HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

NOTE:
There are some restrictions on binding with proxy authorization. You cannot use the Directory
Manager's DN (root DN) as a proxy DN. Additionally, if Directory Server receives more than one
proxied authentication control, an error is returned to the client application, and the bind attempt
is unsuccessful.
6.10 Advanced access control: Using macro ACIs
In organizations that use repeating directory tree structures, it is possible to optimize the number
of ACIs used in the directory by using macros. Reducing the number of ACIs in your directory tree
makes it easier to manage your access control policy and improves the efficiency of ACI memory
usage.
Macros are placeholders that are used to represent a DN, or a portion of a DN, in an ACI. You
can use a macro to represent a DN in the target portion of the ACI or in the bind rule portion, or
both. In practice, when Directory Server gets an incoming LDAP operation, the ACI macros are
matched against the resource targeted by the LDAP operation. If there is a match, the macro is
replaced by the value of the DN of the targeted resource. Directory Server then evaluates the ACI
normally.
6.10.1 Macro ACI example
Figure 13 (page 286) shows a directory tree that uses macro ACIs to effectively reduce the overall
number of ACIs. This illustration uses a repeating pattern of subdomains with the same tree structure
(ou=groups, ou=people). This pattern is also repeated across the tree because the example.com
directory tree stores the suffixes dc=hostedCompany2,dc=example,dc=com and
dc=hostedCompany3,dc=example,dc=com.
The ACIs that apply in the directory tree also have a repeating pattern. For example, the following
ACI is located on the dc=hostedCompany1,dc=example,dc=com node:
aci: (targetattr="*")(targetfilter=(objectClass=nsManagedDomain))
(version 3.0; acl "Domain access"; allow (read,search)
groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=hostedCompany1,dc=example,dc=com";)
This ACI grants read and search rights to the DomainAdmins group on any entry in the
dc=hostedCompany1,dc=example,dc=com tree.
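The following is an added illustration, not an ACI or code from the guide, of how the macro matching described above collapses the per-domain "Domain access" ACIs into one. It assumes the ($dn) and [$dn] macro placeholders of Directory Server and models their matching and substitution in a simplified way; it is not the server's implementation.

```python
import re

# Constructed example, not an ACI from the guide: the "Domain access" ACI rewritten
# with macros.  ($dn) in the target is matched against the requested entry's DN and
# the matched text is substituted into the bind rule; [$dn] also tries each parent
# portion of that text, so the admins of a parent hosted domain qualify as well.
MACRO_TARGET = "ldap:///ou=Groups,($dn),dc=example,dc=com"
MACRO_GROUPDN = "ldap:///cn=DomainAdmins,ou=Groups,[$dn],dc=example,dc=com"


def match_dn_macro(target_macro, resource_dn):
    """Return the text ($dn) stands for when resource_dn is the target entry or lies
    beneath it, else None.  Simplified model of the server's matching, not its code."""
    prefix, suffix = target_macro.replace("ldap:///", "").split("($dn)")
    dn = re.sub(r",\s*", ",", resource_dn.strip())   # tolerate "dc=a, dc=b" spacing
    pattern = (r"^(?:.*,)?" + re.escape(prefix)
               + r"(?P<dn>.+?)" + re.escape(suffix) + r"$")
    m = re.match(pattern, dn, re.IGNORECASE)
    return m.group("dn") if m else None


def expand_bind_rule(groupdn_macro, dn_value):
    """Expand ($dn) or [$dn] in a groupdn bind rule into the concrete group DNs
    the server would test membership against, most specific first."""
    rule = groupdn_macro.replace("ldap:///", "")
    if "($dn)" in rule:
        return [rule.replace("($dn)", dn_value)]
    rdns = dn_value.split(",")
    # [$dn]: the full match, then each parent obtained by dropping leading RDNs
    return [rule.replace("[$dn]", ",".join(rdns[i:])) for i in range(len(rdns))]


def domain_access_allowed(resource_dn, bind_user_groups):
    """True if the bound user is a member of a DomainAdmins group that the macro
    ACI expands to for this resource; False if the ACI does not apply at all."""
    dn_value = match_dn_macro(MACRO_TARGET, resource_dn)
    if dn_value is None:
        return False
    candidates = {g.lower() for g in expand_bind_rule(MACRO_GROUPDN, dn_value)}
    return any(g.lower() in candidates for g in bind_user_groups)


if __name__ == "__main__":
    # Constructed membership: the bound user is a hostedCompany1 domain admin only.
    h1_admins = ["cn=DomainAdmins,ou=Groups,dc=hostedCompany1,dc=example,dc=com"]
    print(domain_access_allowed(
        "cn=Sales,ou=Groups,dc=subdomain1,dc=hostedCompany1,dc=example,dc=com", h1_admins))
    print(domain_access_allowed(
        "cn=Sales,ou=Groups,dc=hostedCompany2,dc=example,dc=com", h1_admins))
```

The second call returns False because the macro expands to hostedCompany2's own DomainAdmins group, so one ACI keeps each hosted company's administrators confined to their own subtree.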