HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)
7. In the Times tab, select the block time corresponding to Monday through Thursday and 8 a.m.
to 6 p.m.
A message appears below the table that specifies the selected time block.
8. To enforce SSL authentication from HostedCompany1 administrators, switch to manual editing
by clicking the Edit Manually button. Add the following to the end of the LDIF statement:
and (authmethod="ssl")
The LDIF statement should be similar to the following:
aci: (targetattr = "*") (target="ou=HostedCompany1,ou=corporate-clients,dc=example,dc=com")
(version 3.0; acl "HostedCompany1"; allow (all) (roledn=
"ldap:///cn=DirectoryAdmin,ou=HostedCompany1,ou=corporate-clients, dc=example,dc=com")
and (dayofweek="Mon,Tues,Wed,Thu") and (timeofday >= "0800" and timeofday <= "1800")
and (ip="255.255.123.234") and (authmethod="ssl"); )
9. Click OK.
The new ACI is added to the ones listed in the Access Control Manager window.
6.9.7 Denying access
If your directory holds business-critical information, it may be necessary to specifically deny access
to it.
For example, example.com wants all subscribers to be able to read billing information such as
connection time or account balance under their own entries but explicitly wants to deny write
access to that information. This is illustrated in “ACI "Billing Info Read"” (page 281) and “ACI
"Billing Info Deny"” (page 282), respectively.
6.9.7.1 ACI "Billing Info Read"
In LDIF, to grant subscribers permission to read billing information in their own entry, write the
following statement:
aci: (targetattr="connectionTime || accountBalance") (version
3.0; acl "Billing Info Read"; allow (search,read) userdn=
"ldap:///self";)
This example assumes that the relevant attributes have been created in the schema and that the
ACI is added to the ou=subscribers,dc=example,dc=com entry.
From the Console, set this permission by doing the following:
1. In the Directory tab, right-click the Subscribers entry under the example.com node in the
left navigation tree, and choose Set Access Permissions from the pop-up menu to display the
Access Control Manager.
2. Click New to display the Access Control Editor.
3. In the Users/Groups tab, in the ACI name field, type Billing Info Read. In the list of
users granted access permission, do the following:
a. Select and remove All Users, then click Add.
The Add Users and Groups dialog box opens.
b. Set the Search area in the Add Users and Groups dialog box to Special Rights, and
select Self from the search results list.
c. Click the Add button to list Self in the list of users who are granted access permission.
d. Click OK to dismiss the Add Users and Groups dialog box.
4. In the Rights tab, select the checkboxes for search and read rights. Make sure the other
checkboxes are clear.
6.9 Access control usage examples 281