Chapter 6. Managing Access Control
6.9.6. Granting Conditional Access to a Group or Role
In many cases, when you grant a group or role privileged access to the directory, you want to
ensure that those privileges are protected from intruders trying to impersonate your privileged users.
For this reason, access control rules that grant critical access to a group or role are often
associated with a number of conditions, all of which must hold before the access is allowed.
example.com has created a directory administrator role for each of its hosted companies,
HostedCompany1 and HostedCompany2. It wants these companies to be able to manage their
own data and implement their own access control rules while securing it against intruders. For this
reason, HostedCompany1 and HostedCompany2 have full rights on their respective branches of the
directory tree, provided the following conditions are fulfilled:
• Connection authenticated using SSL with a client certificate (this is what authmethod="ssl"
  requires; a simple password bind made over an SSL connection does not satisfy it)
• Access requested between 8 a.m. and 6 p.m., Monday through Thursday
• Access requested from a specified IP address for each company
These conditions are illustrated in a single ACI for each company, HostedCompany1 and
HostedCompany2. Because the content of these ACIs is the same, the examples below illustrate the
HostedCompany1 ACI only.
6.9.6.1. ACI "HostedCompany1"
In LDIF, to grant HostedCompany1 full access to their own branch of the directory under the
conditions stated above, write the following statement:
aci: (target="ou=HostedCompany1,ou=corporate-clients,dc=example,dc=com")
 (targetattr= "*") (version 3.0; acl "HostedCompany1";allow (all)
 (roledn="ldap:///cn=DirectoryAdmin,ou=HostedCompany1,
 ou=corporate-clients, dc=example,dc=com") and
 (authmethod="ssl") and (dayofweek="Mon,Tues,Wed,Thu") and (timeofday >= "0800" and
 timeofday <= "1800") and (ip="255.255.123.234"); )
This example assumes that the ACI is added to the
ou=HostedCompany1,ou=corporate-clients,dc=example,dc=com entry. The address in the ip
condition is a placeholder: replace 255.255.123.234 with the address HostedCompany1 actually
connects from, since the ACI grants nothing to a bind that arrives from any other address.
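The bind rule in this ACI is a conjunction: the server allows the operation only when the bound role matches and every one of the authmethod, dayofweek, timeofday and ip conditions also holds. The following Python script is an added example, not code from the Directory Server documentation or product. It models that evaluation for the five bind-rule keywords the HostedCompany1 ACI uses and replays the ACI against a handful of constructed binds (the legitimate administrator, the same administrator after hours, over a simple bind, and from another address) to show which condition refuses each one. Matching dayofweek names on their first three letters and accepting a "*" wildcard in ip values are assumptions of this model, as are the field names in the bind-context dictionaries.

```python
"""Evaluate the bind-rule half of a Directory Server ACI against a simulated bind.

Added example for this section, not Directory Server's own ACL code: it models
only the five bind-rule keywords the HostedCompany1 ACI uses (roledn, authmethod,
dayofweek, timeofday, ip), joined with "and", to show that a bind which fails any
single condition is refused even though its role membership is correct.
"""
import operator
import re
from fnmatch import fnmatch

# The HostedCompany1 ACI from the text, with the LDIF continuation lines joined.
HOSTED_COMPANY1_ACI = (
    '(target="ou=HostedCompany1,ou=corporate-clients,dc=example,dc=com")'
    '(targetattr= "*") (version 3.0; acl "HostedCompany1";allow (all)'
    '(roledn="ldap:///cn=DirectoryAdmin,ou=HostedCompany1,'
    'ou=corporate-clients, dc=example,dc=com") and '
    '(authmethod="ssl") and (dayofweek="Mon,Tues,Wed,Thu") and (timeofday >= "0800" and '
    'timeofday <= "1800") and (ip="255.255.123.234"); )'
)

COND_RE = re.compile(r'(\w+)\s*(>=|<=|!=|=)\s*"([^"]*)"')
OPS = {">=": operator.ge, "<=": operator.le, "=": operator.eq, "!=": operator.ne}


def normalize_dn(dn):
    """Lowercase a DN and drop the whitespace around its commas, so a DN that was
    wrapped across LDIF continuation lines compares equal to its one-line form."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def bind_rule(aci):
    """Return the bind-rule text between 'allow (all)' and the ';' that ends it."""
    m = re.search(r'allow\s*\(all\)\s*(.*?);\s*\)\s*$', aci, re.S)
    if not m:
        raise ValueError("no 'allow (all)' bind rule found")
    rule = m.group(1)
    # This model only ANDs conditions; refuse rules that use 'or' or 'not'
    # (quoted values are blanked first so DN text cannot trigger the check).
    if re.search(r"\b(or|not)\b", re.sub(r'"[^"]*"', '""', rule), re.I):
        raise ValueError("only pure 'and' bind rules are modelled here")
    return rule


def condition_holds(keyword, op, value, ctx):
    """Evaluate one (keyword op "value") against the bind context dict ctx."""
    if keyword == "roledn":
        # Role DNs are written as LDAP URLs; compare the DN part, normalized.
        dn = value[len("ldap:///"):] if value.startswith("ldap:///") else value
        member = normalize_dn(dn) in {normalize_dn(r) for r in ctx["roles"]}
        return member if op == "=" else not member
    if keyword == "authmethod":
        return OPS[op](ctx["authmethod"].lower(), value.lower())
    if keyword == "dayofweek":
        # Directory Server documents the three-letter names Sun..Sat; comparing
        # on the first three letters also accepts the "Tues" spelling used in
        # the example ACI (an assumption made by this model, not server behaviour).
        days = {d.strip()[:3].lower() for d in value.split(",")}
        today = ctx["dayofweek"][:3].lower()
        return (today in days) if op == "=" else (today not in days)
    if keyword == "timeofday":
        # HHMM strings compare correctly as integers (0800 < 0930 < 1800).
        return OPS[op](int(ctx["timeofday"]), int(value))
    if keyword == "ip":
        # fnmatch provides the '*' wildcard that ip bind rules may contain (assumption).
        matched = fnmatch(ctx["ip"], value)
        return matched if op == "=" else not matched
    raise ValueError("unsupported bind-rule keyword: " + keyword)


def failed_conditions(aci, ctx):
    """Return the conditions of the ACI's bind rule that this bind does not meet."""
    return [
        f'{kw} {op} "{val}"'
        for kw, op, val in COND_RE.findall(bind_rule(aci))
        if not condition_holds(kw, op, val, ctx)
    ]


def aci_permits(aci, ctx):
    """True only when every condition of the bind rule holds for this bind."""
    return not failed_conditions(aci, ctx)


# Constructed bind contexts (hypothetical field names): the legitimate
# HostedCompany1 admin, then the same role presented under conditions the ACI rejects.
ADMIN_BIND = {
    "roles": ["cn=DirectoryAdmin,ou=HostedCompany1,ou=corporate-clients,dc=example,dc=com"],
    "authmethod": "ssl",      # certificate-based SSL client authentication
    "dayofweek": "Tue",
    "timeofday": "0930",
    "ip": "255.255.123.234",  # the placeholder address from the ACI
}
AFTER_HOURS_BIND = dict(ADMIN_BIND, timeofday="1830")
SIMPLE_BIND = dict(ADMIN_BIND, authmethod="simple")
FOREIGN_IP_BIND = dict(ADMIN_BIND, ip="192.0.2.10")

if __name__ == "__main__":
    for name, ctx in [("admin", ADMIN_BIND), ("after hours", AFTER_HOURS_BIND),
                      ("simple bind", SIMPLE_BIND), ("foreign ip", FOREIGN_IP_BIND)]:
        failed = failed_conditions(HOSTED_COMPANY1_ACI, ctx)
        print(name, "->", "allow" if not failed else "deny: " + ", ".join(failed))
```

Running the script prints one line per constructed bind, naming the condition that refuses each rejected one. The point to take from it is that the role DN alone never grants access: the ACI is written so that a stolen administrator password used from the wrong address, outside the window, or without the client certificate fails the bind rule as a whole.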
From the Console, set this permission by doing the following:
1. In the Directory tab, right-click the HostedCompany1 entry under the example.com node in the
left navigation tree, and choose Set Access Permissions from the pop-up menu to display the
Access Control Manager.
2. Click New to display the Access Control Editor.
3. In the Users/Groups tab, type HostedCompany1 in the ACI name field. In the list of users
granted access permission, do the following:
   a. Select and remove All Users, then click Add. The Add Users and Groups dialog box opens.
   b. Set the Search area to Users and Groups, and type DirectoryAdmin in the Search For
   field.