HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

dn: cn=Trojan Horse,ou=Human Resources,dc=example,dc=com
objectclass: top
...
cn: Trojan Horse
manager: cn=Joe,ou=eng,dc=example,dc=com
To avoid this type of security threat, the ACI evaluation process never grants add permission at
level 0, that is, on the entry being added itself. You can, however, use the parent keyword to grant
add rights below existing entries; you must specify the number of levels below the parent for which
add rights apply. For example, the following ACI allows child entries to be added to any entry in
the dc=example,dc=com subtree whose manager attribute matches the bind DN:
aci: (target="ldap:///dc=example,dc=com")(targetattr=*)
(version 3.0; acl "parent-access"; allow (add)
userattr = "parent[0,1].manager#USERDN";)
This ACI ensures that add permission is granted only to users whose bind DN matches the manager
attribute of the parent entry.
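As an added illustration (not code from the guide or from Directory Server), the following Python toy models how a userattr = "parent[0,1].manager#USERDN" rule is evaluated for an add: the entry being added (level 0) is never consulted, so the Trojan Horse entry above is rejected even though its own manager value names the bind DN, while an add below an existing entry whose manager attribute names the bind DN succeeds. The directory contents, the DN helpers and the simplified DN handling (no escaped commas) are assumptions of this example.

```python
def normalize_dn(dn: str) -> str:
    """Lower-case and strip spaces around each RDN so DNs compare reliably."""
    rdns = [rdn.strip() for rdn in dn.split(",")]  # assumes no escaped commas
    return ",".join("=".join(p.strip().lower() for p in rdn.split("=", 1))
                    for rdn in rdns)

def ancestor_at(dn: str, level: int) -> str:
    """DN `level` RDNs above dn (level 0 is dn itself)."""
    rdns = [r.strip() for r in dn.split(",")]
    if level >= len(rdns):
        raise ValueError("no entry that many levels up")
    return normalize_dn(",".join(rdns[level:]))

def add_allowed(directory, new_dn, new_entry, bind_dn, levels, attr="manager"):
    """Evaluate userattr = "parent[levels].attr#USERDN" for an add of new_dn."""
    bind = normalize_dn(bind_dn)
    for level in levels:
        if level == 0:
            # Level 0 is the entry being added. Its attributes come from the
            # client, so add is never granted on them: new_entry is ignored.
            continue
        try:
            entry = directory.get(ancestor_at(new_dn, level))
        except ValueError:
            continue
        if entry and bind in {normalize_dn(v) for v in entry.get(attr, [])}:
            return True
    return False

# Constructed directory (not from the guide): two OUs with different managers.
JOE = "cn=Joe,ou=eng,dc=example,dc=com"
DIRECTORY = {
    normalize_dn("ou=Human Resources,dc=example,dc=com"):
        {"manager": ["cn=Jane,ou=Human Resources,dc=example,dc=com"]},
    normalize_dn("ou=eng,dc=example,dc=com"): {"manager": [JOE]},
}

def trojan_horse_rejected() -> bool:
    """Joe names himself as manager inside the entry he tries to add under HR."""
    entry = {"objectclass": ["top"], "cn": ["Trojan Horse"], "manager": [JOE]}
    return not add_allowed(DIRECTORY, "cn=Trojan Horse,ou=Human Resources,dc=example,dc=com",
                           entry, JOE, levels=(0, 1))

def add_under_own_ou_allowed() -> bool:
    """Adding below ou=eng, whose existing manager attribute names Joe, succeeds."""
    entry = {"objectclass": ["top"], "cn": ["Build Host"]}
    return add_allowed(DIRECTORY, "cn=Build Host,ou=eng,dc=example,dc=com",
                       entry, JOE, levels=(0, 1))
```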
6.4.6 Defining access from a specific IP address
NOTE:
Directory Server supports both IPv4 and IPv6 IP addresses.
Using bind rules, you can indicate that the bind operation must originate from a specific IP address.
This is often used to force all directory updates to occur from a given machine or network domain.
The LDIF syntax for setting a bind rule based on an IP address is as follows:
ip = "IP_address" or ip != "IP_address"
The IP address must be expressed in dot notation. You can use the wildcard character (*) to include
multiple machines. For example, the following string is valid:
ip = "12.123.1.*";
The bind rule is evaluated to be true if the client accessing the directory is located at the named
IP address. This can be useful for allowing certain kinds of directory access only from a specific
subnet or machine.
For example, a wildcard address such as 12.3.45.* specifies a particular subnetwork, and
123.45.6.*+255.255.255.115 specifies a subnetwork together with its mask.
From the Directory Server Console, you can define specific machines to which the ACI applies
through the Access Control Editor. For more information, see “Creating ACIs from the console”
(page 254).
6.4.7 Defining access from a specific domain
A bind rule can specify that the bind operation must originate from a particular domain or host
machine. This is often used to force all directory updates to occur from a given machine or network
domain.
The LDIF syntax for setting a bind rule based on the DNS host name is as follows:
dns = "DNS_Hostname" or dns != "DNS_Hostname"
CAUTION:
The dns keyword requires that the naming service used on your machine is DNS. If the name
service is not DNS, use the ip keyword instead.
The dns keyword requires a fully qualified DNS domain name. Granting access to a host without
specifying the domain creates a potential security threat. For example, the following expression is
allowed but not recommended:
dns = "legend.eng";
6.4 Bind rules 251