HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

NOTE:
Although using LDAP filters can be useful when you are targeting entries and attributes that are
spread across the directory, the results are sometimes unpredictable because filters do not directly
name the object for which you are managing access. The set of entries targeted by a filtered ACI
is likely to change as attributes are added or deleted. Therefore, if you use LDAP filters in ACIs,
you should verify that they target the correct entries and attributes by using the same filter in an
ldapsearch operation.
6.3.2.5 Targeting attribute values using LDAP filters
You can use access control to target specific attribute values. This means that you can grant or
deny permissions on an attribute if that attribute's value meets the criteria defined in the ACI. An
ACI that grants or denies access based on an attribute's value is called a value-based ACI.
For example, you might grant all users in your organization permission to modify the nsroledn
attribute in their own entry. However, you would also want to ensure that they do not give themselves
certain key roles, such as Top Level Administrator. LDAP filters are used to check that the
conditions on attribute values are satisfied.
To create a value-based ACI, you must use the targattrfilters keyword with the following
syntax:
(targattrfilters="add=attr1:F1 && attr2:F2... && attrn:Fn,
del=attr1:F1 && attr2:F2 ... && attrn:Fn")
add represents the operation of creating an attribute.
del represents the operation of deleting an attribute.
attrx represents the target attributes.
Fx represents filters that apply only to the associated attribute.
When creating an entry, if a filter applies to an attribute in the new entry, then each instance of
that attribute must satisfy the filter. When deleting an entry, if a filter applies to an attribute in the
entry, then each instance of that attribute must also satisfy the filter.
When modifying an entry, if the operation adds an attribute, then the add filter that applies to that
attribute must be satisfied; if the operation deletes an attribute, then the delete filter that applies to
that attribute must be satisfied. If individual values of an attribute already present in the entry are
replaced, then both the add and delete filters must be satisfied.
For example, consider the following attribute filter:
(targattrfilters="add=nsroledn:(!(nsroledn=cn=superAdmin)) && telephoneNumber:(telephoneNumber=123*)")
This filter can be used to allow users to add any role (nsroledn attribute) to their own entry,
except the superAdmin role. It also allows users to add a telephone number with a 123 prefix.
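As an added example (not code from this guide or from the Directory Server itself), the following Python script parses a targattrfilters value and applies the add/del/replace rules described above to proposed attribute values, using the guide's own filter. It supports only a small LDAP filter subset (equality, trailing-* prefix, !, &, |), and its treatment of an attribute that has no filter as unconstrained is an assumption made for illustration.

```python
# Added example (not server code): offline evaluator for targattrfilters rules.
def parse_filter(s, i=0):
    """Parse one LDAP filter starting at s[i]; return (node, index after it)."""
    assert s[i] == "(", "filter must start with '('"
    i += 1
    if s[i] in "&|!":                       # compound filter: collect its sub-filters
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1            # skip the closing ')'
    j = s.index(")", i)                     # simple item; values here contain no ')'
    attr, _, value = s[i:j].partition("=")  # split on the FIRST '=': a value may be a DN
    return ("=", attr.lower(), value), j + 1

def matches(node, attr, value):
    """True if one attribute value satisfies the filter node."""
    op = node[0]
    if op == "&": return all(matches(k, attr, value) for k in node[1])
    if op == "|": return any(matches(k, attr, value) for k in node[1])
    if op == "!": return not matches(node[1][0], attr, value)
    _, fattr, pattern = node
    if fattr != attr.lower(): return False
    if pattern.endswith("*"): return value.lower().startswith(pattern[:-1].lower())
    return value.lower() == pattern.lower()

def parse_targattrfilters(spec):
    """'add=a:F && b:G,del=a:H' -> {'add': {a: node, b: node}, 'del': {a: node}}."""
    rules, depth, start, parts = {"add": {}, "del": {}}, 0, 0, []
    for k, ch in enumerate(spec + ","):     # split add/del clauses on top-level commas
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            parts.append(spec[start:k]); start = k + 1
    for part in filter(str.strip, parts):
        op, _, body = part.strip().partition("=")
        for item in body.split("&&"):
            attr, _, flt = item.strip().partition(":")
            rules[op][attr.lower()] = parse_filter(flt.strip())[0]
    return rules

def operation_allowed(rules, op, attr, values):
    """op is 'add', 'del' or 'replace' (replace must pass BOTH filters); every value
    must satisfy the filter. Assumption: an attribute with no filter is unconstrained."""
    for o in ("add", "del") if op == "replace" else (op,):
        node = rules[o].get(attr.lower())
        if node and not all(matches(node, attr, v) for v in values):
            return False
    return True

# The guide's own example filter from this section, parsed once for reuse
RULES = parse_targattrfilters(
    "add=nsroledn:(!(nsroledn=cn=superAdmin)) && telephoneNumber:(telephoneNumber=123*)")
```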
NOTE:
You cannot create value-based ACIs from the Directory Server Console.
6.3.2.6 Targeting a single directory entry
Targeting a single directory entry is not straightforward because it goes against the design
philosophy of the access control mechanism. However, it can be done in either of two ways:
• By creating a bind rule that matches user input in the bind request with an attribute value
  stored in the targeted entry. For more details, see “Defining access based on value
  matching” (page 247).
• By using the targetattr and targetfilter keywords.
You can use the targetattr keyword to specify an attribute that is only present in the entry you
want to target, and not in any of the entries below your target. For example, if you want to target
6.3 Creating ACIs manually 239