HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

To evaluate the roledn part of the ACI, the server looks at the ou attribute stored in the targeted
entry and uses the value of this attribute to expand the macro. Therefore, in the example, the
roledn is expanded as follows:
roledn = "ldap:///cn=DomainAdmins,ou=Engineering,dc=HostedCompany1,dc=example,dc=com"
The Directory Server then evaluates the ACI according to the normal ACI evaluation algorithm.
When an attribute is multivalued, each value is used to expand the macro, and the first one that
provides a successful match is used. For example:
dn: cn=Jane Doe,ou=People,dc=HostedCompany1,dc=example,dc=com
cn: Jane Doe
sn: Doe
ou: Engineering, dc=HostedCompany1,dc=example,dc=com
ou: People, dc=HostedCompany1,dc=example,dc=com...
In this case, when the Directory Server evaluates the ACI, it performs a logical OR on the following
expanded expressions:
roledn = "ldap:///cn=DomainAdmins,ou=Engineering,dc=HostedCompany1,dc=example,dc=com"
roledn = "ldap:///cn=DomainAdmins,ou=People,dc=HostedCompany1,dc=example,dc=com"
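The per-value expansion and logical OR described above, as an added Python sketch that is not taken from this guide or from the server's own code. The bind-rule template and the role lists passed to roledn_matches are assumptions (the ACI itself is not shown in this section), and the DN normalization is deliberately simplified.

```python
import re

# Assumed macro ACI bind rule; the ACI itself is not shown in this section.
ROLEDN_TEMPLATE = "ldap:///cn=DomainAdmins,ou=[$attr.ou]"

# Constructed copy of the targeted entry from the text (multivalued ou).
TARGET_ENTRY = {
    "dn": ["cn=Jane Doe,ou=People,dc=HostedCompany1,dc=example,dc=com"],
    "cn": ["Jane Doe"],
    "sn": ["Doe"],
    "ou": ["Engineering, dc=HostedCompany1,dc=example,dc=com",
           "People, dc=HostedCompany1,dc=example,dc=com"],
}

MACRO = re.compile(r"\[\$attr\.([A-Za-z][A-Za-z0-9-]*)\]")


def normalize_dn(url):
    """Simplified normalization: drop ldap:///, trim RDN spacing, lowercase."""
    prefix = "ldap:///"
    dn = url[len(prefix):] if url.lower().startswith(prefix) else url
    return ",".join(part.strip() for part in dn.split(",")).lower()


def expand_roledn(template, entry):
    """Return one expanded roledn per value of the attribute named in the macro."""
    m = MACRO.search(template)
    if m is None:
        return [template]
    # Assumption in this sketch: a missing attribute yields no expansion at all.
    wanted = m.group(1).lower()
    values = next((v for k, v in entry.items() if k.lower() == wanted), [])
    return [template[:m.start()] + v + template[m.end():] for v in values]


def roledn_matches(template, entry, user_roles):
    """Logical OR over the expansions: return the first one the user holds."""
    held = {normalize_dn(r) for r in user_roles}
    for expanded in expand_roledn(template, entry):
        if normalize_dn(expanded) in held:
            return expanded
    return None


if __name__ == "__main__":
    for line in expand_roledn(ROLEDN_TEMPLATE, TARGET_ENTRY):
        print("roledn =", normalize_dn(line))
```

Running expand_roledn over every entry in a subtree lists each role DN that a macro ACI can resolve to, which is a practical way to review how far a multivalued attribute widens access.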
6.11 Access control and replication
ACIs are stored as attributes of entries; therefore, if an entry containing ACIs is part of a replicated
database, the ACIs are replicated like any other attribute.
ACIs are always evaluated on the Directory Server that services the incoming LDAP requests. This
means that when a consumer server receives an update request, it returns a referral to the supplier
server before evaluating whether the request can be serviced on the supplier.
6.12 Compatibility with earlier releases
Some ACI keywords that were used in earlier releases of Directory Server have been deprecated.
However, for reasons of backward compatibility, the following keywords are still supported:
userdnattr
groupdnattr
Therefore, if you have set up a replication agreement between a legacy supplier server and a
version 8.0 consumer, there should not be any problems in the replication of ACIs.