HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

NOTE:
Because search filters do not directly name the object for which you are managing access, it is
easy to allow or deny access to the wrong objects unintentionally, especially as your directory
becomes more complex. Additionally, filters can make it difficult to troubleshoot access control
problems within your directory.
For example, the following ACI identifies its target by filter rather than by name. The
targetfilter selects entries whose uid is bjensen, and the userdn bind rule matches any user
whose entry sits directly under ou=accounting. As written, it therefore grants every member
of the accounting organization write access to the departmentNumber, homePhone,
homePostalAddress and manager attributes of bjensen's entry. To grant bjensen write access to
those attributes on the accounting members' entries instead, bjensen's DN belongs in the
userdn bind rule and the accounting entries in the target; check which side of the ACI each
DN ends up on before you apply it.
aci: (targetattr="departmentNumber || homePhone || homePostalAddress || manager")
 (targetfilter="(uid=bjensen)") (version 3.0; acl "Filtered ACL"; allow (write)
 userdn="ldap:///cn=*,ou=accounting,dc=example,dc=com";)
Before you can set these permissions, you must create the accounting branch point
(ou=accounting,dc=example,dc=com). You can create organizational unit branch points in
the Directory tab of the Directory Server Console.
6.9.9 Allowing users to add or remove themselves from a group
Many directories set ACIs that allow users to add or remove themselves from groups. This is useful,
for example, for allowing users to add and remove themselves from mailing lists.
At example.com, employees can add themselves to any group entry under the ou=social
committee subtree. This is illustrated in ACI "Group Members" (page 283).
6.9.9.1 ACI "Group Members"
In LDIF, to grant example.com employees the right to add or delete themselves from a group,
write the following statement:
aci: (targetattr="member")(version 3.0; acl "Group Members"; allow (selfwrite)
 (userdn="ldap:///uid=*,ou=example-people,dc=example,dc=com");)
This example assumes that the ACI is added to the ou=social committee,dc=example,dc=com
entry, so it applies to every group entry beneath it. The selfwrite right lets the bound user
add or remove only its own DN as a value of the member attribute; it does not allow adding or
removing other users.
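The following Python script is an added example; it is not part of this guide and not the server's own access-control code. It models just enough of ACI evaluation (target scope, targetattr, a single equality targetfilter, a userdn bind rule with wildcards, and the difference between write and selfwrite) to show what the two ACIs on this page actually grant: the "Filtered ACL" from the note above, whose filter and bind rule are easily confused, and the "Group Members" selfwrite rule. The sample entries, the bind DNs and the placement of the "Filtered ACL" on the dc=example,dc=com suffix are constructed assumptions.

```python
"""Model of how the two ACIs on this page are evaluated (added example, not the
product's own ACI evaluator). Entries, bind DNs and the placement of the
"Filtered ACL" on the suffix are constructed assumptions."""
import re
from dataclasses import dataclass

# Parses the subset of ACI syntax used on this page: one targetattr list, an
# optional single equality targetfilter, one allow clause, one userdn bind rule.
ACI_RE = re.compile(
    r'\(targetattr="(?P<attrs>[^"]+)"\)'
    r'(?:\s*\(targetfilter="\((?P<fattr>[^=]+)=(?P<fval>[^)]+)\)"\))?'
    r'\s*\(version 3\.0;\s*acl "(?P<name>[^"]+)";\s*allow \((?P<rights>[^)]+)\)'
    r'\s*\(?userdn\s*=\s*"ldap:///(?P<dn>[^"]+)"\)?\s*;\)'
)

@dataclass
class Aci:
    name: str
    placed_on: str        # entry whose aci attribute carries this ACI
    target_attrs: set     # lower-cased attribute names from targetattr
    target_filter: tuple  # (attr, value) equality filter, or None
    rights: set
    userdn: str           # bind-rule pattern, '*' standing for one RDN value

def norm_dn(dn):
    """Lower-case a DN and drop whitespace around its RDN separators."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def dn_glob_match(pattern, dn):
    """Match a userdn pattern such as cn=*,ou=accounting,... against a bind DN."""
    regex = re.escape(norm_dn(pattern)).replace(r"\*", r"[^,]*")
    return re.fullmatch(regex, norm_dn(dn)) is not None

def in_scope(aci_entry_dn, entry_dn):
    """An ACI applies to the entry it is set on and to everything beneath it."""
    a, e = norm_dn(aci_entry_dn), norm_dn(entry_dn)
    return e == a or e.endswith("," + a)

def parse_aci(placed_on, text):
    m = ACI_RE.search(text)
    if not m:
        raise ValueError("unsupported ACI syntax: " + text)
    flt = (m["fattr"].strip().lower(), m["fval"].strip().lower()) if m["fattr"] else None
    return Aci(m["name"], placed_on,
               {a.strip().lower() for a in m["attrs"].split("||")},
               flt, {r.strip() for r in m["rights"].split(",")}, m["dn"])

def allows(aci, bind_dn, entry, attr, value):
    """Would this ACI let bind_dn write `value` to `attr` of `entry`?
    Entries are dicts with a 'dn' key and lower-cased attribute names.
    'write' covers any value; 'selfwrite' only the bind DN itself."""
    if not in_scope(aci.placed_on, entry["dn"]):
        return False
    if attr.lower() not in aci.target_attrs:
        return False
    if aci.target_filter:
        fattr, fval = aci.target_filter
        if fval not in [v.lower() for v in entry.get(fattr, [])]:
            return False
    if not dn_glob_match(aci.userdn, bind_dn):
        return False
    if "write" in aci.rights:
        return True
    return "selfwrite" in aci.rights and norm_dn(value) == norm_dn(bind_dn)

# The two ACIs from this page (the typo in the original targetattr corrected).
FILTERED_ACL = parse_aci("dc=example,dc=com",  # placement is an assumption
    'aci: (targetattr="departmentNumber || homePhone || homePostalAddress || manager") '
    '(targetfilter="(uid=bjensen)") (version 3.0; acl "Filtered ACL"; allow (write) '
    'userdn ="ldap:///cn=*,ou=accounting, dc=example,dc=com";)')
GROUP_MEMBERS = parse_aci("ou=social committee,dc=example,dc=com",
    'aci: (targetattr="member")(version 3.0; acl "Group Members"; allow (selfwrite) '
    '(userdn= "ldap:///uid=*,ou=example-people,dc=example,dc=com") ;)')

# Constructed sample entries.
BJENSEN = {"dn": "uid=bjensen,ou=example-people,dc=example,dc=com",
           "uid": ["bjensen"], "departmentnumber": ["1234"]}
KLEE = {"dn": "cn=Kim Lee,ou=accounting,dc=example,dc=com",
        "uid": ["klee"], "departmentnumber": ["2100"]}
SOFTBALL = {"dn": "cn=Softball,ou=social committee,dc=example,dc=com", "member": []}

def filtered_acl_outcomes():
    """Who can write departmentNumber on whom under "Filtered ACL"?"""
    return {
        "accounting user -> bjensen's entry":
            allows(FILTERED_ACL, KLEE["dn"], BJENSEN, "departmentNumber", "1234"),
        "bjensen -> accounting user's entry":
            allows(FILTERED_ACL, BJENSEN["dn"], KLEE, "departmentNumber", "1234"),
    }

def group_members_outcomes():
    """What the selfwrite bind rule permits on the softball group's member attribute."""
    return {
        "bjensen adds own DN":
            allows(GROUP_MEMBERS, BJENSEN["dn"], SOFTBALL, "member", BJENSEN["dn"]),
        "bjensen adds klee's DN":
            allows(GROUP_MEMBERS, BJENSEN["dn"], SOFTBALL, "member", KLEE["dn"]),
        "klee (outside ou=example-people) adds own DN":
            allows(GROUP_MEMBERS, KLEE["dn"], SOFTBALL, "member", KLEE["dn"]),
        "bjensen writes member on an entry outside the ACI's scope":
            allows(GROUP_MEMBERS, BJENSEN["dn"], BJENSEN, "member", BJENSEN["dn"]),
    }

if __name__ == "__main__":
    for label, ok in {**filtered_acl_outcomes(), **group_members_outcomes()}.items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {label}")
```

Running the script prints one ALLOW or DENY line per case: the "Filtered ACL" lets an accounting user modify bjensen's entry and denies bjensen the accounting user's entry, and "Group Members" permits only a user under ou=example-people adding or removing their own DN on a group beneath ou=social committee. A real server combines every ACI in scope, including deny rules and the default deny, so confirm production ACIs by attempting the modification while bound as the user (or with the Get Effective Rights control, where the server supports it) rather than by reading the ACI alone.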
From the Console, set this permission by doing the following:
1. In the Directory tab, right-click the example-people entry under the example.com node
in the left navigation tree, and choose Set Access Permissions from the pop-up menu to display
the Access Control Manager.
2. Click New to display the Access Control Editor.
3. In the Users/Groups tab, in the ACI name field, type Group Members. In the list of users
granted access permission, do the following:
a. Select and remove All Users, then click Add.
The Add Users and Groups dialog box opens.
b. Set the Search area in the Add Users and Groups dialog box to Special Rights, and
select All Authenticated Users from the search results list.
c. Click the Add button to list All Authenticated Users in the list of users who are granted
access permission.
d. Click OK to dismiss the Add Users and Groups dialog box.
4. In the Rights tab, select the checkbox for selfwrite. Make sure the other checkboxes are
clear.
Note that All Authenticated Users is broader than the userdn bind rule in the LDIF example
above: any user who has bound to the directory receives selfwrite, not only entries under
ou=example-people. If that is not intended, add the specific users or the ou=example-people
subtree in the Add Users and Groups dialog box instead.
6.9 Access control usage examples 283