HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

authentication, time and date restrictions, and specified location (“Granting conditional access to a group or role” (page 279)).
Deny individual subscribers access to the billing information in their own entries (“Denying access” (page 281)).
Grant anonymous access to the world to the individual subscribers subtree, except for subscribers who have specifically requested to be unlisted. (This part of the directory could be a consumer server outside of the firewall and be updated once a day.) For more information, see “Granting anonymous access” (page 273) and “Setting a target using filtering” (page 282).
6.9.1 Granting anonymous access
Most directories are run such that you can anonymously access at least one suffix for read, search, or compare. For example, you might want to set these permissions if you are running a corporate personnel directory that you want employees to be able to search, such as a phonebook. This is the case at example.com internally and is illustrated in “ACI "Anonymous example.com"” (page 273).
As an ISP, example.com also wants to advertise the contact information of all its subscribers by creating a public phonebook accessible to the world. This is illustrated in “ACI "Anonymous World"” (page 273).
6.9.1.1 ACI "Anonymous example.com"
In LDIF, to grant read, search, and compare permissions to the entire example.com tree to example.com employees, write the following statement:
aci: (targetattr !="userPassword")(version 3.0; acl "Anonymous Example"; allow (read, search, compare) userdn="ldap:///anyone" and dns="*.example.com";)
This example assumes that the aci attribute is added to the dc=example,dc=com entry. The
userPassword attribute is excluded from the scope of the ACI.
From the Console, set this permission by doing the following:
1. In the Directory tab, right-click the example.com node in the left navigation tree, and choose Set Access Permissions from the pop-up menu to display the Access Control Manager.
2. Click New to display the Access Control Editor.
3. In the Users/Groups tab, in the ACI name field, type Anonymous example.com. Check that All Users appears in the list of users granted access permission.
4. In the Rights tab, select the checkboxes for read, compare, and search rights. Make sure the other checkboxes are clear.
5. In the Targets tab, click This Entry to display the dc=example,dc=com suffix in the Target directory entry field. In the attribute table, locate the userPassword attribute, and clear the corresponding checkbox.
All other checkboxes should be selected. This task is made easier if you click the Name header to organize the list of attributes alphabetically.
6. In the Hosts tab, click Add, and in the DNS host filter field, type *.example.com. Click OK to dismiss the dialog box.
7. Click OK in the Access Control Editor window.
The new ACI is added to the ones listed in the Access Control Manager window.
6.9.1.2 ACI "Anonymous World"
In LDIF, to grant read and search access of the individual subscribers subtree to the world, while denying access to information on unlisted subscribers, write the following statement:
aci: (targetfilter="(!(unlistedSubscriber=yes))")(targetattr="homePostalAddress || homePhone || mail")(version 3.0; acl "Anonymous World"; allow (read, search) userdn="ldap:///anyone";)
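The following is an added example, not part of the HP-UX Directory Server guide, that models how the server would evaluate the two ACIs above ("Anonymous example.com" and "Anonymous World") against concrete requests. It parses only the ACI syntax those two statements use (targetfilter, targetattr with = or !=, one allow clause with userdn and an optional dns bind rule), applies Directory Server's rule that deny overrides allow and that nothing is granted without a matching allow, and checks a few constructed entries. It assumes both ACIs sit on dc=example,dc=com and that the entries tested are beneath that suffix; the entry values and host names are constructed.

```python
import fnmatch
import re

# Copies of the guide's two ACI values (the "aci:" LDIF prefix dropped).
ACI_ANON_EXAMPLE = (
    '(targetattr !="userPassword")(version 3.0; acl "Anonymous Example"; '
    'allow (read, search, compare) userdn="ldap:///anyone" and dns="*.example.com";)'
)
ACI_ANON_WORLD = (
    '(targetfilter="(!(unlistedSubscriber=yes))")'
    '(targetattr="homePostalAddress || homePhone || mail")'
    '(version 3.0; acl "Anonymous World"; allow (read, search) userdn="ldap:///anyone";)'
)


def parse_aci(text):
    """Parse the ACI subset used above: optional targetfilter, targetattr
    (= or !=), and one allow/deny clause with userdn and optional dns."""
    m_attr = re.search(r'\(targetattr\s*(!?=)\s*"([^"]*)"\)', text)
    m_filter = re.search(r'\(targetfilter\s*=\s*"([^"]*)"\)', text)
    m_body = re.search(
        r'acl\s*"([^"]*)"\s*;\s*(allow|deny)\s*\(([^)]*)\)\s*(.*?)\s*;\s*\)\s*$', text)
    if not m_body:
        raise ValueError("unsupported ACI syntax")
    bind = m_body.group(4)
    m_userdn = re.search(r'userdn\s*=\s*"ldap:///([^"]*)"', bind)
    m_dns = re.search(r'dns\s*=\s*"([^"]*)"', bind)
    return {
        "name": m_body.group(1),
        "effect": m_body.group(2),
        "rights": {r.strip() for r in m_body.group(3).split(",")},
        # targetattr != "x" means every attribute except x
        "attr_negated": bool(m_attr) and m_attr.group(1) == "!=",
        "attrs": {a.strip().lower() for a in m_attr.group(2).split("||")} if m_attr else None,
        "filter": m_filter.group(1) if m_filter else None,
        "userdn": m_userdn.group(1) if m_userdn else None,
        "dns": m_dns.group(1) if m_dns else None,
    }


def matches_filter(entry, filt):
    """Evaluate the minimal LDAP filter forms needed here: (attr=value) and (!(...))."""
    filt = filt.strip()
    if filt.startswith("(!"):
        return not matches_filter(entry, filt[2:-1])
    attr, _, value = filt.strip("()").partition("=")
    return value.lower() in (v.lower() for v in entry.get(attr.strip().lower(), []))


def bind_rule_matches(aci, bind_dn, client_host):
    """userdn "anyone" covers anonymous binds; "all" requires an authenticated bind.
    The dns keyword is a host-name wildcard match on the client's resolved name."""
    if aci["userdn"] == "anyone":
        dn_ok = True
    elif aci["userdn"] == "all":
        dn_ok = bind_dn is not None
    else:
        dn_ok = bind_dn is not None and bind_dn.lower() == aci["userdn"].lower()
    dns_ok = aci["dns"] is None or fnmatch.fnmatchcase(client_host.lower(), aci["dns"].lower())
    return dn_ok and dns_ok


def evaluate(acis, entry, attr, right, bind_dn=None, client_host="unknown"):
    """Return True if the request is permitted: a matching deny wins outright,
    and without any matching allow the default is deny."""
    allowed = False
    for aci in acis:
        if aci["filter"] and not matches_filter(entry, aci["filter"]):
            continue
        if aci["attrs"] is not None and (attr.lower() in aci["attrs"]) == aci["attr_negated"]:
            continue  # attribute not within this ACI's targetattr scope
        if right not in aci["rights"] or not bind_rule_matches(aci, bind_dn, client_host):
            continue
        if aci["effect"] == "deny":
            return False
        allowed = True
    return allowed


ACIS = [parse_aci(ACI_ANON_EXAMPLE), parse_aci(ACI_ANON_WORLD)]

# Constructed entries; attribute names are stored lower-cased.
EMPLOYEE = {"cn": ["Jane Doe"], "userpassword": ["constructed-placeholder"]}
LISTED = {"cn": ["Sam Subscriber"], "mail": ["sam@example.net"], "homephone": ["555-0100"]}
UNLISTED = {"cn": ["Pat Private"], "mail": ["pat@example.net"], "unlistedsubscriber": ["yes"]}

if __name__ == "__main__":
    for label, entry, attr, host in [
        ("employee cn, internal", EMPLOYEE, "cn", "host1.example.com"),
        ("employee userPassword, internal", EMPLOYEE, "userPassword", "host1.example.com"),
        ("listed mail, world", LISTED, "mail", "client.isp.net"),
        ("unlisted mail, world", UNLISTED, "mail", "client.isp.net"),
        ("unlisted mail, internal", UNLISTED, "mail", "host1.example.com"),
    ]:
        print(f"{label}: {'allow' if evaluate(ACIS, entry, attr, 'read', client_host=host) else 'deny'}")
```

The last case is the one worth checking when reviewing these ACIs together: because "Anonymous example.com" targets every attribute except userPassword for any client on *.example.com, an anonymous internal client can still read an unlisted subscriber's mail through that ACI even though "Anonymous World" excludes it; the targetfilter in the second ACI only narrows what the second ACI grants, it does not deny anything.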