HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

have an entry on the server, too. If the group is static, the members' entries can be located
on remote servers.
ACIs that depend on role definitions (roledn keyword) must be located on the same
server as the role definition entry. Every entry that is intended to have the role must also
be located on the same server.
However, you can match values stored in the target entry with values stored in the entry of
the bind user; for example, using the userattr keyword. Access is evaluated normally even
if the bind user does not have an entry on the server that holds the ACI.
For more information on how to chain access control evaluation, see “Database links and
access control evaluation” (page 71).
Attributes generated by class of service (CoS) cannot be used in all ACI keywords. Specifically,
you should not use attributes generated by CoS with the following keywords:
• targetfilter (“Targeting entries or attributes using LDAP filters” (page 238))
• targattrfilters (“Targeting attributes” (page 237))
• userattr (“Using the userattr keyword” (page 248))
If you create target filters or bind rules that depend on the value of attributes generated by
CoS, the access control rule will not work. For more information on CoS, see “Organizing
entries with roles, class of service, and views” (page 166).
Access control rules are always evaluated on the local server. Therefore, it is not necessary
to specify the host name or port number of the server in LDAP URLs used in ACI keywords. If
you do, the LDAP URL is not taken into account at all. For more information on LDAP URLs,
see “LDAP URLs” (page 570).
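The two caveats above (attributes generated by CoS used in targetfilter, targattrfilters or userattr, and host names or ports in ACI LDAP URLs) both produce rules that silently do not behave as written, so they are worth catching in a configuration review. The following Python script is an added example and is not part of the guide or the product; the CoS attribute names, the sample aci values and the simplified keyword parsing are constructed assumptions.

```python
import re

# Attributes generated by class of service (CoS) in this constructed directory;
# in practice, take them from the deployment's cosAttribute values.
COS_ATTRS = {"postalcode", "l"}
# Keywords that must not depend on CoS-generated attributes.
COS_SENSITIVE = ("targetfilter", "targattrfilters", "userattr")

# keyword [!]= "value" for the target and bind-rule keywords audited here
KEYWORD_RE = re.compile(r'\b(targetfilter|targattrfilters|userattr|userdn|'
                        r'groupdn|roledn)\s*!?=\s*"([^"]*)"', re.IGNORECASE)
# An LDAP URL that names a host (and maybe a port): ldap://host:port/...
HOSTED_URL_RE = re.compile(r'ldap://([^/"\s]+)/', re.IGNORECASE)
# Attribute name opening a filter component: (attr=, (attr>=, (attr~=
FILTER_ATTR_RE = re.compile(r'\(\s*([A-Za-z][\w;.-]*)\s*[~<>]?=')

# Constructed aci values; only the first is free of both pitfalls.
SAMPLE_ACIS = [
    '(targetattr="mail || telephoneNumber || userPassword || seeAlso")'
    '(version 3.0; acl "Allow self entry modification"; allow (write) '
    'userdn="ldap:///self";)',
    '(targetfilter="(postalCode=94*)")(version 3.0; acl "Bay Area only"; '
    'allow (read) userdn="ldap:///all";)',
    '(targetattr="*")(version 3.0; acl "Same locality"; allow (read) '
    'userattr="l#USERDN";)',
    '(targetattr="*")(version 3.0; acl "Remote URL"; allow (read) userdn='
    '"ldap://ldap.example.com:389/ou=People,dc=example,dc=com??sub?(uid=*)";)',
]

def attrs_used(keyword, value):
    """Attribute names (lower-cased) that a keyword's value depends on."""
    if keyword == "userattr":  # "attr#bindType" or "parent[0,1].attr#bindType"
        return {value.split("#", 1)[0].rsplit(".", 1)[-1].lower()}
    # targetfilter / targattrfilters: attributes named in the LDAP filter(s)
    return {a.lower() for a in FILTER_ATTR_RE.findall(value)}

def audit_aci(aci, cos_attrs=COS_ATTRS):
    """Return a list of warnings for one aci attribute value."""
    warnings = []
    for keyword, value in KEYWORD_RE.findall(aci):
        kw = keyword.lower()
        if kw in COS_SENSITIVE:
            hits = sorted(attrs_used(kw, value) & cos_attrs)
            if hits:
                warnings.append(f"{kw} depends on CoS-generated attribute(s) "
                                f"{', '.join(hits)}; the rule will not work")
        for host in HOSTED_URL_RE.findall(value):
            warnings.append(f"{kw} URL names host '{host}', which is ignored: "
                            "ACIs are always evaluated on the local server")
    return warnings
```

Run audit_aci over each aci value exported from the directory (for example from an ldapsearch of the aci attribute) and review every non-empty result.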
6.2 Default ACIs
When the Administration Server is set up, the following default ACIs apply to the directory
information stored in the userRoot database:
• Users can modify a list of common attributes in their own entries, including the mail,
telephoneNumber, userPassword, and seeAlso attributes. Operational and most of
the security attributes, such as aci, nsroledn, and passwordExpirationTime, cannot
be modified by users.
• Users have anonymous access to the directory for search, compare, and read operations.
• The administrator (by default uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot)
has all rights except proxy rights.
• All members of the Configuration Administrators group have all rights except proxy
rights.
• All members of the Directory Administrators group have all rights except proxy rights.
• Server Instance Entry (SIE) group.
The NetscapeRoot subtree has its own set of default ACIs:
• All members of the Configuration Administrators group have all rights on the
NetscapeRoot subtree except proxy rights.
• Users have anonymous access to the NetscapeRoot subtree for search and read operations.
• All authenticated users have search, compare, and read rights to configuration attributes that
identify the Administration Server.
• Group expansion.
The following sections explain how to modify these default settings.
234 Managing Access Control