HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

Table 26 userdn keyword examples (continued)

Row continued from the previous page (scenario and example cells are on that page):
Description: For example, if you want to grant read access to the entire tree to all authenticated users, you would create the following ACI on the dc=example,dc=com node:
    aci:(version 3.0; acl "all-read"; allow (read) userdn="ldap:///all";)

Scenario: Userdn keyword containing the anyone keyword
Example: userdn = "ldap:///anyone";
Description: The bind rule is evaluated to be true for anyone; use this keyword to provide anonymous access to your directory. For example, if you want to allow anonymous read and search access to the entire example.com tree, you would create the following ACI on the dc=example,dc=com node:
    aci: (version 3.0; acl "anonymous-read-search"; allow (read,search) userdn = "ldap:///anyone";)

Scenario: Userdn keyword containing the parent keyword
Example: userdn = "ldap:///parent";
Description: The bind rule is evaluated to be true if the bind DN is the parent of the targeted entry. For example, if you want to grant write access to every user's child entries, you would create the following ACI on the dc=example,dc=com node:
    aci:(version 3.0; acl "parent access"; allow (write) userdn="ldap:///parent";)
6.4.3 Defining group access - groupdn keyword
Members of a specific group can access a targeted resource. This is known as group access.
Group access is defined using the groupdn keyword to specify that access to a targeted entry is
granted or denied if the user binds using a DN that belongs to a specific group.
Group membership can be determined based on the user's DN or by using an LDAP filter to search
for group members.
The groupdn keyword requires one or more valid distinguished names in the following format:
groupdn="ldap:///dn [|| ldap:///dn]...[|| ldap:///dn]"
The bind rule is evaluated to be true if the bind DN belongs to the named group.
NOTE:
If a DN contains a comma, the comma must be escaped by a backslash (\).
The groupdn keyword can also be expressed with an LDAP filter:
groupdn="ldap:///suffix??scope?(filter)"
With more complex groupdn syntax, the value of each groupdn expression is still a single LDAP URL.
Multiple groupdn expressions can be grouped together within parentheses and joined with the "or" and "and" connectors
to define additional conditions on the group membership. For example:
(groupdn = "ldap:///ou=Groups, dc=example,dc=com??sub?(cn=*s_0)" or
groupdn = "ldap:///ou=Groups,dc=example,dc=com??sub?(cn=*s_1)") and
groupdn = "ldap:///ou=Groups, dc=example,dc=com??sub?(cn=*s_2)"
When stringing multiple groupdn URLs together within one value, the keyword uses pipes (||) to separate the URLs:
groupdn = "LDAPURL0 || LDAPURL1 || LDAPURL2"
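The following Python model shows how a groupdn bind rule of either form above (a pipe-separated list of ldap:///dn URLs, or an ldap:///suffix??scope?(filter) search URL) is resolved to a set of groups and then checked against the bind DN. It is an added example written for this page, not HP-UX Directory Server code: GROUPS is a constructed in-memory stand-in for the group entries a real server would search, the filter parser handles only a single (attr=value) term with * wildcards, and the "or"/"and" connectors between groupdn expressions are not modelled.

```python
# Added example, not HP-UX Directory Server code. GROUPS stands in for real
# group entries; only the ldap:///dn and ldap:///suffix??scope?(filter) forms
# are parsed, with a single-term filter; or/and connectors are not modelled.
import fnmatch
import re

# Constructed group entries under ou=Groups,dc=example,dc=com: cn plus member DNs.
GROUPS = {
    "cn=Accounting Managers,ou=Groups,dc=example,dc=com": {
        "cn": "Accounting Managers",
        "member": {"uid=bjensen,ou=People,dc=example,dc=com"},
    },
    "cn=HR Managers,ou=Groups,dc=example,dc=com": {
        "cn": "HR Managers",
        "member": {"uid=jdoe,ou=People,dc=example,dc=com"},
    },
    "cn=Directory Administrators,ou=Groups,dc=example,dc=com": {
        "cn": "Directory Administrators",
        "member": {"uid=bjensen,ou=People,dc=example,dc=com",
                   "uid=aadmin,ou=People,dc=example,dc=com"},
    },
}


def normalize_dn(dn):
    """Case-fold a DN and drop whitespace after unescaped commas, so that
    'ou=Groups, dc=example,dc=com' equals 'ou=groups,dc=example,dc=com'.
    A backslash-escaped comma (\\,) belongs to an RDN value and is kept."""
    return re.sub(r"(?<!\\),\s*", ",", dn.strip()).lower()


def split_dn(dn):
    """Split a normalised DN into its RDNs on unescaped commas."""
    return re.split(r"(?<!\\),", dn)


def parse_ldap_url(url):
    """Return (dn, None, None) for ldap:///dn, or (suffix, scope, filter) for
    ldap:///suffix??scope?(filter); anything else raises ValueError."""
    url = url.strip()
    if not url.startswith("ldap:///"):
        raise ValueError("groupdn URL must start with ldap:///: %r" % url)
    parts = url[len("ldap:///"):].split("?", 3)
    if len(parts) == 1:
        return normalize_dn(parts[0]), None, None
    if len(parts) != 4:
        raise ValueError("expected ldap:///suffix??scope?(filter): %r" % url)
    suffix, _attrs, scope, filt = parts
    scope = (scope or "base").lower()
    if scope not in ("base", "one", "sub"):
        raise ValueError("unknown scope %r" % scope)
    return normalize_dn(suffix), scope, filt


def in_scope(entry_dn, suffix, scope):
    """True if entry_dn lies under suffix at LDAP scope base, one or sub."""
    entry, base = split_dn(entry_dn), split_dn(suffix)
    if len(entry) < len(base) or entry[-len(base):] != base:
        return False
    depth = len(entry) - len(base)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


def filter_matches(entry, filt):
    """Evaluate one equality filter such as (cn=*s_0); '*' is a wildcard."""
    m = re.fullmatch(r"\((\w+)=([^()]*)\)", filt.strip())
    if not m:
        raise ValueError("unsupported filter %r" % filt)
    attr, pattern = m.group(1).lower(), m.group(2).lower()
    value = entry.get(attr)
    return value is not None and fnmatch.fnmatchcase(value.lower(), pattern)


def groups_named_by(groupdn_value, groups=GROUPS):
    """Resolve a groupdn value (URLs separated by ||) to the set of normalised
    group DNs it names."""
    named = set()
    for url in groupdn_value.split("||"):
        dn, scope, filt = parse_ldap_url(url)
        for group_dn, entry in groups.items():
            gdn = normalize_dn(group_dn)
            if scope is None:
                if gdn == dn:
                    named.add(gdn)
            elif in_scope(gdn, dn, scope) and filter_matches(entry, filt):
                named.add(gdn)
    return named


def groupdn_bind_rule(groupdn_value, bind_dn, groups=GROUPS):
    """True if the bind DN is a member of any group the groupdn value names.
    An anonymous bind (empty DN) never satisfies a groupdn bind rule."""
    if not bind_dn:
        return False
    bind = normalize_dn(bind_dn)
    members = {normalize_dn(g): {normalize_dn(m) for m in e["member"]}
               for g, e in groups.items()}
    return any(bind in members[g] for g in groups_named_by(groupdn_value, groups))
```

Usage: groupdn_bind_rule('ldap:///cn=Accounting Managers,ou=Groups,dc=example,dc=com || ldap:///cn=HR Managers,ou=Groups,dc=example,dc=com', 'uid=bjensen,ou=People,dc=example,dc=com') returns True, while the same rule returns False for uid=aadmin, who is only in Directory Administrators. Two points worth noting when reviewing real ACIs: DN comparison is normalised (case and the space after a comma do not matter, but an escaped comma stays part of the value), and a filtered URL such as ldap:///ou=Groups,dc=example,dc=com??sub?(cn=* Managers) names every group whose cn matches the wildcard, so a broad filter can silently grant access through groups created later.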