HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

However, it is not permissible to use ampersands (&) as part of the expressions, such as groupdn = "LDAPURI0 && LDAPURL1", or double quotes, such as userdn = "ldap:///cn=Ralph "the doc" Wellman".
For example, to use two groupdn keywords so that the bind user must belong to both an Administrators group and a Managers group:
groupdn="ldap:///dc=example,dc=com??sub?(cn=*Administrators)" and groupdn="ldap:///dc=example,dc=com??sub?(cn=*Managers)"
For more information about LDAP URLs, see “LDAP URLs” (page 570).
The Directory Server Console defines specific groups through the Access Control Editor. For more
information, see “Creating ACIs from the console” (page 254).
Table 27 groupdn examples

Example:     groupdn = "ldap:///cn=Administrators,dc=example,dc=com";
Scenario:    Groupdn keyword containing an LDAP URL
Description: The bind rule is evaluated to be true if the bind DN belongs to the Administrators group. If you wanted to grant the Administrators group permission to write to the entire directory tree, you would create the following ACI on the dc=example,dc=com node:
             aci: (targetattr=*)(version 3.0; acl "Administrators-write"; allow (write) groupdn="ldap:///cn=Administrators,dc=example,dc=com";)

Example:     groupdn = "ldap:///dc=example,dc=com??sub?(cn=*Administrators)";
Scenario:    Groupdn keyword containing an LDAP URL with a filter
Description: The bind rule is evaluated to be true if the bind DN belongs to any of the groups which are returned, meaning they match the filter.

Example:     groupdn = "ldap:///cn=Administrators,dc=example,dc=com" || "ldap:///cn=Mail Administrators,dc=example,dc=com";
Scenario:    Groupdn keyword containing logical OR of LDAP URLs
Description: The bind rule is evaluated to be true if the bind DN belongs to either the Administrators or the Mail Administrators group.
6.4.4 Defining role access - roledn keyword
Members of a specific role can access a targeted resource. This is known as role access. Role access is defined using the roledn keyword to specify that access to a targeted entry is granted or denied if the user binds using a DN that belongs to a specific role.
The roledn keyword requires one or more valid distinguished names in the following format:
roledn = "ldap:///dn [|| ldap:///dn]... [|| ldap:///dn]"
The bind rule is evaluated to be true if the bind DN belongs to the specified role.
NOTE:
If a DN contains a comma, the comma must be escaped by a backslash (\).
The roledn keyword has the same syntax and is used in the same way as the groupdn keyword, with the exception of the LDAP filter, which is not implemented for role membership.
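To check bind-rule clauses against the restrictions described above before an ACI is loaded, here is an added example in Python; it is not code from the guide or from the Directory Server product, and the helper names (parse_bind_rule, parse_bind_rules, build_aci) are assumptions. It splits groupdn, roledn and userdn clauses into their LDAP URLs, rejects "&&", unescaped double quotes and a filter on roledn, and assembles an aci value in the layout of the Table 27 example.

```python
import re

# Bind-rule keywords covered by this section of the guide.
KEYWORDS = ("groupdn", "roledn", "userdn")
_RULE = re.compile(r"\s*(%s)\s*=\s*(.*?)\s*;?\s*$" % "|".join(KEYWORDS), re.S)
_SPLIT = re.compile(r"\s+(and|or)\s+(?=(?:%s)\s*=)" % "|".join(KEYWORDS))


def parse_bind_rule(rule: str) -> dict:
    """Parse one groupdn/roledn/userdn clause into its LDAP URLs, rejecting
    '&&' between URLs, an unescaped double quote inside a DN, and a filter
    in a roledn URL (the LDAP filter is only implemented for groups)."""
    m = _RULE.match(rule)
    if not m:
        raise ValueError("not a %s clause: %r" % ("/".join(KEYWORDS), rule))
    keyword, body = m.group(1), m.group(2)
    if "&&" in body:
        raise ValueError("'&&' is not permitted; join URLs with '||'")
    urls = []
    for piece in body.split("||"):
        # Accept both documented layouts: "url" || "url" and "url || url".
        piece = re.sub(r'^"|"$', "", piece.strip())
        if '"' in piece:
            raise ValueError("unescaped double quote in DN: %r" % piece)
        if not piece.startswith("ldap:///"):
            raise ValueError("expected an LDAP URL, got %r" % piece)
        # LDAP URL components after the empty host: dn?attributes?scope?filter
        parts = piece[len("ldap:///"):].split("?")
        if keyword == "roledn" and len(parts) > 3 and parts[3].strip():
            raise ValueError("roledn does not take an LDAP filter: %r" % piece)
        urls.append(piece)
    return {"keyword": keyword, "urls": urls}


def parse_bind_rules(expr: str) -> list:
    """Split clauses joined with 'and' / 'or' (the guide's two-groupdn
    example) and parse each; returns [(connective or None, parsed), ...]."""
    tokens = _SPLIT.split(expr)  # [clause, "and", clause, "or", clause, ...]
    return [(tokens[i - 1] if i else None, parse_bind_rule(tokens[i]))
            for i in range(0, len(tokens), 2)]


def build_aci(name: str, rights: str, bind_rule: str) -> str:
    """Assemble an aci value in the layout of Table 27 after validating the
    bind rule (hypothetical helper, not a server API)."""
    parsed = parse_bind_rule(bind_rule)
    clause = '%s="%s"' % (parsed["keyword"], '" || "'.join(parsed["urls"]))
    return '(targetattr=*)(version 3.0; acl "%s"; allow (%s) %s;)' % (
        name, rights, clause)
```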
6.4.5 Defining access based on value matching
You can set bind rules to specify that an attribute value of the entry used to bind to the directory must match an attribute value of the targeted entry.
For example, you can specify that the bind DN must match the DN in the manager attribute of a user entry in order for the ACI to apply. In this case, only the user's manager would have access to the entry.
6.4 Bind rules 247