HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

6 Managing Access Control
HP-UX Directory Server allows you to control access to your directory. This chapter describes
how to implement access control. To take full advantage of the power and flexibility of access
control, define an access control strategy as an integral part of your overall security policy
while you are still in the planning phase for your directory deployment.
Topics include:
“Access control principles” (page 232)
“Default ACIs” (page 234)
“Creating ACIs manually” (page 235)
“Bind rules” (page 242)
“Creating ACIs from the console” (page 254)
“Viewing ACIs” (page 262)
“Checking access rights on entries (get effective rights)” (page 262)
“Logging access control information” (page 272)
“Access control usage examples” (page 272)
“Advanced access control: Using macro ACIs” (page 285)
“Access control and replication” (page 289)
“Compatibility with earlier releases” (page 289)
6.1 Access control principles
The mechanism that defines user access is called access control. When the server receives a request,
it uses the authentication information provided by the user in the bind operation and the access
control instructions (ACIs) defined in the server to allow or deny access to directory information.
The server can allow or deny permissions for actions on entries like read, write, search, and
compare. The permission level granted to a user may depend on the authentication information
provided.
Access control in Directory Server is flexible enough to provide very precise rules on when the
ACIs are applicable:
For the entire directory, a subtree of the directory, specific entries in the directory (including
entries defining configuration tasks), or a specific set of entry attributes.
For a specific user, all users belonging to a specific group or role, or all users of the directory.
For a specific location such as an IP address or a DNS name.
6.1.1 ACI structure
Access control instructions are stored in the directory as attributes of entries. The aci attribute is
an operational attribute; it is available for use on every entry in the directory, regardless of whether
it is defined for the object class of the entry. It is used by the Directory Server to evaluate what
rights are granted or denied when it receives an LDAP request from a client. The aci attribute is
returned in an ldapsearch operation if specifically requested.
The three main parts of an ACI statement are:
Target
Permission
Bind Rule
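As an added example that is not part of this guide, the following Python splits an aci value into the three parts just listed (target, permission, bind rule) and flags allow rules that hand a modifying right to every bound or anonymous user. The aci values it works on are constructed samples written in Directory Server's `(target)(version 3.0; acl "name"; permission bind-rule;)` syntax; the function names are this example's own.

```python
"""Split Directory Server aci values into target, permission and bind-rule
parts, then flag broad modifying grants.  Added example; the ACI strings
in SAMPLE_ACIS are constructed for illustration."""
import re

# Leading target clauses, e.g. (targetattr="userPassword") or (target="ldap:///...").
_TARGET_RE = re.compile(r'\((\w+)\s*(!?=)\s*"([^"]*)"\)')
# One permission rule: allow|deny (rights) bind-rule ;
_PERM_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*([^;]+);', re.IGNORECASE)

SAMPLE_ACIS = [  # constructed sample values of the aci attribute
    '(targetattr="userPassword")(version 3.0; acl "Self password write"; '
    'allow (write) userdn="ldap:///self";)',
    '(target="ldap:///ou=People,dc=example,dc=com")(targetattr="*")(version 3.0; '
    'acl "Anonymous read"; allow (read, search, compare) userdn="ldap:///anyone";)',
    '(targetattr="*")(version 3.0; acl "Risky"; allow (write, delete) userdn="ldap:///all";)',
]

def parse_aci(aci):
    """Return {'target': [(keyword, op, value)], 'name': str, 'rules': [...]}."""
    head, sep, body = aci.partition("(version 3.0;")
    if not sep:
        raise ValueError("not a version 3.0 ACI: %r" % aci)
    targets = _TARGET_RE.findall(head)           # zero or more target clauses
    name_match = re.match(r'\s*acl\s+"([^"]*)"\s*;', body)
    if not name_match:
        raise ValueError("missing acl name in %r" % aci)
    rules = []
    for kind, rights, bind in _PERM_RE.findall(body[name_match.end():]):
        rights = [r.strip().lower() for r in rights.split(",") if r.strip()]
        rules.append({"type": kind.lower(), "rights": rights, "bind": bind.strip()})
    return {"target": targets, "name": name_match.group(1), "rules": rules}

MODIFY_RIGHTS = {"write", "add", "delete", "all"}

def permissive_grants(aci):
    """Return the acl name once per allow rule that gives a modifying right
    to ldap:///anyone (anonymous) or ldap:///all (any authenticated user)."""
    parsed = parse_aci(aci)
    hits = []
    for rule in parsed["rules"]:
        broad = re.search(r'ldap:///(anyone|all)\b', rule["bind"], re.IGNORECASE)
        if rule["type"] == "allow" and broad and MODIFY_RIGHTS & set(rule["rights"]):
            hits.append(parsed["name"])
    return hits

if __name__ == "__main__":
    for value in SAMPLE_ACIS:
        print(parse_aci(value)["name"], "->", permissive_grants(value) or "ok")
```

Run over an LDIF export of the aci attribute, this gives a quick audit of which ACIs widen write access beyond a specific user or group.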
232 Managing Access Control