This example assumes that you have created an administrators role with a cn of DirectoryAdmin.
c. Click the Add button to list the administrators role in the list of users who are granted access permission.
d. Click OK to dismiss the Add Users and Groups dialog box.
4. In the Rights tab, click the Check All button.
5. In the Targets tab, click This Entry to display the ou=HostedCompany1,ou=corporate-clients,dc=example,dc=com suffix in the Target directory entry field.
6. In the Hosts tab, click Add to display the Add Host Filter dialog box. In the IP address host filter field, type 255.255.123.234. Click OK.
The IP address must be a valid IP address for the host machine that the HostedCompany1 administrators use to connect to the example.com directory.
7. In the Times tab, select the block time corresponding to Monday through Thursday and 8 a.m. to 6 p.m.
A message appears below the table that specifies the selected time block.
8. To enforce SSL authentication from HostedCompany1 administrators, switch to manual editing by clicking the Edit Manually button. Add the following to the end of the LDIF statement:
and (authmethod="ssl")
The LDIF statement should be similar to the following:
aci: (targetattr = "*")
(target="ou=HostedCompany1,ou=corporate-clients,dc=example,dc=com")
(version 3.0; acl "HostedCompany1"; allow (all)
(roledn="ldap:///cn=DirectoryAdmin,ou=HostedCompany1,ou=corporate-clients,dc=example,dc=com") and
(dayofweek="Mon,Tues,Wed,Thu") and (timeofday >= "0800" and timeofday <= "1800") and
(ip="255.255.123.234") and (authmethod="ssl"); )
9. Click OK.
The new ACI is added to the ones listed in the Access Control Manager window.
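A check for the result of this procedure, added here as an example and not taken from the Directory Server documentation: it parses an ACI value and reports which of the bind-rule conditions built in the steps above (role, day of week, time of day, IP address, SSL authentication) an allow rule is missing, and whether they are still all joined with "and". The function names, the wording of the findings and the two weakened ACI variants are constructed for illustration.

```python
import re

# Conditions the procedure above combines in the bind rule.
REQUIRED = ("roledn", "dayofweek", "timeofday", "ip", "authmethod")
ACI_RE = re.compile(
    r'acl\s+"([^"]*)"\s*;\s*(allow|deny)\s*\(([^)]*)\)\s*(.*?);\s*\)\s*$', re.S)

def keywords(rule):
    """Map each bind-rule keyword to the (operator, value) pairs it is tested with."""
    found = {}
    for kw, op, val in re.findall(r'(\w+)\s*(>=|<=|!=|=|>|<)\s*"([^"]*)"', rule):
        found.setdefault(kw.lower(), []).append((op, val))
    return found

def audit(aci):
    """Return findings for an allow ACI that lacks one of the page's restrictions."""
    m = ACI_RE.search(aci)
    if not m:
        raise ValueError("no acl \"name\"; allow|deny (...) ...; ) clause found")
    _name, kind, _rights, rule = m.groups()
    if kind != "allow":
        return []  # deny rules are out of scope for this check
    kws = keywords(rule)
    findings = [f"missing {k}" for k in REQUIRED if k not in kws]
    # The value is compared case-insensitively (an assumption of this example).
    methods = [(op, val.lower()) for op, val in kws.get("authmethod", [])]
    if methods and ("=", "ssl") not in methods:
        findings.append("authmethod is not ssl")
    # An "or" outside the quoted values means the conditions no longer all apply.
    if re.search(r'\bor\b', re.sub(r'"[^"]*"', '""', rule), re.I):
        findings.append("conditions joined with or")
    return findings

# The ACI from step 8, joined onto one line.
PAGE_ACI = (
    '(targetattr = "*") '
    '(target="ou=HostedCompany1,ou=corporate-clients,dc=example,dc=com") '
    '(version 3.0; acl "HostedCompany1"; allow (all) '
    '(roledn="ldap:///cn=DirectoryAdmin,ou=HostedCompany1,'
    'ou=corporate-clients,dc=example,dc=com") and '
    '(dayofweek="Mon,Tues,Wed,Thu") and '
    '(timeofday >= "0800" and timeofday <= "1800") and '
    '(ip="255.255.123.234") and (authmethod="ssl"); )'
)
# Constructed variants: step 8 skipped, and "and" mistyped as "or" in step 8.
NO_SSL = PAGE_ACI.replace(' and (authmethod="ssl")', '')
OR_SSL = PAGE_ACI.replace('and (authmethod="ssl")', 'or (authmethod="ssl")')

if __name__ == "__main__":
    for label, aci in (("page", PAGE_ACI), ("no ssl", NO_SSL), ("or ssl", OR_SSL)):
        print(label, audit(aci) or "ok")
```

The "or" variant is the case worth checking by hand after manual editing: every keyword is present, yet an SSL connection alone would satisfy the rule's last clause.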
6.9.7. Denying Access
If your directory holds business-critical information, it may be necessary to specifically deny access to it.
For example, example.com wants all subscribers to be able to read billing information such as connection time or account balance under their own entries but explicitly wants to deny write access to that information. This is illustrated in Section 6.9.7.1, “ACI "Billing Info Read"” and Section 6.9.7.2, “ACI "Billing Info Deny"”, respectively.