HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

6.3.3.1 Allowing or denying access
6.3.3.2 Assigning rights
6.3.3.3 Rights required for LDAP operations
6.3.3.4 Permissions syntax
6.3.3.5 Access control and the modrdn operation
6.4 Bind rules
6.4.1 Bind rule syntax
6.4.2 Defining user access - userdn keyword
6.4.2.1 Anonymous access (anyone keyword)
6.4.2.2 General access (all keyword)
6.4.2.3 Self access (self keyword)
6.4.2.4 Parent access (parent keyword)
6.4.2.5 LDAP URLs
6.4.2.6 Wildcards
6.4.2.7 Examples
6.4.3 Defining group access - groupdn keyword
6.4.4 Defining role access - roledn keyword
6.4.5 Defining access based on value matching
6.4.5.1 Using the userattr keyword
6.4.5.1.1 Example with USERDN bind type
6.4.5.1.2 Example with GROUPDN bind type
6.4.5.1.3 Example with ROLEDN bind type
6.4.5.1.4 Example with LDAPURL bind type
6.4.5.1.5 Example with any attribute value
6.4.5.1.6 Using the userattr keyword with inheritance
6.4.5.1.7 Granting add permission using the userattr keyword
6.4.6 Defining access from a specific IP address
6.4.7 Defining access from a specific domain
6.4.8 Defining access at a specific time of day or day of week
6.4.8.1 Examples
6.4.9 Defining access based on authentication method
6.4.9.1 Examples
6.4.10 Using Boolean bind rules
6.5 Creating ACIs from the console
6.5.1 Displaying the Access Control Editor
6.5.2 Creating a new ACI
6.5.3 Editing an ACI
6.5.4 Deleting an ACI
6.6 Viewing ACIs
6.7 Checking access rights on entries (get effective rights)
6.7.1 Rights shown with a get effective rights search
6.7.2 The format of a get effective rights search
6.7.2.1 General examples on checking access rights
6.7.2.2 Examples of get effective rights searches for non-existent attributes
6.7.2.3 Examples of get effective rights searches for specific attributes or object classes
6.7.2.4 Examples of get effective rights searches for operational attributes
6.7.2.5 Examples of get effective rights results and access control rules
6.7.3 Using get effective rights from the console
6.7.4 Get effective rights return codes
6.8 Logging access control information
6.9 Access control usage examples
6.9.1 Granting anonymous access
6.9.1.1 ACI "Anonymous example.com"
6.9.1.2 ACI "Anonymous World"
6.9.2 Granting write access to personal entries