HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

1. In the Directory tab, right-click the Social Committee entry under the example.com node in the left navigation tree, and choose Set Access Permissions from the pop-up menu to display the Access Control Manager.
2. Click New to display the Access Control Editor.
3. In the Users/Groups tab, in the ACI name field, type Create Group. In the list of users granted access permission, do the following:
a. Select and remove All Users, then click Add. The Add Users and Groups dialog box opens.
b. Set the Search area to Special Rights, and select All Authenticated Users from the search results list.
c. Click the Add button to list All Authenticated Users in the list of users who are granted access permission.
d. Click OK to dismiss the Add Users and Groups dialog box.
4. In the Rights tab, select the checkbox for add. Make sure the other checkboxes are clear.
5. In the Targets tab, click This Entry to display the ou=social committee,dc=example,dc=com suffix in the Target directory entry field.
6. In the Hosts tab, click Add to display the Add Host Filter dialog box. In the DNS host filter field, type *.example.com. Click OK to dismiss the dialog box.
7. To create the value-based filter that allows employees to add only group entries to this subtree, click the Edit Manually button. Add the following to the beginning of the LDIF statement:
(targattrfilters="add=objectClass:(objectClass=groupOfNames)")
The LDIF statement should read as follows:
(targattrfilters="add=objectClass:(objectClass=groupOfNames)")
(targetattr = "*") (target="ldap:///ou=social committee,dc=example,dc=com")
(version 3.0; acl "Create Group"; allow (read,search,add)
(userdn= "ldap:///all") and (dns="*.example.com"); )
8. Click OK.
The new ACI is added to the ones listed in the Access Control Manager window.
6.9.5.2 ACI "Delete Group"
In LDIF, to grant example.com employees the right to modify or delete a group entry that they own under the ou=Social Committee branch, write the following statement:
aci: (target="ldap:///ou=social committee,dc=example,dc=com")
(targattrfilters="del=objectClass:(objectClass=groupOfNames)")
(version 3.0; acl "Delete Group"; allow (delete) userattr="owner#GROUPDN";)
This example assumes that the aci is added to the ou=social committee,dc=example,dc=com entry.
NOTE:
Using the Console is not an effective way of creating this ACI because it requires manually editing
the ACI to create the target filter and to check group ownership.
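Because both the "Create Group" and "Delete Group" ACIs are meant to live on the ou=social committee,dc=example,dc=com entry, and the Delete Group ACI cannot be built comfortably in the Console, the usual way to apply them is one ldapmodify input file. The following LDIF is an added example and is not from the guide; it assumes you bind as the directory manager (cn=Directory Manager is an assumed bind DN) and that the entry already exists. Continuation lines use two leading spaces: LDIF strips the first as the fold marker and keeps the second, so the joined ACI keeps a space between its clauses.

```ldif
# Added example (not from the HP-UX Directory Server guide).
# Apply with (assumed bind DN, -W prompts for the password):
#   ldapmodify -x -D "cn=Directory Manager" -W -f social_committee_aci.ldif
dn: ou=social committee,dc=example,dc=com
changetype: modify
add: aci
aci: (targattrfilters="add=objectClass:(objectClass=groupOfNames)")
  (targetattr = "*") (target="ldap:///ou=social committee,dc=example,dc=com")
  (version 3.0; acl "Create Group"; allow (read,search,add)
  (userdn= "ldap:///all") and (dns="*.example.com"); )
-
add: aci
aci: (target="ldap:///ou=social committee,dc=example,dc=com")
  (targattrfilters="del=objectClass:(objectClass=groupOfNames)")
  (version 3.0; acl "Delete Group"; allow (delete) userattr="owner#GROUPDN";)
```

To confirm what the server actually stored, read the aci attribute back with a base-scope search on the same entry (for example `ldapsearch -x -D "cn=Directory Manager" -W -b "ou=social committee,dc=example,dc=com" -s base "(objectclass=*)" aci`). Note that for the Delete Group ACI to ever match, each group entry under the branch must carry an owner attribute whose value is the DN of a group, and the bind DN must be a member of that group; entries without an owner value are not deletable through this rule.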
6.9.6 Granting conditional access to a group or role
When you grant a group or role privileged access to the directory, you usually want to ensure that those privileges are protected from intruders trying to impersonate your privileged users. Therefore, access control rules that grant critical access to a group or role are often associated with a number of conditions.
example.com has created a directory administrator role for each of its hosted companies,
HostedCompany1 and HostedCompany2. It wants these companies to be able to manage their
6.9 Access control usage examples 279