HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

5. In the Targets tab, type the dc=example,dc=com suffix in the Target directory entry field. In the
attribute table, select the checkbox for the member attribute.
All other checkboxes should be clear. If it is easier, click Check None to clear the checkboxes
for every attribute in the table, click the Name header to sort the attributes alphabetically,
and then select only the member attribute.
6. Click OK.
The new ACI is added to the ones listed in the Access Control Manager window.
6.9.10 Defining permissions for DNs that contain a comma
DNs that contain commas require special treatment within your LDIF ACI statements. In the target
and bind rule portions of the ACI statement, every comma that is part of an attribute value must be
escaped with a single backslash (\), exactly as it is in the entry's own DN. The DN in the target
must name the entry as it is stored in the directory, so keep the spacing after the escaped comma
identical in the entry DN, the target, and the bind rule. In LDIF, an aci value that spans several
lines is continued by starting each following line with a single space. For example:
dn: dc=example.com Bolivia\, S.A.,dc=com
objectClass: top
objectClass: organization
aci: (target="ldap:///dc=example.com Bolivia\, S.A.,dc=com")(targetattr=*)
 (version 3.0; acl "aci 2"; allow (all)
 groupdn = "ldap:///cn=Directory Administrators,dc=example.com Bolivia\, S.A.,dc=com";)
6.9.11 Proxied authorization ACI example
Proxied authorization allows one user to bind and perform operations as another user. For example,
example.com has an accounting program that must be able to bind to the directory as an
accounting administrator in order to write data. This authorization assumes three things:
• The client application's bind DN is
uid=MoneyWizAcctSoftware,ou=Applications,dc=example,dc=com.
• The targeted subtree to which the client application is requesting access is
ou=Accounting,dc=example,dc=com.
• An accounting administrator with access permissions to the
ou=Accounting,dc=example,dc=com subtree exists in the directory.
In order for the client application to gain access to the accounting subtree, using the same access
permissions as the accounting administrator, two ACIs must be set:
• The accounting administrator must have access permissions to the
ou=Accounting,dc=example,dc=com subtree, so the following ACI grants all rights
to the accounting administrator entry:
aci: (target="ldap:///ou=Accounting,dc=example,dc=com")(targetattr="*")
 (version 3.0; acl "allowAll-AcctAdmin"; allow (all)
 userdn="ldap:///uid=AcctAdministrator,ou=Administrators,dc=example,dc=com";)
• There must be an ACI granting proxy rights to the client application in the directory:
aci: (target="ldap:///ou=Accounting,dc=example,dc=com")(targetattr="*")
 (version 3.0; acl "allow proxy-accounting software"; allow (proxy)
 userdn="ldap:///uid=MoneyWizAcctSoftware,ou=Applications,dc=example,dc=com";)
With these two ACIs in place, the MoneyWizAcctSoftware client application can bind to the directory
as itself and send an LDAP operation such as ldapsearch or ldapmodify that carries the proxied
authorization control, so that the operation is evaluated with the access rights of the proxy DN.
The control names the DN to be impersonated; with the Mozilla-based ldapmodify and ldapsearch
commands shipped with Directory Server, that DN is passed with the -Y option, for example:
ldapmodify -D "uid=MoneyWizAcctSoftware,ou=Applications,dc=example,dc=com" \
-w secret -Y "uid=AcctAdministrator,ou=Administrators,dc=example,dc=com"
The client or application (MoneyWizAcctSoftware) binds with its own credentials but is granted the
privileges of the proxy entry (AcctAdministrator); it does not need the password of the proxy entry.
For that reason, treat the proxy right like a credential: grant it only to the specific application
DN that needs it, only over the subtree it needs, and protect the bind password of that application
DN as carefully as the administrator's own. The Directory Manager cannot be impersonated through
proxied authorization.
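The following Python module is an added example, not code from the HP-UX Directory Server guide; it
serves both section 6.9.10 (DNs containing a comma) and section 6.9.11 (the proxied authorization ACI
pair). It escapes RDN values the way RFC 4514 requires, builds the ACI strings and the LDIF change
records that install them with properly indented continuation lines, and checks that an ACI target
really names the intended entry, which catches the dropped space after an escaped comma that makes a
target like "Bolivia\,S.A." miss the "Bolivia\, S.A." entry. The DNs and ACI names are the ones used
in this chapter; the helper names (escape_rdn_value, make_dn, split_dn, dn_equal, aci, aci_target,
fold_ldif, ldif_add_acis) are this example's own and are not Directory Server APIs.

```python
import re

# Characters RFC 4514 requires to be backslash-escaped inside an RDN value.
_RDN_SPECIAL = ',+"\\<>;'


def escape_rdn_value(value):
    """Escape one attribute value for use inside a DN string (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _RDN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")      # a leading '#' would mark a hex-encoded value
        elif ch == " " and i in (0, last):
            out.append("\\ ")      # leading/trailing spaces are otherwise dropped
        else:
            out.append(ch)
    return "".join(out)


def make_dn(*rdns):
    """Join (type, value) pairs into a DN string, escaping every value."""
    return ",".join("%s=%s" % (t, escape_rdn_value(v)) for t, v in rdns)


def split_dn(dn):
    """Split a DN on the commas that are not preceded by a backslash."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn)]


def dn_equal(a, b):
    """Compare two DNs: attribute types case-insensitively, values verbatim.
    This is stricter than the server's matching rules, but it flags the one
    mistake that matters here: a space dropped after an escaped comma."""
    def norm(dn):
        return [(t.strip().lower(), v) for t, _, v in
                (rdn.partition("=") for rdn in split_dn(dn))]
    return norm(a) == norm(b)


def aci(name, target_dn, rights, bind_rule, targetattr="*"):
    """Render one ACI. DNs passed in must already be escaped."""
    return ('(target="ldap:///%s")(targetattr="%s")'
            '(version 3.0; acl "%s"; allow (%s) %s;)'
            % (target_dn, targetattr, name, ",".join(rights), bind_rule))


def aci_target(aci_text):
    """Return the DN named by an ACI's target keyword, or None."""
    m = re.search(r'target="ldap:///([^"]*)"', aci_text)
    return m.group(1) if m else None


def fold_ldif(attr, value, width=76):
    """Split one LDIF attribute into lines; every continuation line begins
    with a single space, which is what multi-line aci values need."""
    line = "%s: %s" % (attr, value)
    lines, rest = [line[:width]], line[width:]
    while rest:
        lines.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return lines


def ldif_add_acis(entry_dn, acis):
    """LDIF change record that adds the given ACIs to entry_dn."""
    lines = fold_ldif("dn", entry_dn) + ["changetype: modify", "add: aci"]
    for a in acis:
        lines += fold_ldif("aci", a)
    return "\n".join(lines) + "\n"


# Section 6.9.10: an entry whose dc value contains a comma (DNs from the guide).
BOLIVIA = make_dn(("dc", "example.com Bolivia, S.A."), ("dc", "com"))
BOLIVIA_ADMINS = make_dn(("cn", "Directory Administrators"),
                         ("dc", "example.com Bolivia, S.A."), ("dc", "com"))
BOLIVIA_ACI = aci("aci 2", BOLIVIA, ["all"], 'groupdn="ldap:///%s"' % BOLIVIA_ADMINS)

# Section 6.9.11: the two ACIs proxied authorization needs (DNs from the guide).
ACCOUNTING = make_dn(("ou", "Accounting"), ("dc", "example"), ("dc", "com"))
ACCT_ADMIN = make_dn(("uid", "AcctAdministrator"), ("ou", "Administrators"),
                     ("dc", "example"), ("dc", "com"))
ACCT_APP = make_dn(("uid", "MoneyWizAcctSoftware"), ("ou", "Applications"),
                   ("dc", "example"), ("dc", "com"))
PROXY_ACIS = [
    aci("allowAll-AcctAdmin", ACCOUNTING, ["all"], 'userdn="ldap:///%s"' % ACCT_ADMIN),
    aci("allow proxy-accounting software", ACCOUNTING, ["proxy"],
        'userdn="ldap:///%s"' % ACCT_APP),
]

if __name__ == "__main__":
    print(ldif_add_acis(BOLIVIA, [BOLIVIA_ACI]))
    print(ldif_add_acis(ACCOUNTING, PROXY_ACIS))
    # A target written "Bolivia\,S.A." does not name the "Bolivia\, S.A." entry.
    print(dn_equal(BOLIVIA, aci_target(BOLIVIA_ACI)))                 # True
    print(dn_equal(BOLIVIA, "dc=example.com Bolivia\\,S.A.,dc=com"))  # False
```

The LDIF that ldif_add_acis prints can be fed to ldapmodify as usual; the point of dn_equal is to run it
over every ACI before loading it, because an ACI whose target does not match any entry fails silently
from the client's point of view and simply grants nothing.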
284 Managing Access Control