Chapter 6. Managing Access Control
2. [$dn] in the subject is replaced with dc=subdomain1,dc=hostedCompany1. The result is groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=subdomain1,dc=hostedCompany1,dc=example,dc=com". If the bind DN is a member of that group, the matching process stops, and the ACI is evaluated. If it does not match, the process continues.
3. [$dn] in the subject is replaced with dc=hostedCompany1. The result is groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=hostedCompany1,dc=example,dc=com". In this case, if the bind DN is not a member of that group, the ACI is not evaluated. If it is a member, the ACI is evaluated.
The advantage of the [$dn] macro is that it provides a flexible way of granting access to domain-level administrators to all the subdomains in the directory tree. Therefore, it is useful for expressing a hierarchical relationship between domains.
For example, consider the following ACI:
aci: (target="ldap:///ou=*, ($dn),dc=example,dc=com")
(targetattr="*")(targetfilter=(objectClass=nsManagedDomain))
(version 3.0; acl "Domain access"; allow (read,search)
groupdn="ldap:///cn=DomainAdmins,ou=Groups,[$dn],dc=example,dc=com";)
It grants access to the members of cn=DomainAdmins,ou=Groups,dc=hostedCompany1,dc=example,dc=com to all of the subdomains under dc=hostedCompany1, so an administrator belonging to that group could access a subtree like ou=people,dc=subdomain1.1,dc=subdomain1. However, at the same time, members of cn=DomainAdmins,ou=Groups,dc=subdomain1.1 would be denied access to the ou=people,dc=hostedCompany1 and ou=people,dc=hostedCompany1 nodes.
6.10.2.3. Macro Matching for ($attr.attrName)
The ($attr.attrName) macro is always used in the subject part of a DN. For example, define the following roledn:
roledn = "ldap:///cn=DomainAdmins,($attr.ou)"
Now, assume the server receives an LDAP operation targeted at the following entry:
dn: cn=Jane Doe, ou=People, dc=HostedCompany1, dc=example,dc=com
cn: Jane Doe
sn: Doe
ou: Engineering, dc=HostedCompany1, dc=example,dc=com
...
In order to evaluate the roledn part of the ACI, the server looks at the ou attribute stored in the targeted entry and uses the value of this attribute to expand the macro. Therefore, in the example, the roledn is expanded as follows:
roledn = "ldap:///cn=DomainAdmins,ou=Engineering,dc=HostedCompany1,dc=example,dc=com"
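The following is an added example, not code from the Directory Server guide or the server itself: a small Python model of the two expansions described above, the [$dn] matching walk (the subject is re-evaluated for each shorter suffix of the target DN until a group containing the bind DN is found) and the ($attr.attrName) expansion (the subject is filled from an attribute of the targeted entry). The group memberships, the bind DNs and the helper names (dn_candidates, match_groupdn_macro, expand_attr_macro) are constructed for this illustration; the ($attr.ou) expansion reproduces the result shown in the guide by substituting attrName=value and trimming whitespace around commas, which is a modelling assumption rather than the server's own normalisation rules.

```python
"""
Added example (not from the Directory Server guide): a model of macro ACI
subject expansion for [$dn] and ($attr.attrName).  All directory data below
is constructed sample data.
"""
import re
from fnmatch import fnmatchcase


def split_dn(dn):
    """Split a DN on commas into RDN strings with surrounding whitespace removed."""
    return [rdn.strip() for rdn in dn.split(",") if rdn.strip()]


def norm_dn(dn):
    """Normalise a DN for comparison: no whitespace around commas, case-insensitive."""
    return ",".join(split_dn(dn)).lower()


def dn_candidates(target_dn, target_pattern):
    """
    Values ($dn) can take when target_dn is matched against an ACI target such as
    "ou=*,($dn),dc=example,dc=com": the RDNs between the glob prefix and the fixed
    suffix, then each shorter suffix of them, longest first (the order in which the
    server retries the subject).  Returns [] when the target does not match at all.
    """
    prefix, suffix = target_pattern.split("($dn)")
    prefix_rdns, suffix_rdns = split_dn(prefix), split_dn(suffix)
    rdns = split_dn(target_dn)
    if len(rdns) <= len(prefix_rdns) + len(suffix_rdns):
        return []
    tail = [r.lower() for r in rdns[len(rdns) - len(suffix_rdns):]]
    if tail != [s.lower() for s in suffix_rdns]:
        return []
    for pat, rdn in zip(prefix_rdns, rdns):  # e.g. "ou=*" against "ou=people"
        if not fnmatchcase(rdn.lower(), pat.lower()):
            return []
    middle = rdns[len(prefix_rdns):len(rdns) - len(suffix_rdns)]
    return [",".join(middle[i:]) for i in range(len(middle))]


def match_groupdn_macro(bind_dn, target_dn, target_pattern, groupdn_macro, group_members):
    """
    Substitute each ($dn) candidate for [$dn] in the groupdn subject and stop at the
    first expanded group that contains the bind DN.  Returns that expanded groupdn,
    or None when no candidate group contains the bind DN (the ACI is then not evaluated).
    """
    members = {norm_dn(g): {norm_dn(m) for m in ms} for g, ms in group_members.items()}
    for cand in dn_candidates(target_dn, target_pattern):
        expanded = groupdn_macro.replace("[$dn]", cand)
        group = norm_dn(expanded[len("ldap:///"):])
        if norm_dn(bind_dn) in members.get(group, set()):
            return expanded
    return None


def expand_attr_macro(subject_macro, entry):
    """
    Replace ($attr.NAME) with "NAME=<value>" taken from the targeted entry, as in the
    guide's roledn example (modelling assumption: only whitespace around commas is
    normalised).  Returns None when the entry lacks the attribute, so the subject
    cannot be evaluated.
    """
    def repl(m):
        values = entry.get(m.group(1).lower())
        if not values:
            raise KeyError(m.group(1))
        return m.group(1) + "=" + values[0]
    try:
        expanded = re.sub(r"\(\$attr\.([A-Za-z][\w-]*)\)", repl, subject_macro)
    except KeyError:
        return None
    return "ldap:///" + ",".join(split_dn(expanded[len("ldap:///"):]))


# Constructed sample directory state: DomainAdmins groups at two levels of the tree.
GROUP_MEMBERS = {
    "cn=DomainAdmins,ou=Groups,dc=hostedCompany1,dc=example,dc=com":
        {"uid=admin1,ou=People,dc=hostedCompany1,dc=example,dc=com"},
    "cn=DomainAdmins,ou=Groups,dc=subdomain1.1,dc=subdomain1,dc=hostedCompany1,dc=example,dc=com":
        {"uid=subadmin,ou=People,dc=subdomain1.1,dc=subdomain1,dc=hostedCompany1,dc=example,dc=com"},
}
TARGET_PATTERN = "ou=*,($dn),dc=example,dc=com"
GROUPDN_MACRO = "ldap:///cn=DomainAdmins,ou=Groups,[$dn],dc=example,dc=com"


def demo():
    """Top-level admin reaching a subdomain, subdomain admin denied at the parent, and ($attr.ou)."""
    deep = "ou=people,dc=subdomain1.1,dc=subdomain1,dc=hostedCompany1,dc=example,dc=com"
    top = "ou=people,dc=hostedCompany1,dc=example,dc=com"
    wide = match_groupdn_macro("uid=admin1,ou=People,dc=hostedCompany1,dc=example,dc=com",
                               deep, TARGET_PATTERN, GROUPDN_MACRO, GROUP_MEMBERS)
    narrow = match_groupdn_macro(
        "uid=subadmin,ou=People,dc=subdomain1.1,dc=subdomain1,dc=hostedCompany1,dc=example,dc=com",
        top, TARGET_PATTERN, GROUPDN_MACRO, GROUP_MEMBERS)
    entry = {"cn": ["Jane Doe"], "sn": ["Doe"],
             "ou": ["Engineering, dc=HostedCompany1, dc=example,dc=com"]}
    role = expand_attr_macro("ldap:///cn=DomainAdmins,($attr.ou)", entry)
    return wide, narrow, role


if __name__ == "__main__":
    for label, value in zip(("wide", "narrow", "roledn"), demo()):
        print(label, "->", value)
```

The first case matches only on the third candidate (dc=hostedCompany1), which is why a top-level DomainAdmins member reaches every subdomain; the second case has a single candidate and no matching group, so the ACI is never evaluated for the subdomain administrator, which is the denial the guide describes.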