Chapter 13. Managing Access Control
13.1. Access Control Principles
- For the entire directory, a subtree of the directory, specific entries in the directory (including entries defining configuration tasks), or a specific set of entry attributes.
- For a specific user, all users belonging to a specific group or role, or all users of the directory.
- For a specific location such as an IP address or a DNS name.
13.1.1. ACI Structure
The aci attribute is an operational attribute; it is available for use on every entry in the directory, regardless of whether it is defined for the object class of the entry. It is used by the Directory Server to evaluate what rights are granted or denied when it receives an LDAP request from a client. The aci attribute is returned in an ldapsearch operation if specifically requested.
- Bind Rule
13.1.2. ACI Placement
The aci attribute is multi-valued, which means that you can define several ACIs for the same entry or subtree.
inetorgperson object class can be created at the level of an organizationalUnit entry or a
13.1.3. ACI Evaluation
13.1.4. ACI Limitations
- If your directory tree is distributed over several servers using the chaining feature, some restrictions apply to the keywords you can use in access control statements:
  - ACIs that depend on group entries (groupdn keyword) must be located on the same server as the group entry. If the group is dynamic, then all members of the group must have an entry on the server, too. If the group is static, the members' entries can be located on remote servers.
  - ACIs that depend on role definitions (roledn keyword) must be located on the same server as the role definition entry. Every entry that is intended to have the role must also be located on the same server.
  However, you can match values stored in the target entry with values stored in the entry of the bind user; for example, using the userattr keyword. Access is evaluated normally even if the bind user does not have an entry on the server that holds the ACI.
  For more information on how to chain access control evaluation, see Section 2.3.6, “Database Links and Access Control Evaluation”.
- Attributes generated by class of service (CoS) cannot be used in all ACI keywords. Specifically, you should not use attributes generated by CoS with the following keywords:
  - targetattrfilters (Section 188.8.131.52, “Targeting Attributes”)
  If you create target filters or bind rules that depend on the value of attributes generated by CoS, the access control rule will not work. For more information on CoS, see Chapter 6, Organizing and Grouping Entries.
- Access control rules are always evaluated on the local server. Therefore, it is not necessary to specify the host name or port number of the server in LDAP URLs used in ACI keywords. If you do, the LDAP URL is not taken into account at all. For more information on LDAP URLs, see Appendix C, LDAP URLs.
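The limitations above can be checked mechanically when reviewing exported aci values. The following is an added example, not code from the Directory Server documentation: lint_aci, the finding codes, the sample ACIs and the CoS attribute name postalCode are all constructed for illustration, and the check is a heuristic rather than a full ACI parser.

```python
import re

# Keywords the page says must not rely on CoS-generated attributes. The page
# spells it "targetattrfilters"; ACI syntax itself uses "targattrfilters".
COS_SENSITIVE = {"targetattrfilters", "targattrfilters"}
# Keywords whose referenced entry must live on the server holding the ACI.
COLOCATED = {"groupdn": "group entry", "roledn": "role definition entry"}

KEYWORD_RE = re.compile(r'(\w+)\s*!?=\s*"([^"]*)"')        # keyword="value"
HOST_URL_RE = re.compile(r'ldaps?://([^/\s"]+)/', re.I)    # URL with host[:port]
ATTR_RE = re.compile(r'[A-Za-z][\w-]*')

def lint_aci(aci, cos_attrs=()):
    """Return (code, detail) findings for one aci value (heuristic, not a parser)."""
    cos = {a.lower() for a in cos_attrs}
    findings = []
    for keyword, value in KEYWORD_RE.findall(aci):
        kw = keyword.lower()
        for host in HOST_URL_RE.findall(value):
            # Evaluation is always local, so host and port are ignored.
            findings.append(("URL_HOST_IGNORED", f"{kw}: {host}"))
        if kw in COLOCATED:
            findings.append(("CHAINING_COLOCATE", f"{kw}: {COLOCATED[kw]} must be on this server"))
        if kw in COS_SENSITIVE:
            names = {w.lower() for w in ATTR_RE.findall(value)}
            for attr in sorted(names & cos):
                findings.append(("COS_ATTR", f"{kw}: {attr}"))
    return findings

# Constructed sample ACIs (not taken from the page).
SAMPLES = [
    '(targetattr="mail")(version 3.0; acl "constructed 1"; allow (write) '
    'groupdn="ldap://ds1.example.com:389/cn=HR,ou=Groups,dc=example,dc=com";)',
    '(targattrfilters="add=postalCode:(postalCode=9*)")(version 3.0; '
    'acl "constructed 2"; allow (write) userdn="ldap:///self";)',
    '(targetattr="cn")(version 3.0; acl "constructed 3"; allow (read) '
    'userdn="ldap:///anyone";)',
]

if __name__ == "__main__":
    for aci in SAMPLES:
        for code, detail in lint_aci(aci, cos_attrs=["postalCode"]):
            print(code, detail)
```

A CHAINING_COLOCATE finding is informational: it marks an ACI whose group or role entry has to be confirmed as local when the suffix is chained.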