HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

Table 20 Object classes and attributes for roles (continued)
Role type / Object classes / Attributes
(nested role, row continued) / nsNestedRoleDefinition / Description (optional)
The attributes nsRole and nsRoleDN are operational attributes. This means that they are not
part of the schema of the entry's object classes and may be added to any entry, regardless of schema. It
also means that these attributes are not returned by default and must be explicitly requested in the
attribute list of a search request. For example, this ldapsearch command lists all the roles (values of
nsRole), all the managed roles (values of nsRoleDN), and all the regular attributes in the entry
matched by uid=scarter:
ldapsearch ... args ... (uid=scarter) \* nsRole nsRoleDN
Similarly, role definition entries are operational entries (LDAP subentries) and are not returned by
default with regular searches. This means that if roles are defined under the
ou=People,dc=example,dc=com subtree, for example, the following ldapsearch command
will not return any of the role definition entries (the filter is quoted so that the shell does not
expand the asterisk):
ldapsearch -s sub -b ou=People,dc=example,dc=com "(objectclass=*)"
To see the role definition entries, use the special search filter "(objectclass=ldapSubEntry)"
with ldapsearch. The special filter can be combined with any other search filter, using OR (|):
ldapsearch -s sub -b ou=People,dc=example,dc=com "(|(objectclass=*)(objectclass=ldapSubEntry))"
This search shows all regular entries in addition to role definition entries in the
ou=People,dc=example,dc=com subtree. The Console automatically shows all the role entries.
NOTE:
In some cases, the value of the nsRoleDN attribute must be protected with an ACI, because the
attribute is writable by anyone who has write access to the entry. For more information about security
and roles, see "Using roles securely" (page 187).
5.1.3.1 Examples: managed role definition
This example creates a role that can be assigned to the marketing department.
1. Use ldapmodify to add the managed role entry. The entry contains the
nsManagedRoleDefinition object class, which in turn inherits from the LdapSubEntry,
nsRoleDefinition, and nsSimpleRoleDefinition object classes:
ldapmodify -D "cn=Directory Manager" -w secret -h host -p 389
dn: cn=Marketing,ou=people,dc=example,dc=com
changetype: add
objectclass: top
objectclass: LdapSubEntry
objectclass: nsRoleDefinition
objectclass: nsSimpleRoleDefinition
objectclass: nsManagedRoleDefinition
cn: Marketing
description: managed role for marketing staff
2. Assign the role to a marketing staff member named Bob, using ldapmodify:
ldapmodify -D "cn=Directory Manager" -w secret -h host -p 389
dn: cn=Bob,ou=people,dc=example,dc=com
changetype: modify
add: nsRoleDN
nsRoleDN: cn=Marketing,ou=people,dc=example,dc=com
The nsRoleDN attribute in the entry indicates that the entry is a member of a managed role,
cn=Marketing,ou=people,dc=example,dc=com.
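The following script is an added example that is not part of the HP-UX Directory Server guide. It ties together the two points above: role definition entries are ldapSubEntry objects that a plain search does not return, and membership in a managed role is recorded in the operational attribute nsRoleDN, which must be requested explicitly. The script assumes an LDIF dump produced by a search of the form ldapsearch -s sub -b ou=People,dc=example,dc=com "(|(objectclass=*)(objectclass=ldapSubEntry))" "*" nsRole nsRoleDN, parses it with a small hand-written LDIF reader (the function names parse_ldif, norm_dn and audit_roles are this example's own), and reports which entries hold each managed role and which nsRoleDN values point at a role that has no nsManagedRoleDefinition entry in the dump. The sample LDIF is constructed for the example.

```python
"""Audit managed-role membership from an ldapsearch LDIF dump (added example)."""
import base64
from collections import defaultdict

# Constructed sample search output: one managed role definition (an
# ldapSubEntry) and three person entries; nsRole/nsRoleDN were requested
# explicitly in the search, so they appear alongside the regular attributes.
SAMPLE_LDIF = """\
dn: cn=Marketing,ou=People,dc=example,dc=com
objectClass: top
objectClass: LdapSubEntry
objectClass: nsRoleDefinition
objectClass: nsSimpleRoleDefinition
objectClass: nsManagedRoleDefinition
cn: Marketing
description: managed role for marketing staff

dn: cn=Bob,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
cn: Bob
sn: Jones
nsRoleDN: cn=Marketing,ou=People,dc=example,dc=com
nsRole: cn=Marketing,ou=People,dc=example,dc=com

dn: cn=Alice,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
cn: Alice
sn: Smith
nsRoleDN: cn=Sales,ou=People,dc=example,dc=com

dn: cn=Carol,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
cn:: Q2Fyb2w=
sn: Lee
"""


def parse_ldif(text):
    """Minimal LDIF reader for ldapsearch output.

    Returns a list of (dn, {attribute (lower-cased): [values]}) tuples.
    Folded lines (leading space), comments (#) and base64 values (::) are
    handled; this is enough for a search dump, not a full LDIF implementation.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, None
    for line in lines + [""]:                  # sentinel flushes the last entry
        if line.startswith("#"):
            continue
        if line == "":
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, None
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):              # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn, attrs = value, defaultdict(list)
        else:
            attrs[name.lower()].append(value)
    return entries


def norm_dn(dn):
    """Fold case and strip RDN whitespace: DN matching is case-insensitive."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def object_classes(attrs):
    return {v.lower() for v in attrs.get("objectclass", [])}


def audit_roles(ldif_text):
    """Return (members, dangling).

    members  -- {normalised role DN: sorted DNs of entries holding it in nsRoleDN}
    dangling -- sorted (entry DN, nsRoleDN value) pairs whose role has no
                nsManagedRoleDefinition entry in the dump (deleted role, typo,
                or a value written into the entry that should be reviewed)
    """
    entries = parse_ldif(ldif_text)
    managed = {norm_dn(dn) for dn, a in entries
               if "nsmanagedroledefinition" in object_classes(a)}
    members, dangling = defaultdict(list), []
    for dn, a in entries:
        if "ldapsubentry" in object_classes(a):   # skip role definitions themselves
            continue
        for role in a.get("nsroledn", []):
            key = norm_dn(role)
            (members[key].append(dn) if key in managed else dangling.append((dn, role)))
    return {k: sorted(v) for k, v in members.items()}, sorted(dangling)


if __name__ == "__main__":
    found, missing = audit_roles(SAMPLE_LDIF)
    for role, holders in found.items():
        print(role, "->", ", ".join(holders))
    for entry, role in missing:
        print("dangling nsRoleDN on", entry, "->", role)
```

Run against a real dump, the dangling list is the part worth reviewing: because nsRoleDN is a writable attribute, a value that does not correspond to any role definition is either stale or was written by someone with write access to that entry, which is the situation the NOTE above and "Using roles securely" address with an ACI.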
5.1 Using roles 185