HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

ou=people,dc=example,dc=com, and there are not any organizational units (ou) defined
below that node, you could specify an ACI that contains targetattr=ou.
A safer method is to use the targetfilter keyword and to specify explicitly an attribute value
that appears in the entry alone. For example, during the installation of the Directory Server, the
following ACI is created:
aci: (targetattr="*")(targetfilter=(o=NetscapeRoot))(version 3.0;
acl "Default anonymous access"; allow (read, search) userdn="ldap:///anyone";)
This ACI can apply only to the o=NetscapeRoot entry.
The risk associated with this method is that your directory tree might change in the future, and
you would have to remember to modify this ACI.
6.3.3 Defining permissions
Permissions specify the type of access you are allowing or denying. You can either allow or deny
permission to perform specific operations in the directory. The various operations that can be
assigned are known as rights.
There are two parts to setting permissions:
Allowing or denying access
Assigning rights
6.3.3.1 Allowing or denying access
You can either explicitly allow or deny access permissions to the directory tree.
NOTE:
From the Directory Server Console, you cannot explicitly deny access, only grant permissions.
6.3.3.2 Assigning rights
Rights detail the specific operations a user can perform on directory data. You can allow or deny
all rights, or you can assign one or more of the following rights:
Table 24 User rights
Right      Description
Read       Indicates whether users can read directory data. This permission applies only to the
           search operation.
Write      Indicates whether users can modify an entry by adding, modifying, or deleting
           attributes. This permission applies to the modify and modrdn operations.
Add        Indicates whether users can create an entry. This permission applies only to the add
           operation.
Delete     Indicates whether users can delete an entry. This permission applies only to the delete
           operation.
Search     Indicates whether users can search for the directory data. Users must have Search and
           Read rights in order to view the data returned as part of a search result. This
           permission applies only to the search operation.
Compare    Indicates whether the users can compare data they supply with data stored in the
           directory. With compare rights, the directory returns a success or failure message in
           response to an inquiry, but the user cannot see the value of the entry or attribute.
           This permission applies only to the compare operation.
Selfwrite  Indicates whether users can add or delete their own DN from a group. This right is
           used only for group management.
Proxy      Indicates whether the specified DN can access the target with the rights of another
           entry.
All        Indicates that the specified DN has all rights (read, write, search, delete, compare,
           and selfwrite) to the targeted entry, excluding proxy rights.
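As an added example that is not part of the HP-UX Directory Server guide, the following Python script parses an aci value into its target keywords (target, targetattr, targetfilter), its acl name and its allow/deny clauses, rejects rights that are not named in Table 24, expands all exactly as Table 24 defines it (excluding proxy), and applies the table's rule that viewing search results requires both Search and Read. The "Default anonymous access" ACI from the section above is used as input; the administrators' ACI and the search-only ACI, including the group DN in them, are constructed for illustration and are not taken from the guide.

```python
import re
from dataclasses import dataclass, field

# Rights named in Table 24. Per the table, "all" expands to read, write, search,
# delete, compare and selfwrite, and never to proxy.
RIGHTS = {"read", "write", "add", "delete", "search", "compare", "selfwrite", "proxy", "all"}
ALL_EXPANDS_TO = {"read", "write", "search", "delete", "compare", "selfwrite"}

# The ACI created at installation, quoted from the section above.
DEFAULT_ACI = ('aci: (targetattr="*")(targetfilter=(o=NetscapeRoot))(version 3.0;\n'
               'acl "Default anonymous access"; allow (read, search) userdn="ldap:///anyone";)')
# Constructed examples (not from the guide): an "all" grant to a hypothetical group, and a
# search-only grant that cannot by itself reveal entry data.
ADMIN_ACI = ('(targetattr="*")(version 3.0; acl "Example admins"; '
             'allow (all) groupdn="ldap:///cn=Directory Administrators,dc=example,dc=com";)')
SEARCH_ONLY_ACI = ('(targetattr="*")(version 3.0; acl "Example search only"; '
                   'allow (search) userdn="ldap:///anyone";)')


@dataclass
class Aci:
    name: str
    targets: dict = field(default_factory=dict)      # keyword -> (operator, value)
    permissions: list = field(default_factory=list)  # (allow|deny, set of rights, bind rule)


def _balanced(s, i):
    """Return the parenthesised group starting at s[i] and the index just after it.
    Assumption: parentheses inside quoted values are balanced (true for the ACIs here)."""
    depth = 0
    for j in range(i, len(s)):
        if s[j] == "(":
            depth += 1
        elif s[j] == ")":
            depth -= 1
            if depth == 0:
                return s[i:j + 1], j + 1
    raise ValueError("unbalanced parentheses in ACI")


_TARGET_RE = re.compile(r"^(targetattr|targetfilter|target)\s*(!?=)\s*(.+)$", re.S)
_HEADER_RE = re.compile(r'^version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;\s*(.*)$', re.S)
_PERM_RE = re.compile(r"(allow|deny)\s*\(([^)]*)\)\s*([^;]*);", re.S)


def parse_aci(text):
    """Split an aci value into target keywords, acl name and allow/deny clauses."""
    text = text.strip()
    if text.lower().startswith("aci:"):
        text = text[4:].strip()
    targets, body, i = {}, None, 0
    while i < len(text) and text[i] == "(":
        group, i = _balanced(text, i)
        inner = group[1:-1].strip()
        m = _TARGET_RE.match(inner)
        if m:
            key, op, val = m.groups()
            targets[key] = (op, val.strip().strip('"'))
        elif inner.startswith("version"):
            body = inner          # the (version 3.0; acl ...; allow/deny ...;) part
            break
        else:
            raise ValueError(f"unexpected ACI component: {group}")
        while i < len(text) and text[i].isspace():
            i += 1
    if body is None:
        raise ValueError("ACI has no (version 3.0; ...) permission body")
    h = _HEADER_RE.match(body)
    if not h:
        raise ValueError("malformed ACI header")
    name, rest = h.groups()
    perms = []
    for kind, rights_text, bind in _PERM_RE.findall(rest):
        rights = {r.strip().lower() for r in rights_text.split(",") if r.strip()}
        unknown = rights - RIGHTS
        if unknown:
            raise ValueError(f"unknown right(s) {sorted(unknown)}; see Table 24")
        perms.append((kind, rights, bind.strip()))
    if not perms:
        raise ValueError("ACI has no allow/deny clause")
    return Aci(name=name, targets=targets, permissions=perms)


def effective_rights(aci):
    """Rights granted by the allow clauses, with "all" expanded as Table 24 defines it."""
    allowed = set()
    for kind, rights, _bind in aci.permissions:
        if kind == "allow":
            for r in rights:
                allowed |= ALL_EXPANDS_TO if r == "all" else {r}
    return allowed


def can_view_search_results(aci):
    """Table 24: seeing the data returned by a search needs both Search and Read."""
    return {"read", "search"} <= effective_rights(aci)


if __name__ == "__main__":
    for value in (DEFAULT_ACI, ADMIN_ACI, SEARCH_ONLY_ACI):
        a = parse_aci(value)
        print(a.name, a.targets, sorted(effective_rights(a)), can_view_search_results(a))
```

Running the script shows that the installation ACI is scoped by targetfilter to (o=NetscapeRoot) and grants read plus search, so anonymous users can see the returned data, while the search-only ACI grants search alone and therefore cannot. The administrators' ACI expands all to the six rights listed in Table 24 and never to proxy.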
240 Managing Access Control