HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

userdn = "ldap:///self" Defines self access
userdn = "ldap:///parent" Defines access for the parent entry
The userdn keyword can also be expressed as an LDAP filter:
ldap:///suffix??scope?(filter)
NOTE:
If a DN contains a comma, the comma must be preceded by a backslash (\) escape character.
6.4.2.1 Anonymous access (anyone keyword)
Granting anonymous access to the directory means that anyone can access it without providing
a bind DN or password and regardless of the circumstances of the bind. You can limit anonymous
access to specific types of access (for example, read or search access) or to specific subtrees or
individual entries within the directory.
From the Directory Server Console, you define anonymous access through the Access Control Editor.
See “Creating ACIs from the console” (page 254).
6.4.2.2 General access (all keyword)
You can use bind rules to indicate that a permission applies to anyone who has successfully bound
to the directory; that is, all authenticated users. This allows general access while preventing
anonymous access.
From the Directory Server Console, you define general access on the Access Control Editor. For
more information, see “Creating ACIs from the console” (page 254).
6.4.2.3 Self access (self keyword)
Specifies that users are granted or denied access to their own entries. In this case, access is granted
or denied if the bind DN matches the DN of the targeted entry.
From the Directory Server Console, you set up self access on the Access Control Editor. For more
information, see “Creating ACIs from the console” (page 254).
6.4.2.4 Parent access (parent keyword)
Specifies that users are granted or denied access to the entry only if their bind DN is the parent
of the targeted entry.
You cannot set up parent access control using the Directory Server Console.
6.4.2.5 LDAP URLs
You can dynamically target users in ACIs using a URL with an LDAP filter:
userdn = "ldap:///suffix??scope?(filter)"
For example, all users in the accounting and engineering branches of the example.com tree
would be granted or denied access to the targeted resource dynamically based on the following
URL:
userdn = "ldap:///dc=example,dc=com??sub?(|(ou=engineering)(ou=accounting))"
NOTE:
Do not specify a host name or port number within the LDAP URL. LDAP URLs always apply to the
local server.
It is possible to string multiple LDAP URLs together so that the bind user must match both filter A
and filter B. This is done by using multiple userdn keyword definitions. For example:
userdn="ldap:///dc=example,dc=com??sub?(ou=engineering)" and
userdn="ldap:///dc=example,dc=com??sub?(manager="uid=bjensen,ou=managers,dc=example,dc=com")"
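As an added illustration (not code from the guide or from HP-UX Directory Server), the following evaluates userdn LDAP URLs of the form ldap:///suffix??scope?(filter) against a small constructed in-memory directory, including the case where several userdn keywords are joined with "and" and the bind DN must match all of them. The entries, the restricted filter grammar (equality, &, |) and the rejection of URLs that carry a host or port are assumptions of the example.

```python
import re

# Constructed sample entries (not from the guide): bind DN -> attributes.
DIRECTORY = {
    "uid=bjensen,ou=managers,dc=example,dc=com": {"ou": ["managers"]},
    "uid=tmorris,ou=engineering,dc=example,dc=com": {
        "ou": ["engineering"],
        "manager": ["uid=bjensen,ou=managers,dc=example,dc=com"]},
    "uid=ajones,ou=sales,dc=example,dc=com": {"ou": ["sales"]},
}

def parse_userdn_url(url):
    """Split ldap:///suffix??scope?(filter); a host or port is rejected."""
    m = re.fullmatch(r"ldap:///([^?]*)\?\?(base|one|sub)?\?(\(.*\))", url)
    if not m:
        raise ValueError("unsupported userdn URL: " + url)
    suffix, scope, flt = m.groups()
    return suffix.lower(), scope or "base", flt

def in_scope(dn, suffix, scope):
    """Is dn at or below suffix within scope? Assumes no escaped commas."""
    dn = dn.lower()
    if not (dn == suffix or dn.endswith("," + suffix)):
        return False
    depth = dn[: len(dn) - len(suffix)].count(",")  # RDNs below the suffix
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

def match_filter(attrs, flt):
    """Evaluate equality, & and | filters (not a full RFC 4515 parser)."""
    body = flt[1:-1]
    if body[0] in "&|":  # split the nested filters at paren depth 0
        subs, depth, start = [], 0, 1
        for i in range(1, len(body)):
            depth += {"(": 1, ")": -1}.get(body[i], 0)
            if depth == 0:
                subs.append(body[start:i + 1])
                start = i + 1
        results = [match_filter(attrs, s) for s in subs]
        return all(results) if body[0] == "&" else any(results)
    attr, _, value = body.partition("=")
    value = value.strip('"').lower()  # the guide quotes DN-valued filters
    return value in (v.lower() for v in attrs.get(attr.lower(), []))

def bind_dn_matches(bind_dn, *urls):
    """True only if the bind DN satisfies every URL ('and'-joined userdn)."""
    attrs = DIRECTORY.get(bind_dn)
    if attrs is None:
        return False
    return all(in_scope(bind_dn, s, sc) and match_filter(attrs, f)
               for s, sc, f in map(parse_userdn_url, urls))
```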
244 Managing Access Control