HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

own data and implement their own access control rules while securing it against intruders. For this
reason, HostedCompany1 and HostedCompany2 have full rights on their respective branches
of the directory tree, provided the following conditions are fulfilled:
• Connection authenticated using SSL
• Access requested between 8 a.m. and 6 p.m., Monday through Thursday
• Access requested from a specified IP address for each company
These conditions are illustrated in a single ACI for each company, HostedCompany1 and
HostedCompany2. Because the content of these ACIs is the same, the examples below illustrate
the HostedCompany1 ACI only.
6.9.6.1 ACI "HostedCompany1"
In LDIF, to grant HostedCompany1 full access to their own branch of the directory under the
conditions stated above, write the following statement:
aci: (target="ldap:///ou=HostedCompany1,ou=corporate-clients,dc=example,dc=com")
  (targetattr="*") (version 3.0; acl "HostedCompany1"; allow (all)
  (roledn="ldap:///cn=DirectoryAdmin,ou=HostedCompany1,ou=corporate-clients,dc=example,dc=com") and
  (authmethod="ssl") and (dayofweek="Mon,Tue,Wed,Thu") and
  (timeofday >= "0800" and timeofday <= "1800") and (ip="255.255.123.234"); )
This example assumes that the ACI is added to the
ou=HostedCompany1,ou=corporate-clients,dc=example,dc=com entry.
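The Python model below is an added example, not code from this guide or from Directory Server. It shows how the bind rule of the HostedCompany1 ACI combines its conditions, so the role, SSL, day, time and IP boundaries can be checked against constructed connections. The names failed_conditions, BIND_RULE, ADMIN_ROLE and GOOD are hypothetical, and the model assumes conditions joined only by "and", an exact IP match, and DNs compared as lowercased strings.

```python
import ipaddress
import operator
import re
from datetime import datetime

# Bind rule of the "HostedCompany1" ACI (the part after "allow (all)"), on one line.
BIND_RULE = (
    '(roledn="ldap:///cn=DirectoryAdmin,ou=HostedCompany1,'
    'ou=corporate-clients,dc=example,dc=com") and (authmethod="ssl") and '
    '(dayofweek="Mon,Tue,Wed,Thu") and '
    '(timeofday >= "0800" and timeofday <= "1800") and (ip="255.255.123.234")'
)
ADMIN_ROLE = "cn=DirectoryAdmin,ou=HostedCompany1,ou=corporate-clients,dc=example,dc=com"

COND = re.compile(r'(\w+)\s*(>=|<=|!=|=|>|<)\s*"([^"]*)"')
OPS = {"=": operator.eq, "!=": operator.ne, ">=": operator.ge,
       "<=": operator.le, ">": operator.gt, "<": operator.lt}
DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]  # datetime.weekday() order


def failed_conditions(rule, conn):
    """Return the bind-rule keywords `conn` fails ([] means allow). Simplified:
    only "and", exact IP match, DNs compared as lowercased strings."""
    if re.search(r"\b(or|not)\b", re.sub(r'"[^"]*"', "", rule), re.I):
        raise ValueError("only AND-ed conditions are modelled")
    when, failed = conn["when"], []
    for key, op, val in COND.findall(rule):
        key = key.lower()
        if key == "roledn":
            roles = {r.lower() for r in conn["roles"]}
            ok = val.lower().replace("ldap:///", "", 1) in roles
        elif key == "authmethod":
            ok = OPS[op](conn["authmethod"].lower(), val.lower())
        elif key == "dayofweek":
            ok = DAYS[when.weekday()] in [d.strip().lower() for d in val.split(",")]
        elif key == "timeofday":  # compared as a 24-hour HHMM number
            ok = OPS[op](when.hour * 100 + when.minute, int(val))
        elif key == "ip":  # ipaddress accepts IPv4 and IPv6 literals
            ok = OPS[op](ipaddress.ip_address(conn["ip"]), ipaddress.ip_address(val))
        else:
            raise ValueError(f"keyword not modelled: {key}")
        if not ok:
            failed.append(key)
    return failed

# Constructed connection: Monday 6 May 2013, 09:30, over SSL, from the allowed host.
GOOD = {"roles": {ADMIN_ROLE}, "authmethod": "ssl",
        "when": datetime(2013, 5, 6, 9, 30), "ip": "255.255.123.234"}
```

Varying one field of GOOD at a time (a Friday date, 18:01, authmethod "simple", another IP, no role) shows which condition alone is enough to deny the request.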
From the Console, set this permission by doing the following:
1. In the Directory tab, right-click the HostedCompany1 entry under the example.com node
in the left navigation tree, and choose Set Access Permissions from the pop-up menu to display
the Access Control Manager.
2. Click New to display the Access Control Editor.
3. In the Users/Groups tab, type HostedCompany1 in the ACI name field. In the list of users
   granted access permission, do the following:
   a. Select and remove All Users, then click Add.
      The Add Users and Groups dialog box opens.
   b. Set the Search area to Users and Groups, and type DirectoryAdmin in the Search
      For field.
      This example assumes that you have created an administrators role with a cn of
      DirectoryAdmin.
   c. Click the Add button to list the administrators role in the list of users who are granted
      access permission.
   d. Click OK to dismiss the Add Users and Groups dialog box.
4. In the Rights tab, click the Check All button.
5. In the Targets tab, click This Entry to display the
ou=HostedCompany1,ou=corporate-clients,dc=example,dc=com suffix in the
Target directory entry field.
6. In the Hosts tab, click Add to display the Add Host Filter dialog box. In the IP address host
filter field, type 255.255.123.234. Click OK.
The IP address must be a valid IP address for the host machine that the HostedCompany1
administrators use to connect to the example.com directory.
NOTE:
Directory Server supports both IPv4 and IPv6 IP addresses.