HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

6.3 Creating ACIs manually
You can create access control instructions manually using LDIF statements and add them to your
directory tree using the ldapmodify utility, similar to the instructions in “LDIF Update
Statements” (page 120). The following sections explain in detail how to create the LDIF statements.
NOTE:
LDIF ACI statements can be very complex. However, if you are setting access control for a large
number of directory entries, using LDIF is preferred because it is faster than using the Console.
To familiarize yourself with LDIF ACI statements, however, you may want to use the Directory Server
Console to set the ACI, then click the Edit Manually button on the Access Control Editor. This shows
you the correct LDIF syntax. You can even copy the LDIF from the Access Control Editor and paste
it into your LDIF file.
6.3.1 The ACI syntax
The aci attribute uses the following syntax:
aci: (target)(version 3.0;acl "name";permission bind_rules;)
Where target specifies the entry, attributes, or set of entries and attributes for which to control
access. The target can be a distinguished name, one or more attributes, or a single LDAP
filter. The target is an optional part of the ACI.
version 3.0 is a required string that identifies the ACI version.
name is a name for the ACI. The name can be any string that identifies the ACI. The ACI name
is required.
permission specifically outlines what rights are being allowed or denied; for example, read
or search rights.
bind_rules specify the credentials and bind parameters that a user has to provide to be granted
access. Bind rules can also specifically deny access to certain users or groups of users.
You can have multiple permission-bind rule pairs for each target. This allows you to set multiple
access controls for a given target efficiently. For example:
target(permission bind_rule)(permission bind_rule)...
If you have several ACRs in one ACI statement, the syntax is in the following form:
aci: (target)(version 3.0;acl "name";permission bind_rule; permission bind_rule; ... permission bind_rule;)
The following is an example of a complete LDIF ACI:
aci: (target="ldap:///uid=bjensen,dc=example,dc=com")(targetattr=*)
(version 3.0;acl "aci1";allow (write) userdn="ldap:///self";)
In this example, the ACI states that the user bjensen has rights to modify all attributes in her own
directory entry.
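The syntax above, as an added example that is not part of the guide: a small Python parser (my code, not HP's) that splits the value carried by an aci attribute into its optional target clauses, the ACI name, and its permission/bind-rule pairs, and rejects strings that break that structure. It checks structure only and does not evaluate bind rules; the multi-rule and targetfilter inputs in the usage note are constructed.

```python
import re
def _scan(s):
    # Yield (index, char, nesting depth) for every character outside "..." strings,
    # so parentheses inside an LDAP filter such as targetfilter="(ou=...)" are ignored.
    depth, quoted = 0, False
    for i, ch in enumerate(s):
        if ch == '"':
            quoted = not quoted
        elif not quoted:
            yield i, ch, depth
            depth += (ch == '(') - (ch == ')')
    if depth or quoted:
        raise ValueError("unbalanced parentheses or quotes in ACI")

def _groups(s):
    # Contents of each top-level (...) group: the targets, then the version/acl body.
    out, start = [], 0
    for i, ch, depth in _scan(s):
        if ch == '(' and depth == 0:
            start = i + 1
        elif ch == ')' and depth == 1:
            out.append(s[start:i])
    return out

def _split(s):
    # Split on ';' outside quotes and parentheses; drop empty pieces.
    cuts = [-1] + [i for i, ch, d in _scan(s) if ch == ';' and d == 0] + [len(s)]
    return [p.strip() for p in (s[a + 1:b] for a, b in zip(cuts, cuts[1:])) if p.strip()]
_TARGET = re.compile(r'^\s*(\w+)\s*(!?=)\s*"?(.*?)"?\s*$', re.S)
_RULE = re.compile(r'^(allow|deny)\s*\(([^)]*)\)\s*(.+)$', re.S)
_HEAD = re.compile(r'\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;(.*)', re.S)

def parse_aci(value):
    # Return {"targets": [(keyword, op, value)], "name": str, "rules": [(allow|deny, rights, bind_rule)]}.
    groups = _groups(value)
    targets = [_TARGET.match(g) for g in groups[:-1]]
    if not groups or not all(targets):
        raise ValueError("expected optional (target...) clauses followed by a (version 3.0;...) body")
    head = _HEAD.match(groups[-1])
    if not head:
        raise ValueError('body must start with version 3.0;acl "name";')
    rules = [_RULE.match(r) for r in _split(head.group(2))]
    if not rules or not all(rules):
        raise ValueError("each rule must be allow|deny (rights) bind_rule;")
    return {"targets": [m.groups() for m in targets], "name": head.group(1),
            "rules": [(m.group(1), [x.strip() for x in m.group(2).split(',')],
                       m.group(3).strip()) for m in rules]}

# The guide's own example ACI, as the string the aci: attribute carries.
EXAMPLE = ('(target="ldap:///uid=bjensen,dc=example,dc=com")(targetattr=*)\n'
           '(version 3.0;acl "aci1";allow (write) userdn="ldap:///self";)')
```

parse_aci(EXAMPLE) yields the two targets, the name aci1, and one ("allow", ["write"], 'userdn="ldap:///self"') pair; a body with several permission/bind-rule pairs separated by semicolons yields one tuple per pair.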
6.3.2 Defining targets
The target identifies to what the ACI applies. If the target is not specified, the ACI applies to the
entry containing the aci attribute and to the entries below it. A target can be any of the following:
A directory entry or all the entries in a subtree, as described in “Targeting a directory
entry” (page 236).
Attributes of an entry, as described in “Targeting attributes” (page 237).
A set of entries or attributes that match a specified LDAP filter, as described in “Targeting entries
or attributes using LDAP filters” (page 238).
An attribute value, or a combination of values, that match a specified LDAP filter, as described
in “Targeting attribute values using LDAP filters” (page 239).
The general syntax for a target is as follows:
6.3 Creating ACIs manually 235