HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

(keyword = "expression")
(keyword != "expression")
keyword indicates the type of target.
equal (=) indicates that the target is the object specified in the expression, and not equal
(!=) indicates the target is not the object specified in the expression.
expression identifies the target.
The quotation marks ("") around expression are required. What you use for expression is
dependent upon the keyword that you supply.
Table 23 (page 236) lists each keyword and the associated expressions.
Table 23 LDIF target keywords
Keyword             Valid expressions             Wildcard allowed
target              ldap:///distinguished_name    Yes
targetattr          attribute                     Yes
targetfilter        LDAP_filter                   Yes
targetattrfilters   LDAP_operation:LDAP_filter    Yes
In all cases, you must keep in mind that when you place an ACI on an entry, if it is not a leaf entry,
the ACI also applies to all entries below it. For example, if you target the entry
ou=accounting,dc=example,dc=com, the permissions you set apply to all entries in the
accounting branch of the example.com tree.
As a counter example, if you place an ACI on the ou=accounting,dc=example,dc=com
entry, you cannot target the uid=sarette,ou=people,dc=example,dc=com entry because
it is not located under the accounting tree.
Be wary of using != when specifying an attribute to deny. ACLs are treated as a logical OR, which
means that if you created two ACLs as shown below, the result allows all values of the target
attribute.
acl1: ( target=...)( targetattr!=a )(version 3.0; acl "name";allow (...)..
acl2: ( target=...)( targetattr!=b )(version 3.0; acl "name";allow (...)..
The first ACL (acl1) allows b and the second ACL (acl2) allows a. Combined, these two ACLs have
the same effect as a single ACL of the following form:
acl3: ( targetattr="*" ) allow (...) ...
In this combined form (acl3), nothing is denied, which could give rise to security problems.
When you want to deny access to a particular attribute, use deny in the permissions clause rather
than using allow with ( targetattr != value ). For example, usages such as these are
recommended:
acl1: ( target=...)( targetattr=a )(version 3.0; acl "name";deny (...)..
acl2: ( target=...)( targetattr=b )(version 3.0; acl "name";deny (...)..
6.3.2.1 Targeting a directory entry
To target a directory entry (and the entries below it), you must use the target keyword. The
target keyword can accept a value of the following format:
target="ldap:///distinguished_name"
This identifies the distinguished name of the entry to which the access control rule applies. For
example:
(target = "ldap:///uid=bjensen,dc=example,dc=com")
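The two rules above (a target DN covers the entry and everything below it; targetattr clauses of separate ACIs are ORed, so two "allow" ACIs with != end up allowing everything) can be checked with the small model below, an added example that is not code from the HP-UX Directory Server guide. It assumes a simplified DN comparison and a simplified one-line ACI syntax, and it assumes that a matching deny overrides a matching allow, which the excerpt above does not state.

```python
import re

def dn_in_scope(target_dn: str, entry_dn: str) -> bool:
    """True if entry_dn is the target entry itself or lies below it.
    Simplified DN handling: split on commas, trim, lower-case, then require the
    target's RDNs to be a suffix of the entry's RDNs (real servers normalise more)."""
    def rdns(dn):
        return [r.strip().lower() for r in dn.split(",")]
    t, e = rdns(target_dn), rdns(entry_dn)
    return len(e) >= len(t) and e[len(e) - len(t):] == t

# Matches "( targetattr=a )", "( targetattr!=a )" and '( targetattr="*" )'.
TARGETATTR_RE = re.compile(r'\(\s*targetattr\s*(!=|=)\s*"?([^")\s]+)"?\s*\)', re.I)

def parse_aci(aci: str):
    """Return (operator, attribute, permission) from a simplified one-line ACI."""
    m = TARGETATTR_RE.search(aci)
    if m is None:
        raise ValueError("no targetattr clause in ACI: " + aci)
    return m.group(1), m.group(2), "deny" if re.search(r"\bdeny\b", aci) else "allow"

def targetattr_matches(op: str, attr: str, candidate: str) -> bool:
    return attr == "*" or (candidate == attr if op == "=" else candidate != attr)

def effective_access(acis, attributes):
    """Map each attribute to 'allow', 'deny' or None (no ACI applies).
    ACIs are ORed, so any matching allow grants access. Assumption: a matching
    deny overrides allow (Directory Server's conflict rule; not stated in the guide)."""
    result = {}
    for a in attributes:
        verdict = None
        for aci in acis:
            op, attr, perm = parse_aci(aci)
            if targetattr_matches(op, attr, a):
                if perm == "deny":
                    verdict = "deny"
                    break
                verdict = "allow"
        result[a] = verdict
    return result

# Constructed ACIs modelled on acl1/acl2 above (a userdn clause is added so they are complete).
ALLOW_NOT = [
    '( target="ldap:///dc=example,dc=com" )( targetattr!=a )(version 3.0; acl "acl1";allow (read) userdn="ldap:///anyone";)',
    '( target="ldap:///dc=example,dc=com" )( targetattr!=b )(version 3.0; acl "acl2";allow (read) userdn="ldap:///anyone";)',
]
DENY_EQ = [s.replace("!=", "=").replace("allow", "deny") for s in ALLOW_NOT]
STAR = ['( targetattr="*" )(version 3.0; acl "acl3";allow (read) userdn="ldap:///anyone";)']
```

Running effective_access over ALLOW_NOT and STAR gives identical results (every attribute allowed), while DENY_EQ denies exactly a and b.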
236 Managing Access Control