HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

The permissions granted on individual attributes or entries can affect a broad range of actions. For
example, a user must hold several different permissions for even a simple search to succeed, such as the
following ldapsearch operation:
ldapsearch -h host -s base
-b "uid=bkolics,dc=example,dc=com" objectclass=* mail
The following ACI is used to determine whether user bkolics can be granted access:
aci: (targetattr = "mail")(version 3.0; acl "self access to mail";
 allow (read, search) userdn = "ldap:///self";)
The search result list is empty because this ACI grants no search right on the objectclass attribute,
which the filter objectclass=* uses; read access to mail alone is not enough to return the entry.
For the search operation described above to succeed, modify the ACI to allow read and search access
to both the mail and objectclass attributes:
aci: (targetattr = "mail || objectclass")(version 3.0; acl "self access to mail";
 allow (read, search) userdn = "ldap:///self";)
6.3.3.4 Permissions syntax
In an ACI statement, the syntax for permissions is allow|deny (rights). rights is a list of
1 to 8 comma-separated keywords enclosed in parentheses. Valid keywords are read, write,
add, delete, search, compare, selfwrite, proxy, and all (all grants every right except proxy).
In the following example, read, search, and compare access is allowed, provided the bind rule
evaluates to true:
aci: (target="ldap:///dc=example,dc=com") (version 3.0;acl "example";
allow (read, search, compare) bind_rule;)
6.3.3.5 Access control and the modrdn operation
To explicitly deny modrdn rights using ACIs, target the relevant entries but omit the targetattr
keyword. For example, to prevent the cn=helpDeskGroup,ou=groups,o=example.com
group from renaming any entries in the set specified by the pattern
cn=*,ou=people,o=example.com, add the following ACI:
aci: (target="ldap:///cn=*,ou=people,o=example.com")
(version 3.0; acl "Deny modrdn rights to the helpDeskGroup";
deny(write) groupdn="ldap:///cn=helpDeskGroup,ou=groups,o=example.com";)
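The three points made above (a search needs search rights on every attribute its filter uses, a rights list may hold only 1 to 8 of the valid keywords, and an explicit deny on the entry itself blocks modrdn) can be made concrete with a small model of ACI evaluation. The following Python is an added illustration written for this guide's examples; it is not Directory Server code and it simplifies the server's real algorithm. Its assumptions: an ACI with no target clause is treated as covering every entry, an explicit deny overrides any allow, only the userdn = "ldap:///self" and groupdn bind rules are evaluated, and the bind identities and the helpdesk "allow (write)" ACI are constructed for the demonstration (the other three ACIs are the ones quoted on this page).

```python
"""Toy model of Directory Server ACI evaluation (added illustration, not server code).
Assumptions: no target clause = every entry; deny beats allow; only the
userdn="ldap:///self" and groupdn bind rules are understood."""
import re
from fnmatch import fnmatchcase

# Keywords accepted inside allow|deny (rights); the list must hold 1 to 8 of them.
VALID_RIGHTS = {"read", "write", "add", "delete", "search",
                "compare", "selfwrite", "proxy", "all"}
ALL_EXPANDS_TO = VALID_RIGHTS - {"all", "proxy"}      # "all" does not include proxy

TARGET_RE = re.compile(r'\((target|targetattr)\s*(!?=)\s*"([^"]*)"\)\s*')
BODY_RE = re.compile(r'\(version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;\s*'
                     r'(allow|deny)\s*\(([^)]*)\)\s*(.*?)\s*;\s*\)$')
BIND_RE = re.compile(r'(userdn|groupdn)\s*=\s*"ldap:///([^"]*)"')


def parse_rights(text):
    """Validate the comma-separated rights list and return it as a set."""
    rights = [r.strip().lower() for r in text.split(",")]
    if not 1 <= len(rights) <= 8:
        raise ValueError("rights must list 1 to 8 keywords")
    unknown = set(rights) - VALID_RIGHTS
    if unknown:
        raise ValueError("unknown rights: %s" % sorted(unknown))
    result = set(rights)
    if "all" in result:
        result = (result - {"all"}) | ALL_EXPANDS_TO
    return result


def rights_are_valid(text):
    try:
        parse_rights(text)
        return True
    except ValueError:
        return False


def parse_aci(text):
    """Parse the ACI subset used on this page into a dict."""
    text = " ".join(text.split())                     # re-join line-wrapped text
    if text.lower().startswith("aci:"):
        text = text[4:].lstrip()
    targets, pos = {}, 0
    while (m := TARGET_RE.match(text, pos)):          # leading (target...) clauses
        targets[m.group(1)] = (m.group(2), m.group(3))
        pos = m.end()
    body = BODY_RE.match(text, pos)
    if body is None:
        raise ValueError("unrecognised ACI body: " + text[pos:])
    name, effect, rights, bind_rule = body.groups()
    return {"name": name, "effect": effect, "rights": parse_rights(rights),
            "bind_rule": bind_rule, "targets": targets}


def norm(dn):
    """Crude DN normalisation for comparison (case and spacing only)."""
    return dn.replace(" ", "").lower()


def bind_rule_true(rule, bind, entry_dn):
    m = BIND_RE.fullmatch(rule.strip())
    if m is None:
        raise ValueError("unsupported bind rule: " + rule)
    keyword, value = m.groups()
    if keyword == "userdn":                           # "self" = the entry being accessed
        return norm(bind["dn"]) == norm(entry_dn if value == "self" else value)
    return norm(value) in {norm(g) for g in bind["groups"]}


def entry_matches(aci, entry_dn):
    op, pattern = aci["targets"].get("target", ("=", "ldap:///*"))  # assumption: no target = everything
    if pattern.startswith("ldap:///"):
        pattern = pattern[len("ldap:///"):]
    hit = fnmatchcase(norm(entry_dn), norm(pattern))
    return hit if op == "=" else not hit


def attr_matches(aci, attr):
    """attr=None means an entry-level operation such as modrdn."""
    if "targetattr" not in aci["targets"]:
        return True          # no targetattr: covers the entry and all of its attributes
    if attr is None:
        return False         # an attribute-scoped ACI says nothing about entry-level rights
    op, spec = aci["targets"]["targetattr"]
    names = {a.strip().lower() for a in spec.split("||")}
    hit = "*" in names or attr.lower() in names
    return hit if op == "=" else not hit


def permitted(acis, bind, entry_dn, right, attr=None):
    """Default deny; a matching deny ACI wins over any matching allow."""
    allowed = False
    for aci in acis:
        if (right not in aci["rights"] or not entry_matches(aci, entry_dn)
                or not attr_matches(aci, attr)
                or not bind_rule_true(aci["bind_rule"], bind, entry_dn)):
            continue
        if aci["effect"] == "deny":
            return False
        allowed = True
    return allowed


def search_result(acis, bind, entry_dn, filter_attrs, requested_attrs):
    """Model of the ldapsearch above: the entry is returned only if the bound user has
    'search' on every filter attribute; of the requested attributes only those with
    'read' are shown. None models an empty result list."""
    if not all(permitted(acis, bind, entry_dn, "search", a) for a in filter_attrs):
        return None
    return [a for a in requested_attrs if permitted(acis, bind, entry_dn, "read", a)]


# The three ACIs quoted on this page, plus one hypothetical allow to show deny winning.
ACI_MAIL_ONLY = '''aci: (targetattr = "mail")(version 3.0; acl "self access to
mail"; allow (read, search) userdn = "ldap:///self";)'''
ACI_MAIL_AND_OBJECTCLASS = '''aci: (targetattr = "mail || objectclass")(version 3.0; acl "self
access to mail"; allow (read, search) userdn = "ldap:///self";)'''
ACI_DENY_MODRDN = '''aci: (target="ldap:///cn=*,ou=people,o=example.com")
(version 3.0; acl "Deny modrdn rights to the helpDeskGroup";
deny(write) groupdn="ldap:///cn=helpDeskGroup,ou=groups,o=example.com";)'''
ACI_HELPDESK_WRITE = '''aci: (target="ldap:///cn=*,ou=people,o=example.com")
(version 3.0; acl "hypothetical helpdesk write";
allow (write) groupdn="ldap:///cn=helpDeskGroup,ou=groups,o=example.com";)'''

# Constructed bind identities (not from the guide).
BKOLICS = {"dn": "uid=bkolics,dc=example,dc=com", "groups": []}
HELPDESK_USER = {"dn": "uid=hd1,ou=people,o=example.com",
                 "groups": ["cn=helpDeskGroup,ou=groups,o=example.com"]}

if __name__ == "__main__":
    who, dn = BKOLICS, BKOLICS["dn"]
    print(search_result([parse_aci(ACI_MAIL_ONLY)], who, dn, ["objectclass"], ["mail"]))            # None
    print(search_result([parse_aci(ACI_MAIL_AND_OBJECTCLASS)], who, dn, ["objectclass"], ["mail"]))  # ['mail']
    print(permitted([parse_aci(ACI_HELPDESK_WRITE), parse_aci(ACI_DENY_MODRDN)], HELPDESK_USER,
                    "cn=jdoe,ou=people,o=example.com", "write"))                                     # False
```

Run stand-alone, the first call models the empty result list from the mail-only ACI, the second the successful search once objectclass is added to targetattr, and the third shows that the deny(write) ACI with no targetattr blocks the entry-level write even when another ACI grants it to the same group.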
6.4 Bind rules
Depending on the ACIs defined for the directory, certain operations require you to bind to the
directory first. Binding means logging in or authenticating yourself to the directory by providing
credentials (a bind DN and password for a simple bind, or a client certificate for SSL client
authentication). The credentials provided in the bind operation and the circumstances of the bind
determine whether access to the directory is allowed or denied.
Every permission set in an ACI has a corresponding bind rule that details the required credentials
and bind parameters.
Bind rules can be simple, such as requiring that the person accessing the directory belong to a
specific group. Bind rules can also be more complex, such as requiring that a person belong
to a specific group, log in from a machine with a specific IP address, and access the directory
only between 8 a.m. and 5 p.m.
Bind rules define who can access the directory, when, and from where by defining any of the
following:
Users, groups, and roles that are granted access.
Locations from which an entity must bind.
Times or days on which binding must occur.
Types of authentication that must be in use during binding.
242 Managing Access Control