HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

a. Select and remove All Users, then click Add.
The Add Users and Groups dialog box opens.
b. Set the Search area to Special Rights, and select Self from the search results list.
c. Click the Add button to list Self in the list of users who are granted access permission.
d. Click OK to dismiss the Add Users and Groups dialog box.
4. In the Rights tab, select the checkbox for write. Make sure the other checkboxes are clear.
5. In the Targets tab, click This Entry to display the ou=subscribers,dc=example,dc=com suffix in the Target directory entry field.
a. In the Filter for subentries field, type the following filter:
(!(unlistedSubscriber=yes))
b. In the attribute table, select the checkboxes for the homePhone, homePostalAddress,
and mail attributes.
All other checkboxes should be clear; if necessary, click the Check None button to clear
the checkboxes for all attributes in the table, then click the Name header to organize
them alphabetically, and select the appropriate ones.
c. Optionally, to require users to authenticate over SSL, switch to manual editing by clicking
the Edit Manually button, and add authmethod="ssl" to the bind rule of the ACI statement,
joined to the userdn clause with and, so that it reads as follows:
(targetattr="homePostalAddress || homePhone || mail")
(version 3.0; acl "Write Subscribers"; allow (write)
(userdn= "ldap:///self") and authmethod="ssl";)
6. Click OK.
The new ACI is added to the ones listed in the Access Control Manager window.
6.9.3 Restricting access to key roles
You can use role definitions in the directory to identify functions that are critical to your business,
the administration of your network and directory, or another purpose.
For example, you might create a superAdmin role by identifying a subset of your system
administrators that are available at a particular time of day and day of the week at corporate sites
worldwide, or you might want to create a First Aid role that includes all members of staff on
a particular site that have done first aid training. For information on creating role definitions, see
“Using roles” (page 166).
When a role grants privileged rights over critical corporate or business functions, consider
restricting who can add that role to an entry. For example, at example.com, employees can add any
role to their own entry except the superAdmin role. This is illustrated in ACI "Roles" (page 276).
6.9.3.1 ACI "Roles"
In LDIF, to grant example.com employees the right to add any role to their own entry except the
superAdmin role, write the following statement:
aci: (targetattr = "nsroledn")
 (targattrfilters="add=nsroledn:(nsroledn != "cn=superAdmin,dc=example,dc=com")")
 (version 3.0; acl "Roles"; allow (write) userdn= "ldap:///self" and dns="*.example.com";)
This example assumes that the ACI is added to the ou=example-people,dc=example,dc=com
entry.
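To see what the two ACIs on this page actually permit, here is a small Python model that evaluates requests against the "Write Subscribers" ACI from the Console procedure above (with the step 5a filter, which in ACI syntax is the targetfilter keyword, and the optional authmethod="ssl" bind rule) and against the "Roles" ACI just above. It is an added example, not code from this guide or from the HP-UX Directory Server product: the Aci and Request classes, the granting_aci function, the sample DNs (uid=jsmith under each organizational unit) and the client host names are assumptions made for illustration, and only allow ACIs are modeled.

```python
"""Model of the two ACIs on this page: "Write Subscribers" (the Console
procedure above, with authmethod="ssl" added) and "Roles" (the LDIF above).
Added example, not code from the HP-UX Directory Server product or guide;
the data model, sample DNs and host names are assumptions for illustration.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Callable, Optional


def dn_norm(dn: str) -> str:
    """Normalize a DN for comparison: lowercase, no space after commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def is_under(dn: str, base: str) -> bool:
    """True if dn is base itself or lies below it (the ACI's scope)."""
    d, b = dn_norm(dn), dn_norm(base)
    return d == b or d.endswith("," + b)


@dataclass
class Aci:
    name: str
    placed_on: str                  # entry that carries the aci attribute
    targetattr: set                 # attributes the ACI covers
    rights: set                     # e.g. {"write"}
    targetfilter: Optional[Callable[[dict], bool]] = None   # entry -> bool
    targattrfilters_add: dict = field(default_factory=dict)  # attr -> value check
    self_only: bool = False         # userdn = "ldap:///self"
    authmethod: Optional[str] = None
    dns: Optional[str] = None       # glob such as "*.example.com"


@dataclass
class Request:
    bind_dn: str
    bind_authmethod: str            # "simple", "ssl", ...
    bind_host: str                  # client host name as resolved by the server
    entry_dn: str
    entry: dict                     # attribute name -> list of values
    attr: str                       # attribute being modified
    add_values: tuple = ()          # values being added (for targattrfilters)
    right: str = "write"


def aci_allows(aci: Aci, req: Request) -> bool:
    """True if this single allow ACI grants the request."""
    if req.right not in aci.rights or not is_under(req.entry_dn, aci.placed_on):
        return False
    if req.attr.lower() not in {a.lower() for a in aci.targetattr}:
        return False
    if aci.targetfilter is not None and not aci.targetfilter(req.entry):
        return False
    value_ok = aci.targattrfilters_add.get(req.attr.lower())
    if value_ok is not None and not all(value_ok(v) for v in req.add_values):
        return False                # every added value must pass the add filter
    if aci.self_only and dn_norm(req.bind_dn) != dn_norm(req.entry_dn):
        return False
    if aci.authmethod is not None and req.bind_authmethod != aci.authmethod:
        return False
    if aci.dns is not None and not fnmatch(req.bind_host.lower(), aci.dns.lower()):
        return False
    return True


def granting_aci(acis, req: Request) -> Optional[str]:
    """Name of the first ACI granting the request, or None: access is denied
    unless some allow ACI matches. Deny ACIs are not modeled here."""
    for aci in acis:
        if aci_allows(aci, req):
            return aci.name
    return None


def listed(entry: dict) -> bool:
    """(!(unlistedSubscriber=yes)): no such attribute, or another value, passes."""
    return "yes" not in [v.lower() for v in entry.get("unlistedSubscriber", [])]


WRITE_SUBSCRIBERS = Aci("Write Subscribers", "ou=subscribers,dc=example,dc=com",
                        {"homePostalAddress", "homePhone", "mail"}, {"write"},
                        targetfilter=listed, self_only=True, authmethod="ssl")

ROLES = Aci("Roles", "ou=example-people,dc=example,dc=com", {"nsroledn"}, {"write"},
           targattrfilters_add={"nsroledn": lambda v: dn_norm(v)
                                != dn_norm("cn=superAdmin,dc=example,dc=com")},
           self_only=True, dns="*.example.com")

ACIS = [WRITE_SUBSCRIBERS, ROLES]

if __name__ == "__main__":
    me = "uid=jsmith,ou=subscribers,dc=example,dc=com"   # constructed sample DN
    req = Request(me, "ssl", "pc1.example.com", me, {"uid": ["jsmith"]}, "mail")
    print(granting_aci(ACIS, req))      # Write Subscribers
    req.bind_authmethod = "simple"
    print(granting_aci(ACIS, req))      # None: bind rule requires SSL
```

Two things the model makes visible that the Console dialogs do not: the targattrfilters add filter has to hold for every value in one modify operation, so a request that adds cn=First Aid and cn=superAdmin together is refused as a whole, and the dns bind rule depends on the server resolving the client's address to a name under example.com, so a client with no reverse lookup is denied even from inside the network. Check how your server defines authmethod="ssl" (whether a simple bind over a TLS connection qualifies, or only a certificate-based bind) before relying on that rule; the model only compares labels.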
From the Console, set this permission by doing the following:
276 Managing Access Control