HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

authmethod = "ssl";
The bind rule is evaluated to be true if the client is accessing the directory using the SASL
DIGEST-MD5 mechanism.
authmethod = "sasl DIGEST-MD5";
6.4.10 Using Boolean bind rules
Bind rules can be complex expressions that use the Boolean expressions AND, OR, and NOT to set
very precise access rules. You cannot use the Directory Server Console to create Boolean bind
rules. You must create an LDIF statement.
The LDIF syntax for a Boolean bind rule is as follows:
bind_rule [boolean][bind_rule][boolean][bind_rule]...;)
For example, this bind rule is evaluated to be true if the bind DN is a member of either the
administrator's group or the Mail Administrator's group and if the client is running from
within the example.com domain:
(groupdn = "ldap:///cn=administrators,dc=example,dc=com" or
groupdn = "ldap:///cn=mail administrators,dc=example,dc=com" and
dns = "*.example.com";)
The trailing semicolon (;) is a required delimiter that must appear after the final bind rule.
Boolean expressions are evaluated in the following order:
Innermost to outermost parenthetical expressions first.
All expressions from left to right.
NOT before AND or OR operators.
OR and AND operators have no order of precedence.
Consider the following Boolean bind rules:
(bind_rule_A) OR (bind_rule_B)
(bind_rule_B) OR (bind_rule_A)
Because Boolean expressions are evaluated from left to right, in the first case, bind rule A is
evaluated before bind rule B, and, in the second case, bind rule B is evaluated before bind rule
A.
However, the Boolean NOT is evaluated before the Boolean OR and Boolean AND. Thus, in the
following example, bind rule B is evaluated before bind rule A despite the left-to-right rule.
(bind_rule_A) AND NOT (bind_rule_B)
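The evaluation order above differs from most programming languages, where AND binds tighter than OR. The following is an added example, not code from this guide or from Directory Server: a small Python model of the stated rules (parentheses first, NOT before AND/OR, AND/OR left to right), with function names and client facts constructed for illustration.

```python
import re

# Tokens: parenthesis | Boolean operator | atomic rule of the form keyword = "value"
TOKEN = re.compile(r'[()]|\b(?:and|or|not)\b|\w+\s*=\s*"[^"]*"', re.I)

def tokenize(expr):
    if TOKEN.sub("", expr).strip("; \t\r\n"):
        raise ValueError("unrecognised text in bind rule")
    # Normalise atoms to 'keyword = "value"'; lower-case the operators
    return [re.sub(r'\s*=\s*', " = ", t, count=1) if '"' in t else t.lower()
            for t in TOKEN.findall(expr)]

def evaluate(expr, facts):
    toks = tokenize(expr)[::-1]         # reversed so pop() yields tokens in order

    def operand():                      # parentheses and NOT bind tightest
        tok = toks.pop() if toks else None
        if tok == "not":
            return not operand()
        if tok == "(":
            value = chain()
            if not toks or toks.pop() != ")":
                raise ValueError("missing ')'")
            return value
        if tok in (None, ")", "and", "or"):
            raise ValueError(f"unexpected {tok!r}")
        return facts[tok]               # truth value of one atomic bind rule

    def chain():                        # AND/OR: equal precedence, left to right
        value = operand()
        while toks and toks[-1] in ("and", "or"):
            op, rhs = toks.pop(), operand()
            value = (value and rhs) if op == "and" else (value or rhs)
        return value

    result = chain()
    if toks:
        raise ValueError(f"unexpected {toks[-1]!r}")
    return result

# Rule from this section; constructed facts: an administrator outside example.com
PAGE_RULE = '''(groupdn = "ldap:///cn=administrators,dc=example,dc=com" or
groupdn = "ldap:///cn=mail administrators,dc=example,dc=com" and
dns = "*.example.com";)'''
FACTS = {
    'groupdn = "ldap:///cn=administrators,dc=example,dc=com"': True,
    'groupdn = "ldap:///cn=mail administrators,dc=example,dc=com"': False,
    'dns = "*.example.com"': False,
}
```

For the constructed client, evaluate(PAGE_RULE, FACTS) returns False because the rule is read as (A or B) and C. Reading it with AND binding tighter, A or (B and C), would give True for the same facts, so use explicit parentheses whenever a bind rule mixes AND and OR.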
6.5 Creating ACIs from the console
You can use the Directory Server Console to view, create, edit, and delete access control instructions
for your directory:
“Displaying the Access Control Editor” (page 255)
“Creating a new ACI” (page 256)
“Editing an ACI” (page 261)
“Deleting an ACI” (page 261)
See Access control usage examples (page 272) for a collection of access control rules commonly
used in Directory Server security policies, along with step-by-step instructions for using the Directory
Server Console to create them.