�W�@��      �ؿ�      �d�      �U�@��
Sun Java(TM) System Directory Server 5 2004Q2 �޲z��n

�� 6 ��
�޲z�s���

����s��z���ؿ�e�O�إߦw���ؿ�i�ίʪ��@����C��������s����O (ACI)�A���i�M�w�»P�s��ؿ�ϥΪ̭��@���v���CDirectory Server �]�t�s���\��A�i�˵��w�ϥΪ̹��w���ؾ֦��������v�Q�C���\��i�N�޲z����B�\��j�j���s�����@�~²�ơC

�b�ؿ�p���p�e���q�ɡA3�өw�q�ŦX����w���F�����s�����C�p�����W���s���������ܡA�аѾ\�mDirectory Server Deployment Planning Guide�nChapter 7 "Designing Access Control"�C

�����]�t�U�C�D�D�G

�s����
�w�] ACI
ACI �y�k
�s���W�h
�q��O��إ� ACI
�ϥΥD���x�إ� ACI
�s���Ϊk�d��
�˵���v�Q
�i�����s���G�ϥΥ��� ACI
�s���P�ƻs
�O��s����T
�P�ª����ۮe��

---

�s����

�w�q�s���v�����٬��s����C���A������n�D�ɡA���|�ϥΨϥΪ̦b�s���@�~���Ҵ��Ѫ����Ҹ�T�A�H�Φ�A�����w�q���s����O (ACI)�A�Ӥ��\�Ωڵ��s��ؿ��T�C��A���i���\�Ωڵ��v���A�ҦpŪ��B�g�J�B�j�M�Τ��C�»P�ϥΪ̪��v���h�ťi��]�Ҵ��Ѫ����Ҹ�T���P�Ӧ��Үt���C

�ϥΦs���A�z�K�i�H����s���ӥؿ�B�ؿ�𪬤l�ؿ�B�ؿ�S�w���� (�]�A�w�q�պA�u�@������)�B�S�w�������ݩʲթίS�w�������ݩʭȡC�i�H�]�w�S�w�ϥΪ̪��v���B�ݩ�S�w�s�թΨ��⪺�Ҧ��ϥΪ��v���B�Υؿ�Ҧ��ϥΪ̪��v���C�̫�A�i�H�w�q�H IP ��}�� DNS �W���ѧO���S�w�Τ�ݪ��s���v�C

ACI ���c

����s���O�H�����ݩʪ��覡�x�s�b�ؿ�Caci �ݩʬO�ާ@�ݩʡF���i�ѥؿ�C�Ӷ��بϥΡA���׶��ت��������O�O�_�w�w�q���ݩʡC�ؿ��A���b����ӦۥΤ�ݪ� LDAP �n�D�ɡADirectory Server �|�ϥΦ��ݩʨӵ��n�»P�Ωڵ����v�Q�C�p�G���S�O���n�D�Aldapsearch �@�~���|�Ǧ^ aci �ݩʡC

ACI ���z���,��T�ӥD�n���!G

�ؼ� - �M�w�N�M���v�������ة��ݩʡC
�v�� - �w�q���\�Ωڵ����@�~�C
�s���W�h - �M�w�ַ|�]����s�� DN �ӳQ ACI ����C

ACI ���v���P�s���W�h���*��]�w�O�ĥΰt��覡�A�o�ǰt��]�٬��s���W�h (ACR)�C�t�η|�ھڦ��H��w�v�����W�h�O�_�Q�����T�A�ӨM�w�»P�Ωڵ��s��ؼЪ���w�v���C�p�ݸԲӸ�T�A�аѾ\�uACI �y�k�v�C

ACI ��m

�p�G�]�t ACI �����ؤ��S�����l���ءA�h ACI �ȮM�Φb�Ӷ��ءF�p�G���ؤ����l���ءA�h ACI �|�M�Φb���إ����Ψ�U�Ҧ������ءC�]���A���A��������w���ت��s���v���ɡA���|�T�{�n�D�����ػP��ڧ=X����¦�����C�Ӷ��ت� ACI�C

aci �ݩʬO�h�����ݩʡA�o��ܱz�i�H���P�@�Ӷ��ةξ𪬤l�ؿ�w�q�h�� ACI�C

�z�b���ؤW�إߪ� ACI ���|�����M�Φb�Ӷ��ؤW�A�ӬO�M�θӶ��ؤ��U���𪬤l�ؿ����Υ������ءC�o�˰����u�I�b��A�z�i�H�b�𪬥ؿ�h�q�w�@��ʪ� ACI�A�� ACI �i�H���Ħa�M�Ω��b�𪬥ؿ�U�h�����ءC�Ҧp�A�i�H�b organizationalUnit ���ة� locality ���ت��h�ūإ� ACI�A�� ACI ���ؼЬO�]�t inetorgperson �������O�����ءC

�i�H�Q�Φ��\��b���h���$��I�W�q�w�@��ʳW�h�A�ϥؿ� ACI �ƥش��̧C�C�Y�n�����S��W�h���d��A�z3�Ӿ��i��a�N�W�h��b����س̪񪺦�m�C

�Ƶ�	��b�� DSE ���� (�t DN "") �� ACI �u�M�Φb�Ӷ��ءC

ACI ���

���F���S�w���ت��s���v�Q�A��A���|�sĶ�@�� ACI �M��A�o�� ACI �s�b�󶵥إ����W�A�H�Φs�b��i�V���خڧ=X����¦�^������ؤW�C���v��A��A���|�̦����dzB�z ACI�FACI �����|�b���ؤΨ�ڧ=X��¦�����Ҧ��=X�M�l�=X���i��A�Ӥ��b��L��A�����챵�=X�����i��C

�Ƶ�	�ؿ�޲z��O�ߤ@�S���M�Φs���A��㦳�v�����ϥΪ̡C��Τ�ݥH�ؿ�޲z���P�ؿ�s����A��A���b���@�~���e���|����� ACI�C �]���A�H�ؿ�޲z���� LDAP �@�~���į�O�L�k�P��L�ϥΪ̪��w�nį�۴��ýת��C�z3�ӭn�H�@��ϥΪ̨����եؿ�į�C

�̹w�]�ȡA���حY�S�� ACI �i�M�ΡA�h���F�ؿ�޲z��~�A�N�ڵ��Ҧ��ϥΪ̦s��C������ ACI ��T�»P�s���v���A�ϥΪ̤~��s���A��������󶵥ءC�w�] ACI �w�q�ΦWŪ��s��A�ä��\�ϥΪ̭ק�L�̦ۤv�����ءA����@�w���ʩһݪ��ݩʰ��~�C�p�ݸԲӸ�T�A�аѾ\�u�w�] ACI�v�C

��M��A���u����̱���ؼж��ت� ACI�A��M�Φܶ��ت��Ҧ� ACI ���v�T�O�ֿn���C���D�����@�� ACI �ڵ��� ACI �»P���s���v���A�_�h�t�η|���\�Ӧs���v���C�ڵ��s�� ACI (���ץX�{�b�M���B)�A���u��ǧ����󤹳\�s��P�@�귽�� ACI�C

�Ҧp�A�p�G�z�ڵ��b�ؿ�ڼh�Ť����g�J�v���A�h�L�ױz�O�_�»P���S�w���v���A���ϥΪ̳��L�k�g�J�ؿ�C�Y�n�N�ؿ�g�J�v���»P�S�w�ϥΪ̡A��������g�J�v������l�ڵ��d��A�ϥ����]�t�ӨϥΪ̡C

ACI ����

���ؿ�A�ȫإߦs�����ɡA�z�������D�U�C����G

�p�G�ϥ��챵�\��N�𪬥ؿ�4��b�X����A���W�A�h�s���z�����ҨϥΪ�����r�|���@�ǭ���G
�̾a�s�ն��ت� ACI (groupdn ����r) �����P�s�ն��ئ�b�P�@����A���W�C�p�G�O�ʺA�s�աA�s�ժ��Ҧ�����]�������b��A���W���@�Ӷ��ءC�p�G�O�R�A�s�աA�h�����إi��b���ݦ�A���W�C
�̾a����w�q�� ACI (roledn ����r) �����P����w�q���ئ�b�P�@����A���W�C�C�@�ӭn�֦����⪺���ؤ]��������b�P�@����A���W�C

��O�A�i�H�N�x�s�b�ؿ�ؤ����ȻP�x�s�b�s���ϥΪ̶��ؤ����ȶi��ƭȹ�3 (�Ҧp�A�ϥ� userattr ����r)�C�Y�ϳs���ϥΪ̦b�x�s ACI ����A���W�S����󶵥ءA�s���٬O�|�H���`�覡���C

�p�����p���챵�s�����ԲӸ�T�A�аѾ\�u�z�L�챵�=X���s���v�C

�� CoS �Ҳ��ͪ��ݩʤ���Ω�Ҧ� ACI ����r���C�ר䤣3�ӱN CoS �Ҳ��ͪ��ݩʥΩ� userattr �M userdnattr ����r�A�]���o�˦s���W�h�N�L�@�ΡC�p�ݸԲӸ�T�A�аѾ\�u�ϥ� userattr ����r�v�C�p����� CoS ���ԲӸ�T�A�аѾ\�� 5 ���u�޲z����M����v�C
�s���W�h�`�O�b�����A���W���C�z���i�H�b ACI ����r�ҥΪ� LDAP URL ����w��A�����D��W�٩γs���𸹽X�C�Y�ϱz��w�F�A�]�@�ˤ��|�N LDAP URL �C�J�Ҷq�C�p�ݸԲӸ�T�A�аѾ\�mDirectory Server Administration Reference�n���� Chapter 6 "LDAP URL Reference"�C
�»P�N�z�v�Q�ɡA�z����H�ؿ�޲z���N�N�z�v�Q�»P�ϥΪ̡A�]����N�N�z�v�Q�»P�ؿ�޲z��C

---

�w�] ACI

��w�� Directory Server �ɡA�t�η|�b�z�b�պA�v��ҫ�w���ڧ=X�W�w�q�U�C�w�] ACI�G

�Ҧ��ϥΪ֦̾��ΦW�s��ؿ��v���A�i���j�M�B���PŪ��@�~ (���F userpassword �ݩʤ��~)�C
�s���ϥΪ̥i�H�ק�ؿ�L�̦ۤv�����ءA��L�k���H�R���C�L�̵L�k�ק� aci�Bnsroledn �M passwordPolicySubentry �ݩʡA�]�L�k�ק���귽�����ݩʡB�K�X�������A�ݩʩαb����w���A�ݩʡC
�պA�޲z�� (�w�]�� uid=admin,ou=Administrators, ou=TopologyManagement,o=NetscapeRoot) �֦��N�z�v�Q�H�~���Ҧ��v�Q�C
�պA�޲z��s�ժ��Ҧ�����֦��N�z�v�Q�H�~���Ҧ��v�Q�C
�ؿ�޲z��s�ժ��Ҧ�����֦��N�z�v�Q�H�~���Ҧ��v�Q�C
SIE �s�ժ��Ҧ�����֦��N�z�v�Q�H�~���Ҧ��v�Q�CSIE �s�եN�� Administration Server �����ؿ��A���s�ժ��޲z��C

��b�ؿ�إ߷s���ڧ=X�ɡA������¦���ؾ֦��W�z�w�] ACI�A��ۧڭק� ACI ���~�C���[�j�w���ʡA3�Ө��u�ϥΥD���x�إ߷s���ڧ=X�v���ҭz�[�J�� ACI�C

Administration Server �� NetscapeRoot �𪬤l�ؿ�ۤv���@�չw�] ACI�G

�պA�޲z��s�ժ��Ҧ�����b NetscapeRoot �𪬤l�ؿ�W�֦��N�z�v�Q�H�~���Ҧ��v�Q�C�o��L�̥i�H�N�s����[�J�պA�޲z��s�աC
�Ҧ��ϥΪ֦̾��ΦW�s�� NetscapeRoot �𪬤l�ؿ��v���A�i���j�M�PŪ��@�~�C
�s���X�R ACI ���\�޲z�s�ժ�����s��s�թw�q�C

�U�C�U�`����p��ק�o�ǹw�]�ȡA�H�ŦX��´���ݭn�C

---

ACI �y�k

ACI �O�㦳�\�h�إi���ܤƪ�����c�C�L�רϥΥD���x�αq��O��إߩM�ק� ACI�A�z��3�ӤF�� LDIF �榡�� ACI �y�k�C�U�C�U�`�N�Բӻ��� ACI ���y�k�C

����	�]�� ACI �y�k�ӽ���ADirectory Server Console �ä��䴩�H��ı�覡�s��Ҧ� ACI�C�ӥB�A���j�q�ؿ�س]�w�s���ɡA�ϥΫ�O��O���ֳt���覡�C�]���A�Y�n�إߨ㦳���Ħs���w���ؿ�A�F�� ACI �y�k�O�ܭ��n���C

aci �ݩʪ��y�k�p�U�G

aci:(target)(version 3.0;acl "name";permission bindRules;)

�䤤�G

target ��w�n�����s���v�������ءB�ݩʩζ��ػP�ݩʲաC�ؼХi����O�W�١B�@�өΦh���ݩʡA�γ�@ LDAP �z�ﾹ�F�ؼЬO��Ϊ��C�p�G����w�ؼСAACI �|�M�Φb�w�q ACI �B����Ӷ��ؤΨ�Ҧ��l���W�C
version 3.0 �O�ѧO ACI ���������n�r��C
name �O ACI ���W�١C�W�٥i���ѧO ACI �����r��CACI �W�٬O���n���A3�ӯ��y�z ACI ���ĪG�C

����	��M�W�٨S����󭭨�A��O�ϥ� ACI ���ߤ@�W�٬O�n�ߺD�C�p�G�ϥΰߤ@�W�١A�u��o�����v�Q�v����i��z�M�w���@�� ACI ���ġC

permission �S�O�a���z�F�n���\�Ωڵ����v�Q�A�ҦpŪ��ηj�M�v�Q�C
bindRules ��w�ϥΪ̬���o�s���v�ҥ������Ѫ����һP�s���ѼơC�s���W�h�]�i�H�H�ϥΪ̩θs�զ�����Y����¦�A�άO�H�Τ�ݪ��s�u�ݩʬ���¦�C

�i�H�֦��h�ӥؼЩM�v��-�s���W�h�t��C�o�i��z�N�@���ؼЪ����ةM�ݩ��u�ơA�æ��Ħa����w�ؼг]�w�h���s���C�Ҧp�G

aci:(target)...(target)(version 3.0;acl "name"; permission bindRule;
 permission bindRule; ...; permission bindRule;)

�U�C������ LDIF ACI ���d�ҡG

aci:(target="ldap:///uid=bjensen,dc=example,dc=com"
 (targetattr="*")(version 3.0; acl "example"; allow (write)
 userdn="ldap:///self";)

�b���d�Ҥ��AACI ���ϥΪ� bjensen ���v�ק�o�ۤv�ؿ�ؤ����Ҧ��ݩʡC

�U�C�U�`�Բӻ��� ACI ���C�@���*��y�k�C

�w�q�ؼ�

�ؼз|�ѧO��̷|�M�� ACI�C��Τ�ݭn�D�ﶵ�ؤ����ݩʰ��@�~�ɡA��A���|���ؼСA�F�ѬO�_������� ACI �H���\�Ωڵ��@�~�C�p�G����w�ؼСA�h ACI �|�M�Ψ�]�t aci �ݩʪ����ؤ����Ҧ��ݩʡA�Ψ�U�Ҧ����ءC

�ؼЪ��@��y�k���U�C�䤤�@���G

(keyword = "expression")

(keyword != "expression")

�䤤�G

keyword ��ܥؼЪ������C�� 6-1 ��������r�w�q�U�C�ؼ������G
�ؿ�ءA�Ψ�𪬤l�ؿ�C
���ت��ݩʡC
�ŦX LDAP �z�ﾹ�����ة��ݩʲաC
�ŦX LDAP �z�ﾹ���ݩʭȩμƭȲզX�C
���� (=) ��ܥؼЬO expression ����w������A�Ӥ����� (!=) ��ܥؼЬO expression ������w����󪫥�C

�Ƶ�	targattrfilters ����r���䴩�u������v�B��l�C

expression �|�]����r�Ӧ����P�A���ѧO�ؼСC��M�ثe��@�W���� targetattr=* ���B�⦡�Aexpression �b�y�k�W�٬O�ݭn�޸� ("")�C�b�N�Ӫ������y�k�ˬd�i���ܱo���Y��A�ҥH3�ӨC�����ϥΤ޸��C

�U��C�X�C������r�ά���B�⦡�G

�� 6-1 LDIF �ؼ�����r

����r	���Ī��B�⦡	���\�U�Φr���ܡH
target	ldap:///distinguished_name	�O
targetattr	attribute	�O
targetfilter	LDAP_filter	�O
targattrfilters	LDAP_operation:LDAP_filter	�O

�N�ؿ�س]���ؼ�

�ϥ� target ����r�M LDAP URL ���� DN �i�N�S�w�ؿ�ؤΨ�U��󶵥س]���ؼСC�ؼЪ� DN ������b ACI �w�q��m�����ؤU���𪬤l�ؿ�C�ؼйB�⦡���y�k�p�U�G

(target = "ldap:///distinguished_name")
(target != "ldap:///distinguished_name")

��O�W�٥�����b�H ACI �w�q��m�����ج��ڳ����𪬤l�ؿ�C�Ҧp�A�H�U�ؼХi�Ω� ou=People,dc=example,dc=com �W�� ACI ���G

(target = "ldap:///uid=bjensen,ou=People,dc=example,dc=com")

�Ƶ�	���ت� DN �����O�H�r���� (RFC 2253) ����O�W�١C�]���r���b��k�W�� dn �ܭ��n�A�Ҧp�r�������H�ϱ׽u (\) �������C�Ҧp�G (target="ldap:///uid=cfuentes,o=Example Bolivia\, S.A.")

�]�i�H�b DN ���ϥθU�Φr���A�N���ŦX LDAP URL �����س]���ؼСA���ؼƶq�����C�U�C�O�U�Φr�����T�Ϊk���d�ҡG

(target="ldap:///uid=*,dc=example,dc=com")

����� example.com �𪬥ؿ�ت� RDN ���� uid �ݩʪ��C�@�Ӷ��ءC���ؼбN���𪬥ؿ��@�h�����ءA�Ҧp�G

uid=tmorris,ou=sales,dc=example,dc=com
uid=yyorgens,ou=marketing,dc=example,dc=com
uid=bjensen,ou=eng,ou=east,dc=example,dc=com

(target="ldap:///uid=*Anderson,ou=People,dc=example,dc=com")

��� ou=People �$䤤 uid �H Anderson ����Ҧ����ءC

(target="ldap:///*Anderson,ou=People,dc=example,dc=com")

��� ou=People �$䤤 RDN �H Anderson ����Ҧ����ءA�Ӥ��שR�W�ݩʬ���C

���\�ϥΦh�ӸU�Φr���A�Ҧp uid=*,ou=*,dc=example,dc=com�C���d�Ҥ�� example.com �𪬥ؿ���O�W�٥]�t uid �P ou �ݩʪ��C�Ӷ��ءC

�Ƶ�	��O�W�٪��=X���$���ϥθU�Φr���C�]�N�O�A�p�G�z���ؿ�ϥΧ=X c=US �P c=GB�A�h�����ϥΤU�C�ؼШӰѦҳo��ӧ=X�G (target="ldap:///dc=example,c=*"). �]����ϥι� uid=bjensen,o=*.com �o�˪��ؼСC

�ؼ��ݩ�

���F�H�ؿ�ج��ؼФ��~�A�]�i�H�N�ؼж��ت��@�Φh���ݩʡA�άO�@�Φh���ݩʰ��~���Ҧ��ݩʳ]���ؼСC�o���ڵ��Τ��\�s��ت����8�T�D�`���ΡC�Ҧp�A�z�i�H���\�u�s���w���ت��@��W�١B�m��P�q�ܸ��X�ݩʡF�Ϊ̡A�z�i�H�ڵ��s��ӷP����T�A�Ҧp�ӤH��ơC

�p�G�S�� targetattr �W�h�A�̹w�]�ȵL�k�s�����ݩʡC�Y�n�s��Ҧ��ݩʡA�W�h�����O targetattr="*"�C

�ؼ��ݩʤ����s�b�ؼж��ةΨ�𪬤l�ؿ�A��u�n�o���ݩʦs�b�A�N�|�M�� ACI�C�z�]���ؼЪ��ݩʤ����b���c���w�q�C�o�دʥF���c�ˬd���覡��z�b�פJ��ƤΨ䵲�c�e�K�i���s�����C

�Y�n�N�ݩʳ]���ؼСA�Х� targetattr ����r�ô����ݩʦW�١Ctargetattr ����r�ϥΤU�C�y�k�G

(targetattr = "attribute")
(targetattr != "attribute")

�i�H�ϥΤU�C�y�k�Q�� targetattr ����r�A�N�h���ݩʳ]���ؼСG

(targetattr = "attribute1 || attribute2 ...|| attributen")
(targetattr != "attribute1 || attribute2 ...|| attributen")

�Ҧp�A�n�N���ت��@��W�١B�m��� uid �ݩʳ]���ؼСA�ШϥΡG

(targetattr = "cn || sn || uid")

�ؼ��ݩʥ]�t�R�W�ݩʪ��Ҧ��l�����C�Ҧp�A(targetattr = "locality") �]�|�H locality;lang-fr ���ؼСC�]�i�H�S�O�N�l�����]���ؼСA�Ҧp (targetattr = "locality;lang-fr-ca")�C

�z�i�H�b targetattr �W�h���ϥθU�Φr���A��ä����y�ϥΡA�]���S���S�O���γ~�A�ӥB�i���į঳�t�����v�T�C

�N���ػP�ݩʨ�̳]���ؼ�

�̹w�]�ȡA�]�t targetattr ����r�� ACI ���ؼж��جO ACI �Ҧb��m�����ءC�]�N�O�A�p�G�N ACI

aci:(targetattr = "uid")(accessControlRules;)

��b ou=Marketing, dc=example,dc=com ���ؤW�A�h ACI �|�M�Φb��� Marketing �𪬤l�ؿ�C��z�]�i�H�� target ����r��T��w�ؼСA�Ϊk�p�U�G

aci:(target="ldap:///uid=*,ou=Marketing,dc=example,dc=com")
 (targetattr="uid") (accessControlRules;)

target �P targetattr ����r����w���Ǥ�����C

�ϥ� LDAP �z�ﾹ�N���ة��ݩʳ]���ؼ�

�i�H�ϥ� LDAP �z�ﾹ�N�ŦX�Y�DZ�󪺶��زճ]���ؼСC�Y�n�p���]�w�A�Цb targetfilter ����r���ϥ� LDAP �z�ﾹ�C�� ACI �N�M�Φb���t ACI �����ؤU�𪬤l�ؿ�ŦX�z�ﾹ���Ҧ����ءC

targetfilter ����r���y�k���G

(targetfilter = "LDAPfilter")

�䤤 LDAPfilter �O�зǪ� LDAP �j�M�z�ﾹ�C�p�����z�ﾹ�y�k���ԲӸ�T�A�аѾ\�uLDAP �j�M�z�ﾹ�v�C

�Ҧp�A���]�N���u���Ҧ����س��� salaried �� contractor ���A�A�٦��@�ӥN��u�@�ɼƪ��ݩʡA���ݩʥH��¾�u�@���ʤ$�Φ���ܡC�Y�n�N�N�� contractor �έ�¾��u���Ҧ����س]���ؼСA�z�i�H�ϥΤU�C�z�ﾹ�G

(targetfilter = "(|(status=contractor)(fulltime<=79))")

�Ƶ�	ACI �����䴩�y�z��ڤƭȹ�3�W�h���z�ﾹ�y�k�C�Ҧp�A�U�C�ؼпz�ﾹ�L�ġG (targetfilter = "(locality:fr:=<= Quebec)")

�ؼпz�ﾹ�N���鶵�ؿאּ ACI ���ؼСC�i�H�N targetfilter �P targetattr ����r�������p�A��إߪ� ACI �|�M�Φb�ؼж��ؤ����ݩʤl���W�C

�U�C LDIF �d���� Engineering Admins �s�ժ�������ק� Engineering �~�����O���Ҧ����ت� departmentNumber �P manager �ݩʡC���d�Ҩϥ� LDAP �z��覡��� businessCategory �ݩʳ]�� Engineering ���Ҧ����ءG

dn:dc=example,dc=com
objectClass:top
objectClass:organization
aci:(targetattr="departmentNumber || manager")
 (targetfilter="(businessCategory=Engineering)")
 (version 3.0; acl "eng-admins-write"; allow (write)
 groupdn ="ldap:///cn=Engineering Admins, dc=example,dc=com";)

����	��M��N���G�ؿ�U�B�����ػP�ݩʳ]���ؼЮɡA�ϥ� LDAP �z�ﾹ�|�۷?�ΡA��G���ɥi����H�w��A�]���z�ﾹ�ä�������w�z�n�޲z�s����W�١C�z�� ACI ���ؼж��زեi��|�H���ݩʪ��[�J�ΧR���ӧ��ܡC�]���A�p�G�b ACI ���ϥ� LDAP �z�ﾹ�A�h3�b ldapsearch �@�~���ϥάۦP���z�ﾹ�A�H�T�{�ؼЬO�_�����T�����ةM�ݩʡC

�ϥ� LDAP �z�ﾹ�N�ݩʭȳ]���ؼ�

�i�H�ϥΦs���N�S�w�ݩʭȳ]���ؼСC�o��ܱz�i�H�̾��ݩʭȬO�_�ŦX ACI ���w�q�����A�ӱ»P�Ωڵ��v���C�̾��ݩʭȱ»P�Ωڵ��s���v�� ACI �٬��H�Ȭ���¦�� ACI�C

�Ҧp�A�i�H�»P��´���Ҧ��ϥΪ̭ק諸�v���A�H�ק�L�̦ۤv���ؤ��� nsRoleDN �ݩʡC��O�A�z�]�Ʊ�T�O�L�̤��|���ۤv��P�Y�ǭ��n����A�p�uTop Level Administrator�v�CLDAP �z�ﾹ�i�Ψ��ˬd�ݩʭȬO�_�ŦX���C

�Y�n�إߥH�Ȭ���¦�� ACI�A�����H�U�C�y�k�ϥ� targattrfilters ����r�G

(targattrfilters="add=attr1:F1 && attr2:F2...&& attrn:Fn,
                  del=attr1:F1 && attr2:F2 ...&& attrn:Fn")

�䤤�G

add �N��إ��ݩʪ��@�~�C
del �N��R���ݩʪ��@�~�C
attrn �N��ؼ��ݩʡC
Fn �N��u�M�Φb���p�ݩʪ��z�ﾹ�C

�إ߶��خɡA�p�G�N�z�ﾹ�M�Ψ�s���ؤ����ݩʡA�h���ݩʪ��C�ӹ�ҳ����������ӿz�ﾹ�C�R�����خɡA�p�G�N�z�ﾹ�M�Φb�Ӷ��ؤ����ݩʡA�h���ݩʪ��C�ӹ�Ҥ]�����������ӿz�ﾹ�C

�קﶵ�خɡA�p�G�@�~�[�J�ݩʡA�h���������M�Φb���ݩʪ��[�J�z�ﾹ�F�p�G�@�~�R���ݩʡA�h���������M�Φb���ݩʪ��R���z�ﾹ�C�p�G�w�s�b�󶵥ؤ����ݩʪ��ӧO�ȳQ��N�F�A�h�����P�ɺ����[�J�P�R���z�ﾹ�C

�Ҧp�A�ЦҼ{�U�C�ݩʿz�ﾹ�G

(targattrfilters="add=nsroleDN:(!(nsRoleDN=cn=superAdmin)) && telephoneNumber:(telephoneNumber=123*)")

���z�ﾹ�i�ΨӤ��\�ϥΪ̱N��󨤦� (nsRoleDN �ݩ�) �[�J��ۤv�����ؤ��A�� superAdmin ���Ⱓ�~�C���]���\�ϥΪ̥[�J�r���� 123 ���q�ܸ��X�C

�Ƶ�	�L�k�q Directory Server Console �إߥH�Ȭ���¦�� ACI�C

�N��@�ؿ�س]���ؼ�

�S����T����k�i�H�N��@���س]���ؼСC���٬O�i�H���o��G

�Q�Ϋإ߳s���W�h�A�N�s���n�D�����ϥΪ̿�J��3�x�s�b�ؼж��ؤ����ݩʭȡC�p�ݧ�h�ԲӸ�ơA�аѾ\�u�ھڬ۲ŭȩw�q�s��v�C
�ǥѨϥ� targetfilter ����r�C

�ǥѨϥ� targetfilter ����r�A�z�K�i�H��w�u�|�b�һݶ��ؤ��X�{���ݩʭȡC�Ҧp�A�b Directory Server �w�˴v��|�إߤU�C ACI�G

aci:(targetattr="*")(targetfilter=(o=NetscapeRoot))
 (version 3.0; acl "Default anonymous access";
 allow (read, search) userdn="ldap:///anyone";)

�� ACI �u��M�Φb o=NetscapeRoot ���ءA�]���u���o�Ӷ��ت� o �ݩʭȬO NetscapeRoot�C

�ϥγo�Ǥ�k�H���ӨӪ����I�O�z���𪬥ؿ�ӥi��|���ܡA���ɽаȥ��O�o�n�ק惡 ACI�C

�ϥΥ����w�q�ؼ�

�z�i�H�ϥΥ����b ACI ���ؼг��$��N�� DN�A�]���̨Τƥؿ�ϥΪ� ACI �ƥءC�p�ݸԲӸ�T�A�аѾ\�u�i�����s���G�ϥΥ��� ACI�v�C

�w�q�v��

�v���i�H��w���\�Ωڵ��s�������C�i�H���\�Ωڵ��b�ؿ���S�w�@�~���v���C�U�إi�ѫ�w���@�~�٬��v�Q�C

�]�w�v���,���ӳ��!G

���\�Ωڵ��s��
��w�v�Q

���\�Ωڵ��s��

�i�H��T���\�Ωڵ��s��𪬥ؿ��v���C�p�������3���\�P�ڵ��s��Բӻ���A�аѾ\�mDirectory Server Deployment Planning Guide�nChapter 7 "Designing Access Control"�C

��w�v�Q

�v�Q�ԲӦC�X�ϥΪ̥i��ؿ��ư�檺�S�w�@�~�C�i�H���\�Ωڵ��Ҧ��v�Q�A�]�i�H��w�U�C�@�Φh���v�Q�G

Ū��C��ܨϥΪ̬O�_��Ū��ؿ��ơC���v���ȾA�Ω�j�M�@�~�C

�g�J�C��ܨϥΪ̬O�_��[�J�B�ק�ΧR���ݩ��H�קﶵ�ءC���v���A�Ω�ק�P modrdn �@�~�C

�[�J�C��ܨϥΪ̬O�_��إ������C���v���ȾA�Ω�[�J�@�~�C

�R���C��ܨϥΪ̬O�_��R�������C���v���ȾA�Ω�R���@�~�C

�j�M�C��ܨϥΪ̬O�_��j�M�ؿ��ơC�ϥΪ̥����֦��j�M�PŪ���v�Q�A�~��N�Ǧ^����Ƶ�j�M���G���@����C���v���ȾA�Ω�j�M�@�~�C

���C��ܨϥΪ̬O�_��N�L�̴��Ѫ���ƻP�ؿ��x�s����ư����C�Y�֦�����v�Q�A�ؿ�b�^3�d�߮ɷ|�Ǧ^���\�Υ��ѰT���A��ϥΪ̬ݤ��춵�ة��ݩʪ��ȡC���v���ȾA�Ω���@�~�C

�ۼg�C��ܨϥΪ̬O�_��b�ؼж��ت��ݩʤ��[�J�ΧR���L�̦ۤv�� DN�C���ݩʪ��y�k�����O�u��O�W�١v�C���v�Q�ȨѸs�պ޲z���ΡC�ۼg�n�t�X�N�z���Ҥ@�_�ϥΡG���|�»P�q�s�ն��ؤ��[�J�ΧR���N�z DN ���v�Q (���O�s���ϥΪ̪� DN)�C

�N�z�C��ܫ�w�� DN �O�_��ϥΥt�@�Ӷ��ت��v�Q�s��ؼСC�z�i�H�ϥΥؿ���ϥΪ̪� DN (�ؿ�޲z�� DN ���~) �»P�N�z�s���v�C���Ȧp���A�z�L�k�N�N�z�v�Q�»P�ؿ�޲z��C�u�N�z���� ACI �d�ҡv�����ѤF�@�ӽd�ҡC

�����C��ܫ�w�� DN ��ؼж��ؾ֦��Ҧ��v�Q (Ū��B�g�J�B�j�M�B�R���B���P�ۼg)�A�����]�A�N�z�v�Q�C

�v�Q���»P�����W�ߡC�o�����o�[�J�v�Q���ϥΪ̥i�H�إ߶��ءA��p�G�ӨϥΪ̤����S�O��o�R���v�Q�A�h�L�k�R�����ءC�]���A�W���ؿ�s�����ɡA�����T�w�»P�v�Q���覡��ϥΪ̦��N�q�C�Ҧp�A�u�»P�g�J�v���A�o���»PŪ��P�j�M�v���A�K�S���N�q�C

LDAP �@�~�һݪ��v�Q

���`����ھڱz�n���v�ϥΪ̰�椧 LDAP �@�~�����P�A�z�����»P�ϥΪ̤��P���v�Q�C

�[�J���ءG

�»P���[�J���ت��[�J�v���C
�»P���ؤ��C���ݩʭȼg�J���v���C�̾ڹw�]�»P���v�Q�A��O�i�ϥ� targattrfilters ����r�[�H����C

�R�����ءG

�»P��R�����ت��R���v���C
�»P���ؤ��C���ݩʭȼg�J���v���C�̾ڹw�]�»P���v�Q�A��O�i�ϥ� targattrfilters ����r�[�H����C

�קﶵ�ت��ݩʡG

�»P���ݩ��������g�J�v���C
�»P�C���ݩ������Ȫ��g�J�v���C�̾ڹw�]�»P���v�Q�A��O�i�ϥ� targattrfilters ����r�[�H����C

�קﶵ�ت� RDN�G

�»P�Ӷ��ت��g�J�v���C
�»P�s RDN ���ҥ��ݩ��������g�J�v���C
�»P�� RDN ���ҥ��ݩ��������g�J�v�� (�p�G�n�»P�R���� RDN ���v�Q)�C
�»P�s RDN ���ҥ��ݩ������Ȫ��g�J�v���C�̾ڹw�]�»P���v�Q�A��O�i�ϥ� targattrfilters ����r�[�H����C

����ݩʭȡG

�»P���ݩ�����������v���C

�j�M���ءG

�»P�j�M�z�ﾹ���ҥΨC���ݩ��������j�M�v���C
�»P���ةҥΦܤ֤@���ݩ�������Ū���v���A�H�T�w�w�Ǧ^���ءC
�»P�C���ݩ�����Ū���v��H�ϥζ��ضǦ^�C

�ѷӤU�C�d�ҡA�i�H��e��F�ѭn���\�ϥΪ̷j�M�ؿ�ҥ����]�w���v���C�Ы�ҤU�C�j�M�G

ldapsearch -h host -p port -D "uid=bjensen,dc=example,dc=com" \
           -w password -b "dc=example,dc=com" \
             "(objectclass=*)" mail

�ϥΤU�C ACI �M�w bjensen �ϥΪ̬O�_����o�s���v�G

aci:(targetattr = "mail")(version 3.0; acl "self access to
 mail"; allow (read, search) userdn = "ldap:///self";)

�j�M���G�M��ťաA�]���� ACI �����\ bjensen �b objectclass �ݩʤW�j�M���v���C�p�G�Ʊ�W�z���j�M�@�~���\�A�����ק� ACI �H�KŪ��A�p�U�G

aci:(targetattr = "mail || objectclass")(version 3.0; acl "self
 access to mail"; allow (read, search) userdn = "ldap:///self";)

�v���y�k

�b ACI ���z�����A�v�����y�k���G

allow|deny (rights)

�䤤 rights �O�A���� 1 �� 8 �ӥH�r���9j������r�M��C��������r�� read�Bwrite�Badd�Bdelete�Bsearch�Bcompare�Bselfwrite�Bproxy �� all�C

�b�U�C�d�Ҥ��A�p�G�s���W�h�����G�O���T�A�K���\Ū��B�j�M�P���s��G

aci:(target="ldap:///dc=example,dc=com") (version 3.0;acl
 "example"; allow (read, search, compare) bindRule;)

---

�s���W�h

��ؿ�w�q�� ACI �����P�A���ǧ@�~�����s����ؿ�C�s����ܴ��ѳs�� DN �P�K�X (�p�G�ϥ� SSL�A�h���Ѿ���) ��z�ۨ��n�J�ؿ�γq�L�ؿ����ҡC�s���@�~���Ҵ��Ѫ����ҡA�H�γs�������p���i�M�w�O�_���\�Ωڵ��s��ؿ�C

ACI �����C���v���ճ����@�ӹ�3���s���W�h�A���W�h�ԲӦC�X���n�����һP�s���ѼơC

²�檺�s���W�h�i��ݭn�s��ؿ�ϥΪ̥����ݩ�S�w���s�աC����s���W�h�i����ϥΪ̥����ݩ�S�w�s�աA�ӥB�����b�W�� 8 �I��U�� 5 �I�����q�S�w IP ��}���q���n�J�C

�s���W�h�W�w�i�H�s��ؿ�H��B�ɶ��P�a�I�C�s���W�h�i�H�����a�W�w�G

��o�s���v���ϥΪ̡B�s�ջP����
���饲���s�����ӷ���m�C�ӦۨϥΪ����Ҫ���m�i�ण�O���T���A�]���L�k���H��C�ФŨ̳o�ظ�T�M�w ACI�C
�s�������o�ͪ��ɶ��Τ��
�s���v������ϥΪ���������

���~�A�i�H�ϥΥ��L�B��l�N�o�DZ��[�H�զX�A��s�������c��[����C�p�ݧ�h��T�A�аѾ\�u�ϥΥ��L�s���W�h�v�C

��A���|�ھ������� LDAP �z�ﾹ�ɩҨϥΪ��T���޿�A�ӵ�� ACI ���ҥΪ��޿�B�⦡�A�p�uRFC 2251 ���q���ؿ�s��q�T��w (v3) �v���ҭz�C�`�Ө����A�o��ܦp�G�B�⦡����󪺤���Q�����w�q (�Ҧp�A�p�G�]���귽����ϹB�⦡����)�A�h��A���|���T�a�B�z�o�ر��p�G�����|�]�������L�B�⦡���X�{���w�q���ȡA�ӿ�~�a�»P�s���v�C

�s���W�h�y�k

�H ACI ���s���W�h�O�_�����T�A�@���O�_�n���\�Ωڵ��s��̾ڡC�s���W�h�ϥΤU�C��ؼҦ����@�G

keyword = "expression";

keyword != "expression";

�䤤���� (=) ��� keyword �P expression �����ŦX�A�s���W�h�~�|�������T�F�Ӥ����� (!=) �h��� keyword �P expression �������ŦX�A�s���W�h�~�|�������T�C

�Ƶ�	timeofday ����r�]�䴩���۵��B�⦡ (<�B<=�B>�B>=)�C�o�O�ߤ@�䴩�o�ǹB�⦡������r�C

expression �P�򪺤޸� ("") �M�9j���_�� (;) �O���n���C�i�Ϊ��B�⦡�������p�� keyword �өw�C

�U��C�X�C������r�P���p���B�⦡�A�ë�X�B�⦡���O�_���\�U�Φr���C

�� 6-2 LDIF �s���W�h����r 

����r	���Ī��B�⦡	���\�U�Φr���ܡH
userdn	ldap:///distinguished_name ldap:///all ldap:///anyone ldap:///self ldap:///parent ldap:///suffix??sub?(filter)	�O�A�ȭ��� DN ��
groupdn	[ldap:///DN]	�_
roledn	[ldap:///DN]	�_
userattr	attribute#bindType �� attribute#value	�_
ip	IP_address	�O
dns	DNS_host_name	�O
dayofweek	sun mon tue wed thu fri sat	�_
timeofday	0 - 2359	�_
authmethod	none simple ssl sasl authentication_method	�_

�U�C�U�`�N�i�@�B�Բӻ���C������r���s���W�h�y�k�C

�w�q�ϥΪ̦s�� - userdn ����r

�ϥΪ̦s��O�� userdn ����r�өw�q�Cuserdn ����r�ݱĥΤU�C�榡���@�Φh�Ӧ��Ŀ�O�W�١G

userdn = "ldap:///dn [|| ldap:///dn]..."
userdn != "ldap:///dn [|| ldap:///dn]..."

�䤤 dn �i�H�O DN �άO anyone�Ball�Bself �� parent ���B�⦡���@�C�o�ǹB�⦡�|�ѷӤU�C�ϥΪ̡G

userdn = "ldap:///anyone" - �ΦW�P���ҨϥΪ̡C
userdn = "ldap:///all" - �ȭ����ҨϥΪ̡C
userdn = "ldap:///self" - �ȭ��P ACI �ؼж��ؤ@�˪��ϥΪ̡C
userdn = "ldap:///parent" - �ȭ� ACI �ؼЪ���C

userdn ����r�]�i�H��ܬ��p�U�C�榡�� LDAP �z�ﾹ�G

userdn = ldap:///suffix??sub?(filter)

�Ƶ�	�r���b��k�W�� dn �ܭ��n�A�Ҧp�r�������H�ϱ׽u (\) �������C

�ΦW�s�� (anyone ����r)

�»P�ΦW�s��ؿ��v���A��ܤ��׳s�����p�p��A���H�����ݴ��ѳs�� DN �αK�X�Y�i�s��ӥؿ�C�i�H�N�ΦW�s���b�S�w�������s�� (�Ҧp�AŪ��s��ηj�M�s��)�A�άO����b�S�w�𪬤l�ؿ�A�Υؿ�ӧO���ءC�ϥ� anyone ����r���ΦW�s��]���\������ҨϥΪ̦s��C

�Ҧp�A�p�G�n���\�ΦWŪ��M�j�M�s���� example.com �𪬥ؿ�A�Цb dc=example,dc=com �`�I�W�إߤU�C ACI�G

aci:(version 3.0; acl "anonymous-read-search";
 allow (read, search) userdn = "ldap:///anyone";)

�@��s�� (all ����r)

�i�H�γs���W�h����v���A�Ω󦨥\�s���ӥؿ���H�C�]���Aall ����r���\�Ҧ����ҨϥΪ̦s��C�p���@�ӬJ�i�H���\�@��s��A�P�ɤS�ਾ��ΦW�s��C

�Ҧp�A�p�G�n�N��Ӿ𪬥ؿ�Ū��s��»P�Ҧ����ҨϥΪ̡A�Цb dc=example,dc=com �`�I�W�إߤU�C ACI�G

aci:(version 3.0; acl "all-read"; allow (read)
 userdn="ldap:///all";)

�ۨ��s�� (self ����r)

��w���v�Ωڵ��ϥΪ̦s��L�̦ۤv�����ءC�b�����p�U�A�p�G�s�� DN �ŦX�ؼж��ت� DN�A�K�»P�Ωڵ��s��C

�Ҧp�A�p�G�n���v example.com �𪬥ؿ�Ҧ��ϥΪ̧��i�g�J�s��� userPassword �ݩʡA�Цb dc=example,dc=com �`�I�W�إߤU�C ACI�C

aci:(targetattr = "userPassword") (version 3.0; acl
 "modify own password"; allow (write) userdn = "ldap:///self";)

��ئs�� (parent ����r)

��w�ߦ��s�� DN �O�ؼж��ت���خɡA�~�»P�Ωڵ��ϥΪ̦s��Ӷ��ءC�Ъ`�N�A�����b Server Console ����ʽs�� ACI�A�~��ϥ� parent ����r�C

�Ҧp�A�p�G�n���\�ϥΪ̥i�ק�L�̳s�� DN �����l���ءA�Цb dc=example,dc=com �`�I�W�إߤU�C ACI�G

aci:(version 3.0; acl "parent access";
 allow (write) userdn="ldap:///parent";)

LDAP URL

�i�H�b ACI ���ϥΤU�C�]�t�z�ﾹ�� URL�A�ʺA�a�N�ϥΪ̳]���ؼСG

userdn = "ldap:///<suffix>??sub?(filter)"

�Ҧp�A�ھڤU�C URL�A�ʺA�a���v�Ωڵ� example.com �𪬥ؿ� accounting �P engineering �$䤺�Ҧ��ϥΪ̦s��ؼи귽���v���G

userdn = "ldap:///dc=example,dc=com??sub?(|(ou=eng)(ou=acct))"

�Ƶ�	�b LDAP URL �����n��w�D��W�٩γs���𸹽X�CLDAP URL �û��M�Ω󥻾��A���C

�p�ݸԲӸ�T�A�аѾ\�mDirectory Server Administration Reference�n���� Chapter 6 "LDAP URL Reference"�C

�U�Φr��

�]�i�H�ϥθU�Φr�� (*) ��w�@�ըϥΪ̡C�Ҧp�A��w uid=b*,dc=example,dc=com ���ϥΪ� DN�A�i��ܨ̾ڱz�]�w���v���A�u���\�Ωڵ��s�� DN �O�H b ���}�Y���ϥΪ̪��s���v���C

LDAP URL ���޿� OR

��w�ƭ� LDAP URL ������r�B�⦡�H�إߨϥΪ̦s�����W�h�C�Ҧp�G

userdn = "ldap:///uid=b*,c=example.com ||
 ldap:///cn=b*,dc=example,dc=com";

�P��@ DN �Ҧ��s�����ϥΪ̤��s���W�h�Q���u�C

�ư��S�w LDAP URL

�ϥΤ����� (!=) �B��r�w�q�ư��S�w URL �� DN ���ϥΪ̦s��C�Ҧp�G

userdn != "ldap:///uid=*,ou=Accounting,dc=example,dc=com";

�p�G�Τ�ݤ��O�H accounting �𪬤l�ؿ�H UID ����¦����O�W�٨ӳs���A�h�s���W�h�|�Q�����T�C�u����ؼж��ؤ��b�𪬥ؿ� accounting �$�U�ɡA���s���W�h�~���D�z�C

�w�q�s�զs�� - groupdn ����r

�S�w�s�ժ�����i�s��ؼи귽�F�o�٬��s�զs���C�s�զs��O�� groupdn ����r�w�q�A�H��w�ϥΪ̦p�G���ݩ�S�w�s�ժ� DN �s���A�Y���v�Ωڵ��ӨϥΪ̦s��ؼж��ءC

groupdn ����r�ݭn�ĥΤU�C�榡���@�Φh�Ӹs�աG

groupdn="ldap:///groupDN [|| ldap:///groupDN]..."

�p�G�s�� DN �ݩ��� groupDNs.��w���s�աA�h�s���W�h�|�Q�����T�C�U�`�ϥ� groupdn ����r���ѽd�ҡC

�Ƶ�	�r���b��k�W�� dn �ܭ��n�A�Ҧp�r�������H�ϱ׽u (\) �������C

��@ LDAP URL

groupdn = "ldap:///cn=Administrators,dc=example,dc=com";

�p�G�s�� DN �ݩ� Administrators �s�աA�h�s���W�h�|�Q�����T�C�p�G�n�N��Ӿ𪬥ؿ�g�J�v���»P�� Administrators �s�աA�Цb dc=example,dc=com �`�I�W�إߤU�C ACI�G

aci:(version 3.0; acl "Administrators-write"; allow (write)
 groupdn="ldap:///cn=Administrators,dc=example,dc=com";)

LDAP URL ���޿� OR

groupdn = "ldap:///cn=Administrators,dc=example,dc=com ||
ldap:///cn=Mail Administrators,dc=example,dc=com";

�p�G�s�� DN �ݩ� Administrators �� Mail Administrators �s�աA�h�s���W�h�|�Q�����T�C

�w�q����s�� - roledn ����r

�S�w���⪺����i�s��ؼи귽�F�o�٬�����s���C����s��O�� roledn ����r�w�q�A�H��w�ϥΪ̦p�G���ݩ�S�w���⪺ DN �s���A�Y���v�Ωڵ��ӨϥΪ̦s��ؼж��ءC

roledn ����r�ݭn�ĥΤU�C�榡���@�Φh�Ӧ��Ŀ�O�W�١G

roledn = "ldap:///dn [|| ldap:///dn]...[|| ldap:///dn]"

�p�G�s�� DN �ݩ��w������A�h�s���W�h�|�Q�����T�C

�Ƶ�	�r���b��k�W�� dn �ܭ��n�A�Ҧp�r�������H�ϱ׽u (\) �������C

roledn ����r�P groupdn ����r���y�k�P�Ϊk���@�ˡC

�ھڬ۲ŭȩw�q�s��

�i�H�]�w�s���W�h�A�H��w�Ψӳs���ؿ���ݩʭȥ����P�ؼж��ت��ݩʭȬ۲šC

�Ҧp�A�i�H��w�s�� DN �����P�ϥΪ̶��ؤ� manager �ݩʪ� DN �۲šA�~��M�� ACI�C�b�����p�U�A�u���ϥΪ̪��޲z��i�H�s��Ӷ��ءC

���d�ҬO�ھ� DN �۲ŭȡC�M�ӡA�i�H�N�s�����ҥζ��ت�����ݩʻP�ؼж��ؤ��C�Ҧp�A�i�H�إ� ACI�A���\ favoriteDrink �ݩʬ��ubeer�v�����ϥΪ�Ū��� favoriteDrink �ȬۦP����L�ϥΪ̪��Ҧ����ءC

�ϥ� userattr ����r

userattr ����r�i�Ψӫ�w�s�����ػP�ؼж��ؤ��������۲Ū��ݩʭȡC

�i�H��w�G

�ϥΪ� DN
�s�� DN
���� DN
�b LDAP URL ���� LDAP �z�ﾹ
����ݩ�����

userattr ����r�� LDIF �y�k�p�U�G

userattr = "attrName#bindType"

�Ϊ̡A�p�G�ثe�ϥΪ��ݩ������ݭn���Ȭ��ϥΪ� DN�B�s�� DN�B���� DN �� LDAP �z�ﾹ�H�~���ȡG

userattr = "attrName#attrValue"

�䤤�G

attrName �O�۲ŭȩҥΪ��ݩʦW��
bindType �O USERDN,GROUPDN,ROLEDN,LDAPURL �����@��
attrValue �O�N���ݩʭȪ����r��

�Ƶ�	userattr ����r�����o�ϥΥѪA�����O (CoS) �w�q�Ҳ��ͪ��ݩʡCACI �]�t���s���W�h�Y��M��� CoS �Ҳ��ͪ��ݩʭȡA�h�� ACI �N�L�@�ΡC

�U�C�U�`���� userattr ����r�ϥΦU�ؤ��P�s���������d�ҡC

�ϥ� USERDN �s���������d��

�U�C���P�H�ϥΪ� DN ����¦���s�������p�� userattr ����r�d�ҡG

userattr = "manager#USERDN"

�p�G�s�� DN �P�ؼж��ؤ� manager �ݩʪ��Ȭ۲šA�h�s���W�h�|�Q�����T�C�i�H�ϥγo�ؤ覡���\�ϥΪ̪��޲z��ק��u�ݩʡC�u����ؼж��ؤ��� manager �ݩʪ�ܦ����� DN �ɡA�����~���@�ΡC

�U�C�d�ҷ|���v�޲z��i����s����u���ت��v���G

aci:(target="ldap:///dc=example,dc=com")(targetattr="*")
 (version 3.0;acl "manager-write";
 allow (all) userattr = "manager#USERDN";)

�ϥ� GROUPDN �s���������d��

�U�C���P�H�s�� DN ����¦���s�������p�� userattr ����r�d�ҡG

userattr = "owner#GROUPDN"

�p�G�s�� DN �O�ؼж��� owner �ݩʤ���w���s�զ���A�h�s���W�h�|�Q�����T�C�Ҧp�A�i�H�ϥΦ����H���\�s�պ޲z��u�����A��T�C�i�H�ϥ� owner �H�~���ݩʡA�u�n�ҨϥΪ��ݩʤ��]�t�s�ն��ت� DN�C

�z�ҫ�V���s�եi�H�O�ʺA�s�աA�ӥB�s�ժ� DN �i�H�b�ؿ���=X�U�C�M�ӡA�Ѧ�A�����o�� ACI �|�D�`�ӶO�귽�C

�p�G�ϥλP�ؼж��ئb�P�@�=X�U���R�A�s�աA�i�H�ϥΤU�C�B�⦡�G

userattr = "ldap:///dc=example,dc=com?owner#GROUPDN"

�b���d�Ҥ��A�s�ն��ئ�b dc=example,dc=com �=X�U�C��A���B�z���������y�k���t�׷|��W�@�ӽd�ҧ֡C

�ϥ� ROLEDN �s���������d��

�U�C���P�H���� DN ����¦���s�������p�� userattr ����r�d�ҡG

userattr = "exampleEmployeeReportsTo#ROLEDN"

�p�G�s�� DN �ݩ�ؼж��ت� exampleEmployeeReportsTo �ݩʤ���w������A�h�s���W�h�|�Q�����T�C�Ҧp�A�p�G�����q�����Ҧ��޲z��إ߱_������A�z�i�H�ϥΦ������v�Ҧ����h���޲z��i�s����h��޲z��C����u����T�C

���⪺ DN �i�b�ؿ���=X�U�C���~�A�p�G�z�ϥοz�諸����A���o�� ACI �|�ӥΦ�A���W�j�q���귽�C

�ϥ� LDAPURL �s���������d��

�U�C���P�H LDAP �z�ﾹ����¦���s�������p�� userattr ����r�d�ҡG

userattr = "myfilter#LDAPURL"

�p�G�s�� DN �ŦX�ؼж��ت� myfilter �ݩʤ���w���z�ﾹ�A�h�s���W�h�|�Q�����T�Cmyfilter �ݩʥi�H�ѥ]�t LDAP �z�ﾹ������ݩʨ�N�C

�ϥΥ���ݩʭȪ��d��

�U�C���P�H����ݩʭȬ���¦���s�������p�� userattr ����r�d�ҡG

userattr = "favoriteDrink#Beer"

�p�G�s�� DN �P�ؼ� DN �]�t�� Beer �Ȫ� favoriteDrink �ݩʡA�h�s���W�h�|�Q�����T�C

�b userattr ����r���ϥ��~��

��ϥ� userattr ����r�N�s���ҥζ��ػP�ؼж��ز������p�ɡAACI �u�|�M�Φb��w���ؼСA�Ӥ��|�M�Φb��U�����ءC�b�Y�Ǫ��p�U�A�z�i��Ʊ�N ACI ���M�Υѥؼж��ئV�U����X�Ӽh�šC�u�n�ϥ� parent ����r�A�ë�w�ؼФ��U3�~�� ACI ���h�żơA�N�i�H��o��C

��ϥλPparent ����r�����p�� userattr ����r�ɡA�y�k�p�U�G

userattr = "parent[inheritance_level].attribute#bindType"

�䤤 :

inheritance_level �O�H�r���9j���M��A��ܥؼФ��U���h�ּh�ŭn�~�� ACI�C�i�H�]�t�ؼж��ؤU�� 5 �Ӽh�� [0,1,2,3,4]�A�s (0) �O��ؼж��ءC
attribute �O userattr �� groupattr ����r���ؼ��ݩʡC
bindType �i�� USERDN �� GROUPDN �䤤���@�C�~�Ӥ��䴩 LDAPURL �P ROLEDN �s�������C

�Ҧp�G

userattr = "parent[0,1].manager#USERDN"

�p�G�s�� DN �P�ؼж��ت� manager �ݩʬ۲šA�h�s���W�h�|�Q�����T�C��s���W�h�����T�ɡA�ұ»P���v���|�M�Φb�ؼж����H�����U�@�h���Ҧ����ءC

�ϥ� userattr �~�Ӫ��d��

�U�Ϥ����d�Ҫ�ܤ��\ bjensen �ϥΪ�Ū��P�j�M cn=Profiles ���ءA�H�Υ]�t cn=mail �P cn=news ���Ĥ@�h�l���ءC

�� 6-1 �b userattr ����r���ϥ��~��

�b���d�Ҥ��A�p�G���ϥ��~�ӡA�N�������U�C��@���~����o�P�˪����G�G

��T�a���ؿ� cn=Profiles�Bcn=mail �P cn=news ���ؤW�� bjensen �ϥΪ̳]�wŪ��P�j�M�s��C
�N owner �ݩʩM�U�C�� ACI �[�J cn=mail,cn=Profiles and cn=news,cn=Profiles ���ؤ��G

aci:(targetattr="*") (version 3.0; acl "profiles access"; allow
 (read,search) userattr="owner#USERDN";)

�ϥ� userattr ����r�»P�[�J�v��

�p�G�N userattr ����r�f�t all �� add �v���@�_�ϥΡA�z�i��o�{��A�����B�@�覡�P�w�j��p���۲šC�@��Ө��b�ؿ�إ߷s���خɡADirectory Server �|��إߪ����ئӫD��ص���s���v�Q�C�M�Ӧb�ϥ� userattr ����r�� ACI ���A���B�@�覡�i��y���w���W���|�}�A�]���n�ק��A�����`���B�@�覡�H�קK�����p�o�͡C

�Ы�ҤU�C�d�ҡG

aci:(target="ldap:///dc=example,dc=com")(targetattr="*")
 (version 3.0; acl "manager-write"; allow (all)
 userattr = "manager#USERDN";)

�� ACI �N�޲z���ݭ�u���ت������v�Q�»P�޲z��C��O�A�]���s���v�Q�O�b�إߪ����ؤW���A�o�� ACI �]�|���\����u�إ߶��ءA�ñN manager �ݩʳ]���L�̦ۤv�� DN�C�Ҧp�A���h��������u Joe (cn=Joe,ou=eng,dc=example,dc=com) �i��|�b�𪬥ؿ� Human Resources �$䤤�إ߶��ءA�H�ϥ� (���ݥ�) �»P Human Resources ��u���v���C

�L�i�H�Q�ΫإߤU�C���بӹF�����ت��G

dn:cn= Trojan Horse,ou=Human Resources,dc=example,dc=com
objectclass:top
...
cn:Trojan Horse
manager:cn=Joe,ou=eng,dc=example,dc=com

���קK�o���w���ʫ¯١AACI ���B�z�{�Ǥ��|�b�h�� 0 (�]�N�O���إ���) �»P�[�J�v���A��z�i�H�� parent ����r�»P�{�����ؤU���[�J�v�Q�C�z������w��ؤU�ݭn�[�J�v�Q���h�żơC�Ҧp�A�U�C ACI ���\�� dc=example,dc=com ������󶵥إ[�J�l���ءA�u�n�Ӷ��ئ��ŦX�s�� DN �� manager �ݩʡG

aci:(target="ldap:///dc=example,dc=com")(targetattr="*")
 (version 3.0; acl "parent-access"; allow (add)
 userattr = "parent[0,1].manager#USERDN";)

�� ACI �i�T�O�[�J�v���u�»P��s�� DN �P��ت� manager �ݩʬ۲Ū��ϥΪ̡C

�w�q�ӦۯS�w IP ��}���s��

�ϥγs���W�h�A�i�H��ܳs���@�~�����_���ۯS�w IP ��}�C�o�q�`�Ψӱj����Ҧ��ؿ��s���q��w���q���κ����o�͡C

�]�w�H IP ��}����¦���s���W�h�� LDIF �y�k�p�U�G

ip = "IPaddressList" �� ip != "IPaddressList"

IPaddressList �O�@�i�M��A�H�@�Φh�ӳr���N���$9j�A�䤤�����%i���U�C��@���G

�S�w�� IPv4 ��}�G 123.45.6.7
�ϥθU�Φr���� IPv4 ��}�A�H��w�l���G 12.3.45.*
�ϥΤl���B�n�� IPv4 ��}�Τl���G 123.45.6.*+255.255.255.115
��󦳮Į榡�� IPv6 ��}�A��榡�w�q�� RFC 2373 (http://www.ietf.org/rfc/rfc2373.txt)�C�U�C��}�ۦP�G
12AB:0000:0000:CD30:0000:0000:0000:0000
12AB::CD30:0:0:0:0
12AB:0:0:CD30::
IPv6 ��}�Ψ�l���r����סG12AB::CD30:0:0:0:0/60

�p�G�s��ؿ�Τ�ݦ�b�R�W�� IP ��}���A�h�s���W�h�|�Q�����T�C�o���u���\�q�S�w�l���ιq���i��Y�إؿ�s��Ө��O�D�`���ΡC�ӦۨϥΪ����Ҫ� IP ��}�i�ण�O���T���A�]���L�k���H��C�ФŨ̳o�ظ�T�M�w ACI�C

�q Server Console �W�A�i�H�z�L [�s���s�边] �w�q�n�M�� ACI ���S�w�q���C�p�ݸԲӸ�T�A�аѾ\�u�ϥΥD���x�إ� ACI�v�C

�w�q�ӦۯS�w��쪺�s��

�s���W�h�i�H��w�s���@�~�����_���ۯS�w���ΥD��q���C�o�q�`�Ψӱj����Ҧ��ؿ��s���q��w���q���κ����o�͡C

�]�w�H DNS �D��W�٬���¦���s���W�h�� LDIF �y�k�p�U�G

dns = "DNS_Hostname" �� dns != "DNS_Hostname"

�p��	dns ����r�n�D�z���q���W�����ϥ� DNS �W�٪A�ȡC�p�G�W�٪A�Ȥ��O DNS�A�z3�ӧ�� ip ����r�C

dns ����r�ݭn�����X�� DNS ���W�١C�Y�»P�D��s���v�A�o����w���A�|�y����b���w���ʫ¯١C�Ҧp�A�U�C�B�⦡��M�i�Q���\�A��ä���ij�z�p�����G

dns = "legend.eng";

3�ӨϥΧ����X��W�١A�Ҧp�G

dns = "legend.eng.example.com";

dns ����r���\�U�Φr���C�Ҧp�G

dns = "*.example.com";

�p�G�s��ؿ�Τ�ݦ�b�R�W�����A�h�s���W�h�|�Q�����T�C�o���u���\�q�S�w���i��s��D�`���ΡC�Ъ`�N�A�p�G�t�ΨϥΪ��W�٪A�ȨëD DNS �A�h�U�Φr���N�L�@�ΡC�b�o�ر��p�U�A�p�G�n����s��S�w���A�Шϥ� ip ����r�A�p�u�w�q�ӦۯS�w IP ��}���s��v���ҭz�C

�w�q��S�w�ɶ��Τ�fs��

�i�H�γs���W�h��w�s���u��o�ͦb�@�Ѥ����Y�Ӯɶ��A�Τ@�P�j��Y�@�ѡC�Ҧp�A�i�H�]�w�@��W�h�A�u���\�b�P�d@��P�d����W�� 8 �I��U�� 5 �I�����i��s��C�Ψӵ��s���v�Q���ɶ��O�ؿ��A���W���ɶ��A�ӫD�Τ�ݤW���ɶ��C

�]�w�H�@�Ѥ��Y�@�ɬq����¦���s���W�h�� LDIF �y�k�p�U�G

timeofday operator "time"

�䤤 operator �i���U�C�Ÿ����@�G���� (=)�B������ !=}�B�j�� (>)�B�j��ε��� (>=)�B�p�� <} �Τp��ε��� (<=)�C�H�|��ƪ��24�p�ɮɶ��榡���ɼƻP���� (0 �� 2359)�C�Ҧp�G

�p�G�Τ�ݦb�t�ή�����ܤ��Ȯɪ����@���fs��ؿ�A�h timeofday = "1200"; ���u�C
�b���W 1 �I�H�~���ɶ��s��Atimeofday != "0100"; ���u�C
�q���W 8:01 ��U�� 11:59 �����s��Atimeofday > "0800"; ���u�C
�q���W 8:00 ��U�� 11:59 �����s��Atimeofday > "0800"; ���u�C
�q���W 12:00:00 ��U�� 5:59 �����s��Atimeofday < "1800"; ���u�C

�Ƶ�	��A���W���ɶ��P��eΩ��� timeofday �M dayofweek �s���W�h�A�Ӥ��O�Τ�ݤW���ɶ��C

�]�w�H�@�P�d��Y�Ѭ���¦���s���W�h�� LDIF �y�k�p�U�G

dayofweek = "day1, day2 ..."

dayofweek ����r�i�઺�Ȭ��@�P�d��U�Ѫ��T�ӭ^��r���Y�g�Gsun�Bmon�Btue�Bwed�Bthu�Bfri�Bsat�C��w�z�Q�n�»P�s���v���Ҧ���aA�Ҧp�G

dayofweek = "Mon, Tue, Wed, Thu, Fri";

�p�G�b�C�X���䤤�@�Ӥ�fs��ؿ�A�h�s���W�h���u�C

�w�q�H���Ҥ�k����¦���s��

�i�H�]�w�s���W�h�A���Τ�ݥ����ϥίS�w���Ҥ�k�s����ؿ�C�i�Ϊ����Ҥ�k�p�U�G

None - ���ݭn���ҡC�o�O�w�]�ȡA�N��ΦW�s��C
Simple - �Τ�ݥ������ѨϥΪ̦W�ٻP�K�X�~��s����ؿ�C
SSL - �Τ�ݥ����z�L�w���q�T�ݶ��h (SSL) �ζǿ�h�w���� (TLS) �s�u�~��s����ؿ�C

�Y�O SSL�A�s�u�����إߨ� LDAPS �ĤG�ӳs����F�Y�O TLS�A�s�u�����z�L Start TLS �@�~�إߡC�o��ت��p���������Ѿ��ҡC�p�ݳ]�w SSL ����T�A�аѾ\�� 11 ���u�޲z���ҩM�[�K�v�C

SASL - �Τ�ݥ����z�L�Ҧp DIGEST-MD5 �� GSSAPI ��²�����ҤΦw�����h (SASL) ���~��s����ؿ�C

�z�L�k�z�L [�s���s�边] �]�w�H���Ҭ���¦���s���W�h�C

�]�w�H���Ҥ�k����¦���s���W�h�� LDIF �y�k�p�U�G

authmethod = "authentication_method"

�䤤 authentication_method �O none�Bsimple�Bssl �� sasl sasl_mechanism�C�Ҧp�G

�d��

�U�C�O authmethod ����r���d�ҡG

authmethod = "none"; �s���W�h���v����|�ˬd���ҡC
authmethod = "simple"; �p�G�Τ�ݨϥΨϥΪ̦W�ٻP�K�X�s��ؿ�A�h�s���W�h�����T�C
authmethod = "ssl"; �p�G�Τ�ݨϥγz�L LDAPS �����Ҧs��ؿ�A�h�s���W�h�|�Q�����T�C�p�G�Τ�ݨϥγz�L LDAPS ��²������ (�s�� DN �P�K�X) �i�����ҡA�N���|�����T�C
authmethod = "sasl DIGEST-MD5"; �p�G�Τ�ݨϥ� SASL DIGEST-MD5 ���s��ؿ�A�h�s���W�h�����T�C��L�䴩�� SASL �� EXTERNAL (�Ҧ����x) �M GSSAPI (�ȭ��� Solaris �t��)�C

�ϥΥ��L�s���W�h

�s���W�h�i�H�O�ϥΥ��L�B�⦡ AND�BOR �P NOT ������B�⦡�A�H�]�w�D�`��T���s��W�h�C�z�L�k�ϥ� Server Console �إߥ��L�s���W�h�A�z�����إ� LDIF ���z���C

���L�s���W�h�� LDIF �y�k�p�U�G

bindRule [boolean][bindRule][boolean][bindRule]...;)

�Ҧp�A�p�G�s�� DN �O�t�κ޲z��s�թζl��޲z��s�ժ�����A�ӥB�Τ�ݬO�q example.com ��줺�����A�h�U�C�s���W�h�����T�G

(groupdn = "ldap:///cn=administrators,dc=example,dc=com" or
groupdn = "ldap:///cn=mail administrators,dc=example,dc=com" and
dns = "*.example.com";)

��󵲧3B���8� (;) �O���n���9j�r���A�����X�{�b�̫᪺�s���W�h��C

���L�B�⦡�����Ǧp�U�G

�̤�����̥~�����A���B�⦡�Ĥ@�u��
�Ҧ��B�⦡�ѥ���k
NOT �u��� AND �� OR �B��l

���L OR �P���L AND �B��l�S���u��ǡC

�Ы�ҤU�C���L�s���W�h�G

(bindRule_A) OR (bindRule_B)

(bindRule_B) OR (bindRule_A)

�]�����L�B�⦡�O�ѥ���k���A�ҥH�b�Ĥ@�ӽd�Ҥ��A�|����s���W�h A�A�A���s���W�h B�A�Ӧb�ĤG�ӽd�Ҥ��A�h����s���W�h B�A�A���s���W�h A�C

��O���L NOT �|�b���L OR �P���L AND ���e ���C�]���A�b�U�C�d�Ҥ��G

(bind_rule_A) AND NOT (bind_rule_B)

�|����s���W�h B�A�A���s���W�h A�A�Ӥ��z�|�ѥ���k���W�h�C

---

�q��O��إ� ACI

�z�i�H�ϥ� LDIF ���z����ʫإߦs����O�A�å� ldapmodify ��O�N���̥[�J��z���𪬥ؿ�C�]�� ACI �ȥi��D�`����A�z�̦n�˵�{�����ȡA�M��ƻs�_��0�z�إ߷s���ȡC

�˵� aci �ݩʭ�

�t���x�s ACI �@�����ؤW aci �ݩʪ��@�Φh�ӭȡCaci �ݩʬO�h���Ⱦާ@�ݩʡA�ؿ�ϥΪ̥iŪ��P�ק惡�ݩʡA�Ӧ��ݩʥ������ ACI �O�@�C�޲z�ϥΪ̳q�`�� aci �ݩʾ֦�����s���v�A�ӥB�i�ϥΤU�C�䤤�@�ؤ覡�˵�䤺�e�C

�i�H�b [�зǽs�边] ���˵� aci �ݩʭȡA�N�p�P����L�Ȥ@��C�b Directory Server Console �̤W�h�� [�ؿ�] ���ҤW�A�H�ƹ��k���@�U�� ACI �����ءA�ÿ�� [�H�зǽs�边�s��] �\��?�ءC��O�Aaci �ȳq�`�O��r��A���e��b����ܤ���˵�P�s��C

�]���A�i�H�אּ�b�𪬥ؿ�ؤW��@�U�ƹ��k��A�A��� [�]�w�s���v��] �\��?�إH�Ұ� [�s���s�边]�C��� ACI ���@�U [�s��]�A�A��@�U [��ʽs��]�A�Y�i�˵��3�� aci �ȡC�ǥѦb ACI ����ʻP��ı�ƽs�边�����t��A�i��� aci �Ȫ��y�k�P��պA�C

�p�G�z���@�~�t�Τ��\�A�z�i�H�q [�зǽs�边] �� [��ʦs���s�边] ���ƻs aci �ȡA�ñN���K�J�z�� LDIF �ɮסC�޲z�ϥΪ̤]�i�H���U�C ldapsearch ��O���˵�ت� aci �ݩʡG

ldapsearch -h host -p port -D "cn=Directory Manager" -w password \
             -b entryDN -s base "(objectclass=*)" aci

���ͪ����G�O�z�i�H�K�J�s�� LDIF ACI �w�q�H�i��s�誺 LDIF ��r�C�]�� ACI ���ȬO��r��A�ҥH ldapsearch �ާ@�W����X�i����ܦb�Ʀ�W�A�t���@���s��аO���Ĥ@�ӪŮ�C�ƻs�M�K�W LDIF ��X�ɱN���C�J�Ҽ{�C

�Ƶ�	�Y�n�˵� aci �ȹ�»P�Ωڵ��v���Ҳ��ͪ��v�T�A�аѾ\�u�˵���v�Q�v�C

---

�ϥΥD���x�إ� ACI

�i�H�t�m Directory Server Console �H��ܥؿ���Ƕ��ؾ֦� aci �ݩʡC���Ψ���� [�˵�] > [���] > [ACI �p��] �\���ﶵ�A�i�t�����ܡC�̤W�h [�ؿ�] ���Ҥ����M�涵�ثK�|���[�W�� aci �ݩʤ��w�w�q�� ACI �ƥءA���۱z�i�H�ϥ� Directory Server Console �˵�B�إߡB�s��P�R���ؿ�s����O�C

�p�� Directory Server �w���ʬF�����`�Ϊ��s���W�h���X�A�H�Ψϥ� Directory Server Console �إ߳o�dzW�h���B�J������A�аѾ\�u�s���Ϊk�d�ҡv�C

[�s���s�边] �L�k��z�b [��ı��] �s��Ҧ����غc������ ACI�C�ר�O�A�z�L�k�q [�s���s�边] ���G

�ڵ��s�� (�аѾ\�u�v���y�k�v�v)
�إߥH�Ȭ���¦�� ACI (�аѾ\�u�ϥ� LDAP �z�ﾹ�N�ݩʭȳ]���ؼСv)
�w�q��ئs�� (�аѾ\�u��ئs�� (parent ����r)�v)
�إߥ]�t���L�s���W�h�� ACI (�аѾ\�u�ϥΥ��L�s���W�h�v)
�j�P�W�A�إߨϥΤU�C����r�� ACI�Groledn, userattr, authmethod

����	�b [�s���s�边] ���A�i�H�H�ɫ�@�U [��ʽs��] ��s�A�ˬd�z�L�ϧΤ����Ұ�椧�ܧ� LDIF ��ܪk�C

�˵�ت� ACI

�b Directory Server Console �̤W�h�� [�ؿ�] ���ҤW�A�s��𪬥ؿ�A�H��ܭn�]�w�s�����ءC�����㦳�ؿ�t�κ޲z��Υؿ�޲z���v���~��s�� ACI�C
�H�ƹ��k���@�U���ءA�æb����\��?��� [�]�w�s���v��]�C�Ϊ̡A�H�ƹ������@�U���إH���ءA�A��� [����] �\��?�� [�]�w�s���v��]�C

�X�{�p�U�ϩҥܪ� [�s���޲z] ��ܤ��C�Ϥ��C�X�b����ؤW�w�q���Ҧ� ACI ���y�z�A�åi��z�i��s��A�β�����A�إ߷s���y�z�C

�� 6-2 [�s���޲z] ��ܤ��



��� [����~�Ӫ� ACI] �֨���C�X�Q���ؤ���ةҩw�q���Ҧ� ACI�A�H�ήM�Ψ춵�ت� ACI�C�~�Ӫ� ACI �L�k�Q�s��β����A�z�����b�w�q�� ACI �����ؤW�i��޲z�C

��@�U [�s�W] �b�����Ψ��Ӿ𪬤l�ؿ�W�w�q�s���s���v���C�X�{�p�� 6-3 �ҥܪ� [ACI �s�边]�C

�� 6-3 [ACI �s�边] ��ܤ��

��ܤ��W�誺 ACI �W�٬O�X�{�b [�s���޲z] ��ܤ��� ACI �y�z�C�]���y�z�ʪ� ACI �W�ٷ|�Ͼ�ӥؿ� ACI ���e��޲z�A�ר�b�˵��ؤW�~�Ӫ� ACI �ɡC

[�s���s�边] ���U�Ӽ��ҥi��z��w�Q�»P�Ωڵ��s��ϥΪ̡B�s��ξD����ؼСA�H�ζi���ѼơA�Ҧp���\���D��W�ٻP�@�~�ɬq���C�p����� [�s���] ���Ҥ��ӧO��쪺�ԲӸ�ơA�аѾ\�u�W����C

[ACI �s�边] ���U�Ӽ��Ҭ� ACI �Ȫ����e���ѹϧ���ܡC��@�U [��ʽs��] ��s�i�d�� ACI �ȨåΤ�r�覡�i��s��C�b��r�s�边���A�i�H�w�q�L�k�z�L���ҩw�q���i�� ACI�C��O�@���s�� ACI �Ȥ���A�Y�����ϥζi���\��A���@�˥i��A�]�L�k�H��ı�覡�s�� ACI�C

�إ߷s�� ACI

��� [�s���s�边]�C

���u�@�b�u�˵�ت� ACI�v��������C

�p�G��ܪ��˵�P�� 6-3 ���P�A�Ы�@�U [��ı�ƽs��] ��s�C

�b [ACI �W��] ��r����J�W�١A�� ACI �R�W�C

�W�٥i�H�O���r��A�H�Ω�ߤ@�ѧO�� ACI�C�p�G����J�W�١A��A���|�ϥ� unnamed ACI�C

�b [�ϥΪ�/�s��] ���Ҥ��A�ǥѤϥ���� [�����ϥΪ�]�A�Ϋ�@�U [�[�J] ��s�b�ؿ�j�M�n�[�J���ϥΪ̡A�H���n�»P�s���v���ϥΪ̡C

�b [�[�J�ϥΪ̩M�s��] ���G

�q�U�Ԧ��M�椤���@�ӷj�M�ϰ�A�b [�j�M] ��줤��J�j�M�r��A�A��@�U [�j�M] ��s�C

�j�M���G�|��ܦb�U�誺�M�椤�C

�ϥ���ܷj�M���G�M�椤�z�n�����ءA�A��@�U [�[�J] ��s�N���إ[�J�֦��s���v�������زM�椤�C
��@�U [�T�w] �h�X [�[�J�ϥΪ̩M�s��] ��C

�z����ز{�b�|�C�b ACI �s�边�� [�ϥΪ�/�s��] ���ҤW�C

�b [�s���s�边] ���A��@�U [�v�Q] ���ҡA�A�ϥή֨�����n�»P���v�Q�C
��@�U [�ؼ�] ���ҡA�A��@�U [������] �H��ܧ@�� ACI �ؼЪ��`�I�C

�i�H�ܧ�ؼ� DN ���ȡA��s�� DN �����O���ت������ζ����l���C

�p�G���n�N���`�I�U�𪬤l�ؿ�C�@�Ӷ��س��@�� ACI ���ؼСA�z�����b [�l���ت��z�ﾹ] ��줤��J�z�ﾹ�C

���~�A�i�H�b�ݩʲM�椤���n�@���ؼЪ��ݩʡA�N ACI ���d�򭭨�b�Y���ݩʡC

��@�U [�D��] ���ҡA�A��@�U [�[�J] �H��� [�[�J�D��z�ﾹ] ��ܤ��C

�i�H��w�D��W�٩� IP ��}�C�p�G��w IP ��}�A�h�i�H�ϥθU�Φr�� (*)�C

��@�U [�ɶ�] ���ҥH��ܪ��A�C�X���\�s��ɬq�C

�̹w�]�ȡA�H�ɳ����\�s��C�i�H�b���W��@�U�é즲��СA�H�ܧ�s��ɬq�F�z�L�k��ܤ��s�򪺮ɬq�C

��z�����s�� ACI ��A��@�U [�T�w]�C

�h�X ACI �s�边�A�s�� ACI �|�C�b [ACI �޲z��] ���C

�Ƶ�	�b�إ� ACI �v��A�i�H�H�ɫ�@�U [��ʽs��] �H��ܻP�z����J��3�� LDIF ���z���C�i�H�ק惡���z���A��Ұ����ܧ󥼥��|��ܦb�ϧΤ����W�C

�s�� ACI

�Y�n�s�� ACI�G

�� [�ؿ�] ���ҤW�A�b�𪬤l�ؿ�ݶ��ؤW��@�U�ƹ��k��A�A�ѧ���\��?��� [�]�w�s���v��]�C

��� [�s���޲z��] ��C�ӵ�]�t�ݩ󶵥ت� ACI �M��C

�b [�s���޲z��] ���A�ϥ���ܭn�s�誺 ACI�A�A��@�U [�s��]�C

��� [�s���s�边]�C�p�����i�Φ���ܤ��s���T���ԲӸ�ơA�аѾ\�u�W����C

�b [�s���s�边] ���U�Ӽ��Ҥ��i��z�n���ܧ�C
��z�����s�� ACI ��A��@�U [�T�w]�C

�h�X ACI �s�边�A�Q�ק諸 ACI �|�C�b [ACI �޲z��] ���C

�R�� ACI

�Y�n�R�� ACI�G

�� [�ؿ�] ���ҤW�A�b�𪬤l�ؿ�ݶ��ؤW��@�U�ƹ��k��A�A�ѧ���\��?��� [�]�w�s���v��]�C

��� [�s���޲z��] ��C�ӵ�]�t�ݩ󶵥ت� ACI �M��C

�b [�s���޲z��] ���A���n�R���� ACI�C
��@�U [����]�C

[�s���޲z��] �����A�C�ܸ� ACI�C

---

�s���Ϊk�d��

���`�����d�ұN����@�a�Q���� ISP ���q example.com �p�����s�����C�Ҧ��d�ҳ��|���&p��q�D���x�Ψϥ� LDIF �ɮװ���w���u�@�C

example.com ���~�Ȥ��e�O���Ѻ�N�ުA�Ȥκ�ں��s��Cexample.com ��N�ަ�����A�ȬO�x�s�Τ�ݤ��q���ؿ�C��ڤW�Aexample.com �x�s Company333 �P Company999 �o��a�������q���ؿ�A�ít�d���:޲z�u�@�C�������~�A���]���\�h�ӤH�q�ᴣ�Ѻ�ں��s��C

�H�U�O example.com �Ʊ��檺�s���W�h�G

�N��� example.com �𪬥ؿ�Ū��B�j�M�P���ΦW�s���v���»P�� example.com ��u (�аѾ\�u�»P�ΦW�s��v)�C
�N�g�J�s���v���»P�� example.com ��u�A�H��o homeTelephoneNumber�BhomeAddress �o���ӤH��T (�аѾ\�u���v�i�g�J�s��ӤH���ءv)�C
���v example.com ��u�i�b�䶵�ؤ��[�J��󨤦�A��Y�ǭ��n���Ⱓ�~ (�аѾ\�u����s��n����v)�C
�N People �$䤤���ت��Ҧ��v�Q�»P�� example.com Human Resources �s�� (�аѾ\�u�»P�=X���s�է���s��v)�C
���v�Ҧ� example.com ��u�i�b�ؿ� Social Committee �$�U�إ߸s�ն��ءA�H�Υi�R����֦����s�ն��� (�аѾ\�u�»P�[�J�P�R���s�ն��ت��v�Q�v)�C
���v�Ҧ� example.com ��u�i�N�L�̦ۤv�[�J�ؿ� Social Committee �$�U (�аѾ\�u���\�ϥΪ̦b�s�դ��[�J�β����L�̦ۤv�v)�C
���v Company333 �P Company999 ���ؿ�޲z�� (����) �i�'O�s��𪬥ؿ�U�۪��$�A����a�Y�DZ��A�Ҧp SSL ���ҡB�ɶ��P��m���Ϋ�w��m�� (�аѾ\�u�N��󦡦s��»P�s�թΨ���v)�C
���v�ӧO�q��i�s��L�̦ۤv������ (�аѾ\�u���v�i�g�J�s��ӤH���ءv)�C
�ڵ��ӧO�q��s��L�̦ۤv���ؤ����b���T (�аѾ\�u�ڵ��s��v)�C
���v�����@�ɥi�ΦW�s��ӧO�q��𪬤l�ؿ�A��w�S�O�n�D���C�W���q�ᰣ�~�C(�ؿ�o�ӳ��%i�H�O��󨾤���~�B�C�ѧ�s�@�����q�ݦ�A���C)�аѾ\�u�»P�ΦW�s��v�P�u�ϥοz�ﾹ�]�w�ؼСv�C

�»P�ΦW�s��

�j���%ؿ�B�@�覡�O�z�ܤ֥i�H�ΦW�s��@�ӧ=X�A�i��Ū��B�j�M�Τ��C�Ҧp�A�p�G���@�ӥi�ѭ�u�j�M�����q�H�ƥؿ� (�Ҧp�q��ï)�A�z�N�i��Ʊ�]�w�o���v���Cexample.com �����N�O�o�˪����p�A�o�|�b ACI "Anonymous example.com" �d�Ҥ�����C

�@���@�� ISP�Aexample.com �]�n�إߥi�ѥ��@�ɦs���}�q��ï�A�H���i�Ҧ��q�᪺�p����T�C�o�|�b ACI "Anonymous World"�d�Ҥ��ѻ��C

ACI "Anonymous example.com"

�b LDIF ���A�Y�n�N��� example.com �𪬥ؿ�Ū��B�j�M�P����v���»P example.com ��u�A�м��g�U�C���z���G

aci:(targetattr !="userPassword")(version 3.0; acl "Anonymous
 example"; allow (read, search, compare)
 userdn= "ldap:///anyone" and dns="*.example.com";)

���d�Ұ��]�N aci �[�J�� dc=example,dc=com ���ءC�Ъ`�N�AuserPassword �ݩʤ��b ACI ���d�򤺡C

�i���U�C�@�~�A�q�D���x�]�w���v���G

�� [�ؿ�] ���ҤW�A�b���s��𪬥ؿ� example.com �`�I�W��@�U�ƹ��k��A�A��ܧ��㦡�\��? [�]�w�s���v��] �H��� [�s���޲z��]�C
��@�U [�s�W] ��� [�s���s�边]�C
�b [�ϥΪ�/�s��] ���ҤW�� [ACI �W��] ��줤�A��J [Anonymous example.com]�C���ˬd [�����ϥΪ�] �w�g��ܦb�»P�s���v�����ϥΪ̲M�椤�C
�b [�v�Q] ���ҤW�A�Ŀ�Ū��B���P�j�M�v�Q���֨���C�нT�{�w�g�M����L���֨���C
�b [�ؼ�] ���ҤW�A��@�U [������]�A�� dc=example,dc=com �=X�b�ؼХؿ����줤��ܡC�b�ݩʪ?��� userPassword �ݩʡA�òM����3���֨���C

3�ӤĿ�Ҧ���L���֨���C�p�G��@�U [�W��] ���Y�A�N�ݩʲM��̦r�6��DZƦC�A�h�o���u�@�|���e��i��C

�b [�D��] ���ҤW��@�U [�[�J]�A�æb DNS �D��z�ﾹ��줤��J *.example.com�C��@�U [�T�w] �h�X��ܤ��C
�b [�s���s�边] ����@�U [�T�w]�C

�N�s�� ACI �[�J�� [�s���޲z��] ���ҦC�ܪ� ACI ���C

ACI "Anonymous World"

�b LDIF ���A�Y�n�N�ӧO�q��𪬤l�ؿ�Ū��P�j�M�s��»P���@�ɡA�P�ɩڵ��s��C�W�q�᪺��T�A�z�i�H���g�U�C���z���G

aci:(targetfilter= "(!(unlistedSubscriber=yes))")
 (targetattr="homePostalAddress || homePhone || mail")
 (version 3.0; acl "Anonymous World"; allow (read, search)
 userdn="ldap:///anyone";)

���d�Ұ��]�N ACI �[�J�� ou=subscribers,dc=example, dc=com ���ءC�ð��]�C�ӭq�ᶵ�س��� unlistedSubscriber �ݩʡA�ӥB�]�� yes �� no�C�ؼЩw�q�|�ھڦ��ݩʭȿz�ﱼ���C�W���q��C�p�����z�ﾹ�w�q���ԲӸ�ơA�аѾ\�u�ϥοz�ﾹ�]�w�ؼСv�C

�i���U�C�@�~�A�q�D���x�]�w���v���G

�� [�ؿ�] ���ҤW�A�b���s��𪬥ؿ� example.com �`�I�U�� [ñ�p��] ���ؤW��@�U�ƹ��k��A�A��ܧ���\��?�� [�]�w�s���v��] �H��� [�s���޲z��]�C
��@�U [�s�W] ��� [�s���s�边]�C
�b [�ϥΪ�/�s��] ���ҤW�� [ACI �W��] ��줤�A��J [Anonymous World]�C���ˬd [�����ϥΪ�] �w�g��ܦb�»P�s���v�����ϥΪ̲M�椤�C
�b [�v�Q] ���ҤW�A�Ŀ�Ū��P�j�M�v�Q���֨���C�нT�{�w�g�M����L���֨���C
�b [�ؼ�] ���ҤW�A��@�U [������]�A�� dc=subscribers, dc=example,dc=com �=X�b�ؼХؿ����줤��ܡC
�b���n������쪺�z�ﾹ���A��J�U�C���G

(!(unlistedSubscriber=yes))

�b�ݩʪ?�A�Ŀ� homePhone�BhomePostalAddress �� mail �ݩʪ��֨���C

3�ӲM���Ҧ���L���֨���C�Y�n��u�@��[�e��A�Ы�@�U [��������] ��s�A�K�|�M����椤�Ҧ��ݩʪ��֨���A�M���@�U [�W��] ���Y�̦r�6��ǥ[�H��´�A�A�������ݩʡC

��@�U�u�T�w�v�C

�N�s�� ACI �[�J�� [�s���޲z��] ���ҦC�ܪ� ACI ���C

���v�i�g�J�s��ӤH����

�\�h�ؿ�޲z��Ʊ椹�\�����ϥΪ��ܧ�L�ۤv���*��ݩʡA��O�����ݩʡCexample.com ���ؿ�޲z��Ʊ椹�\�ϥΪ��ܧ�L�̦ۤv���K�X�B��a�q�ܸ��X�Φ�a�a�}�A�������~�������\�C�o�|�b ACI "Write example.com"�d�Ҥ��ѻ��C

example.com ���F���]���\�q���s example.com �𪬥ؿ�L�̦ۤv���ӤH��T�A�e���O�����P�ؿ�إ� SSL �s�u�C�o�|�b ACI "Write Subscribers"�d�Ҥ��ѻ��C

ACI "Write example.com"

�Ƶ�	�ǥѳ]�w���v���A�z�]�i�H�»P�ϥΪ̧R���ݩʭȪ��v�Q�C

�b LDIF ���A�Y�n���v example.com ��u�i��s��K�X�B��a�q�ܸ��X�Φ�a�a�}�A�м��g�U�C���z���G

aci:(targetattr="userPassword || homePhone ||
 homePostalAddress")(version 3.0; acl "Write example.com";
 allow (write) userdn="ldap:///self" and dns="*.example.com";)

���d�Ұ��]�N ACI �[�J ou=People,dc=example,dc=com ���ءC

�i���U�C�@�~�A�q�D���x�]�w���v���G

�� [�ؿ�] ���ҤW�A�b���s��𪬥ؿ� ou=People,dc=example,dc=com ���ؤW��@�U�ƹ��k��A�A��ܧ��㦡�\��? [�]�w�s���v��] �H��� [�s���޲z��]�C
��@�U [�s�W] ��� [�s���s�边]�C
�b [�ϥΪ�/�s��] ���ҤW�� [ACI �W��] ��줤�A��J [Write example.com]�C�Цb�»P�s���v�����ϥΪ̲M�椤�A���U�C�@�~�G
���ò��� [�����ϥΪ�]�A�M���@�U [�[�J]�C

��� [�[�J�ϥΪ̩M�s��] ��ܤ��C

�N [�j�M] �ϰ�]�w�� [�S�v]�A�ÿ�� [�j�M] ���G�M�椤�� [�ۨ�]�C
��@�U [�[�J] ��s�A�b�»P�s���v�����ϥΪ̲M�椤�C�� [�ۨ�]�C
��@�U [�T�w] �h�X [�[�J�ϥΪ̩M�s��] ��ܤ��C
�b [�v�Q] ���ҤW�A�Ŀ�g�J�v�Q���֨���C�нT�{�w�g�M����L���֨���C
�b [�ؼ�] ���ҤW�A��@�U [������]�A�b�ؼХؿ����줤��J ou=People,dc=example,dc=com�C�b�ݩʪ?�A�Ŀ� homePhone�BhomePostalAddress �P userPassword �ݩʪ��֨���C

3�ӲM���Ҧ���L���֨���C�Y�n��u�@��[�e��A�Ы�@�U [��������] ��s�A�K�|�M����椤�Ҧ��ݩʪ��֨���A�M���@�U [�W��] ���Y�̦r�6��ǥ[�H��´�A�A�������ݩʡC

�b [�D��] ���ҤW�A��@�U [�[�J] ��� [�[�J�D��z�ﾹ] ��ܤ��C�b DNS �D��z�ﾹ��줤�A��J *.example.com�C��@�U [�T�w] �h�X��ܤ��C
�b [�s���s�边] ����@�U [�T�w]�C

�N�s�� ACI �[�J�� [�s���޲z��] ���ҦC�ܪ� ACI ���C

ACI "Write Subscribers"

�Ƶ�	�ǥѳ]�w���v���A�z�]�i�H�»P�ϥΪ̧R���ݩʭȪ��v�Q�C

�b LDIF ���A�Y�n���v example.com �q��i��s��K�X�P��a�q�ܸ��X�A�м��g�U�C���z���G

aci:(targetattr="userPassword || homePhone")
 (version 3.0; acl "Write Subscribers"; allow (write)
 userdn= "ldap://self" and authmethod="ssl";)

���d�Ұ��]�N aci �[�J�� ou=subscribers,dc=example, dc=com ���ءC

�Ъ`�N�Aexample.com �q�����a�a�}�S���g�J�s��A�]���L�̥i��|�R�����ݩʡA�� example.com �ݭn�o����T�~��B�z�b��C�]���A��a�a�}�O����~�ȸ�T�C

�i���U�C�@�~�A�q�D���x�]�w���v���G

�� [�ؿ�] ���ҤW�A�b���s��𪬥ؿ� example.com �`�I�U�� [ñ�p��] ���ؤW��@�U�ƹ��k��A�A��ܧ���\��?�� [�]�w�s���v��] �H��� [�s���޲z��]�C
��@�U [�s�W] ��� [�s���s�边]�C
�b [�ϥΪ�/�s��] ���ҤW�� [ACI �W��] ��줤�A��J [Write Subscribers]�C�Цb�»P�s���v�����ϥΪ̲M�椤�A���U�C�@�~�G
���ò��� [�����ϥΪ�]�A�M���@�U [�[�J]�C

��� [�[�J�ϥΪ̩M�s��] ��ܤ��C

�N [�j�M] �ϰ�]�w�� [�S�v]�A�ÿ�� [�j�M] ���G�M�椤�� [�ۨ�]�C
��@�U [�[�J] ��s�A�b�»P�s���v�����ϥΪ̲M�椤�C�� [�ۨ�]�C
��@�U [�T�w] �h�X [�[�J�ϥΪ̩M�s��] ��ܤ��C
�b [�v�Q] ���ҤW�A�Ŀ�n�g�J���֨���C�нT�{�w�g�M����L���֨���C
�b [�ؼ�] ���ҤW�A��@�U [������]�A�� dc=subscribers, dc=example,dc=com �=X�b�ؼХؿ����줤��ܡC
�b���n������쪺�z�ﾹ���A��J�U�C���G

(!(unlistedSubscriber=yes))

�b�ݩʪ?�A�Ŀ� homePhone�BhomePostalAddress �� mail �ݩʪ��֨���C

3�ӲM���Ҧ���L���֨���C�Y�n��u�@��[�e��A�Ы�@�U [��������] ��s�A�K�|�M����椤�Ҧ��ݩʪ��֨���A�M���@�U [�W��] ���Y�̦r�6��ǥ[�H��´�A�A�������ݩʡC

�p�G�Ʊ�ϥΪ̨ϥ� SSL �i�����ҡA�Ы�@�U [��ʽs��] ��s�H�t����ʽs��Ҧ��A�ñN authmethod=ssl �[�J LDIF ���z���A�Ϩ�p�U�G

(targetattr="homePostalAddress || homePhone || mail")
 (version 3.0; acl "Write Subscribers"; allow (write)
 (userdn= "ldap:///self") and authmethod="ssl";)

�Ъ`�N�o�O�@�Ӥ3ΥH�K��Ū��s���C

��@�U�u�T�w�v�C

�N�s�� ACI �[�J�� [�s���޲z��] ���ҦC�ܪ� ACI ���C

����s��n����

�i�H�b�ؿ�ϥΨ���w�q�A�H�ѧO��~�ȡB���P�ؿ�޲z�Ψ�L�γ~�㦳����v�T���\��C

�Ҧp�A�z�i�H�إߤ@�� superAdmin ����A���ѧO���q���y�U�a������A��S�w��nɶ��i���ѪA�Ȫ��t�κ޲z��l���C�Ϊ̡A�i�H�إߤ@�� First Aid ����A�]�t�S�w��W�w������ϰV�m���Ҧ��u�@�H��C�p�����إߨ���w�q����T�A�аѾ\�u���v�C

�?��|�ﭫ�n�����q�η~�ȥ\���P���S�?�ϥΪ��v���ɡA3�ӦҼ{����s��Ө���C�Ҧp�A�b example.com ���A��u�i�H�b�L�̦ۤv�����ؤ��[�J��󨤦�A�� superAdmin ���Ⱓ�~�C�o�|�b ACI "Roles"�d�Ҥ��ѻ��C

ACI "Roles"

�b LDIF ���A�Y�n���v example.com ��u�i�b�L�̦ۤv�����ؤ��[�J superAdmin ����H�~����󨤦�A�м��g�U�C���z���G

aci:(targetattr="*") (targattrfilters="add=nsRoleDN:
 (nsRoleDN !="cn=superAdmin, dc=example, dc=com")")
 (version 3.0; acl "Roles"; allow (write)
 userdn= "ldap:///self" and dns="*.example.com";)

���d�Ұ��]�N ACI �[�J ou=People,dc=example, dc=com ���ءC

�i���U�C�@�~�A�q�D���x�]�w���v���G

�� [�ؿ�] ���ҤW�A�b���s��𪬥ؿ� example.com �`�I�W��@�U�ƹ��k��A�A��ܧ��㦡�\��? [�]�w�s���v��] �H��� [�s���޲z��]�C
��@�U [�s�W] ��� [�s���s�边]�C
�b [�ϥΪ�/�s��] ���ҤW�� [ACI �W��] ��줤�A��J [Roles]�C�Цb�»P�s���v�����ϥΪ̲M�椤�A���U�C�@�~�G
���ò��� [�����ϥΪ�]�A�M���@�U [�[�J]�C

��� [�[�J�ϥΪ̩M�s��] ��ܤ��C

�N [�[�J�ϥΪ̩M�s��] ��ܤ��� [�j�M] �ϰ�]�w�� [�S�v]�A�ÿ�� [�j�M] ���G�M�椤�� [�ۨ�]�C
��@�U [�[�J] ��s�A�b�»P�s���v�����ϥΪ̲M�椤�C�� [�ۨ�]�C
��@�U [�T�w] �h�X [�[�J�ϥΪ̩M�s��] ��ܤ��C
�b [�v�Q] ���ҤW�A�Ŀ�n�g�J���֨���C�нT�{�w�g�M����L���֨���C
�b [�D��] ���ҤW�A��@�U [�[�J] ��� [�[�J�D��z�ﾹ] ��ܤ��C�b DNS �D��z�ﾹ��줤�A��J *.example.com�C��@�U [�T�w] �h�X��ܤ��C
�Y�n������إߥH�Ȭ���¦���z�ﾹ�A�Ы�@�U [��ʽs��] ��s�H�t����ʽs��Ҧ��C�N�U�C�[�J LDIF ���z�����}�Y�G

(targattrfilters="add=nsRoleDN:
 (nsRoleDN != "cn=superAdmin, dc=example,dc=com")")

LDIF ���z��3�Ӧp�U�G

(targetattr="*") (targattrfilters="add=nsRoleDN:
 (nsRoleDN != "cn=superAdmin, dc=example,dc=com")")
 (target = "ldap:///dc=example,dc=com")
 (version 3.0; acl "Roles"; allow (write)
 (userdn = "ldap:///self") and (dns="*.example.com");)

��@�U�u�T�w�v�C

�N�s�� ACI �[�J�� [�s���޲z��] ���ҦC�ܪ� ACI ���C

�»P�=X���s�է���s��

�j���%ؿ�|���@�Ӹs�եΨ��ѧO�Y�Ǥ��q�\��C�o�Ǹs�եi��o�ؿ�����γ��*�����s���v�C�ǥѦb�s�դW�M�Φs���v�Q�A�z�i�H�קK���C�Ӧ���ӧO�]�w�s���v�Q�F�u�n�N�ϥΪ̥[�J�s�աA�Y�i²��a�N�o�Ǧs���v�Q�»P�ϥΪ̡C

�Ҧp�A�ϥ� [�@��w��] �B�z�Ǧw�� Directory Server �ɡA�K�|�w�]�إߤ@�ӹ�ؿ�֦�����s�� Administrators �s�աC

�b example.com ���AHuman Resources �s�եi����s��ؿ� ou=People �$�A�ϥL�̯���s��u�ؿ�C�o�|�b ACI "HR"�d�Ҥ��ѻ��C

ACI "HR"

�b LDIF ���A�Y�n�N�ؿ� employee �$䪺�����v�Q�»P HR �s�աA�ШϥΤU�C���z���G

aci:(targetattr="*") (version 3.0; acl "HR"; allow (all)
 userdn= "ldap:///cn=HRgroup,ou=People,dc=example,dc=com";)

���d�Ұ��]�N ACI �[�J ou=People,dc=example,dc=com ���ءC

�i���U�C�@�~�A�q�D���x�]�w���v���G

�� [�ؿ�] ���ҤW�A�b���s��𪬥ؿ� example.com �`�I�U�� example.com-people ���ؤW��@�U�ƹ��k��A�A��ܧ���\��?�� [�]�w�s���v��] �H��� [�s���޲z��]�C
��@�U [�s�W] ��� [�s���s�边]�C
�b [�ϥΪ�/�s��] ���ҤW�� [ACI �W��] ��줤�A��J [HR]�C�Цb�»P�s���v�����ϥΪ̲M�椤�A���U�C�@�~�G
���ò��� [�����ϥΪ�]�A�M���@�U [�[�J]�C

��� [�[�J�ϥΪ̩M�s��] ��ܤ��C

�N [�j�M] �ϰ�]�� [�ϥΪ̻P�s��]�A�æb [�j�M] ��줤��J [Hrgroup]�C

���d�Ұ��]�z�w�إ� HR �s�թΨ���C�p�����s�ջP���⪺�ԲӸ�T�A�аѾ\�� 5 ���u�޲z����M����v�C

��@�U [�[�J] ��s�A�N HR �s�զC�b�Q�»P�s���v�����ϥΪ̲M�椤�C
��@�U [�T�w] �h�X [�[�J�ϥΪ̩M�s��] ��ܤ��C
�b [�v�Q] ���ҤW�A��@�U [����] ��s�C

���F�N�z�v�Q�~�A3�ӤĿ�Ҧ��֨���C

��@�U�u�T�w�v�C

�N�s�� ACI �[�J�� [�s���޲z��] ���ҦC�ܪ� ACI ���C

�»P�[�J�P�R���s�ն��ت��v�Q

�p�G�i�����u�@�IJv�A�μW�i���q�ʤO�A���Dz�´�|�Ʊ椹�\��u�b�𪬥ؿ�إ߶��ءC

�H example.com ���ҡA���q���@�Ӭ��D���%�e��|�A���e��|��´���X�Ӫ9ΡG��y�!B��a�!B�Ƴ��!B�t�*5��C��� example.com ��u���i�H�إߥN��s�9Ϊ��s�ն��ءC�o�|�b ACI "Create Group"�d�Ҥ��ѻ��C��� example.com ��u���i�H�����o�Ǹs�ժ�����C�o�|�b�u���\�ϥΪ̦b�s�դ��[�J�β����L�̦ۤv�U�� ACI "Group Members"�d�Ҥ��ѻ��C�u���s�վ֦��̥i�ק�ΧR���s�ն��ءC�o�|�b ACI "Delete Group"�d�Ҥ��ѻ��C

ACI "Create Group"

�b LDIF ���A�Y�n���v example.com ��u�i�b ou=Social Committee �$�U�إ߸s�ն��ءA�м��g�U�C���z���G

aci:(target="ldap:///ou=social committee,dc=example,dc=com")
 (targetattr="*")(targattrfilters="add=objectClass:
 (|(objectClass=groupOfNames)(objectClass=top))")
 (version 3.0; acl "Create Group"; allow (read,search,add)
 userdn= "ldap:///uid=*,ou=People,dc=example,dc=com")
 and dns="*.example.com";)

�Ƶ�	�� ACI ���»P�g�J�v���A�]�N�O���ثإߪ̵L�k�קﶵ�ءC �]����A�����K�a�[�J�ȡutop�v�A�z�����b targattrfilters ����r����w objectclass=top�C

���d�Ұ��]�N ACI �[�J�� ou=social committee, dc=example,dc=com ���ءC

�i���U�C�@�~�A�q�D���x�]�w���v���G

�� [�ؿ�] ���ҤW�A�b���s��𪬥ؿ� example.com �`�I�U�� Social Committee ���ؤW��@�U�ƹ��k��A�A��ܧ���\��?�� [�]�w�s���v��] �H��� [�s���޲z��]�C
��@�U [�s�W] ��� [�s���s�边]�C
�b [�ϥΪ�/�s��] ���ҤW�� [ACI �W��] ��줤�A��J [Create Group]�C�Цb�»P�s���v�����ϥΪ̲M�椤�A���U�C�@�~�G
���ò��� [�����ϥΪ�]�A�M���@�U [�[�J]�C

��� [�[�J�ϥΪ̩M�s��] ��ܤ��C

�N [�j�M] �ϰ�]�w�� [�S�v]�A�ÿ�� [�j�M] ���G�M�椤�� [�Ҧ��w���Ҫ��ϥΪ�]�C
��@�U [�[�J] ��s�A�� [�Ҧ��w���Ҫ��ϥΪ�] �b�»P�s���v�����ϥΪ̲M�椤�C�X�C
��@�U [�T�w] �h�X [�[�J�ϥΪ̩M�s��] ��ܤ��C
�b [�v�Q] ���ҤW�A�Ŀ�Ū��B�j�M�P�[�J���֨���C�нT�{�w�g�M����L���֨���C
�b [�ؼ�] ���ҤW�A��@�U [������]�A�� ou=social committee, dc=example,dc=com �=X�b�ؼХؿ����줤��ܡC
�b [�D��] ���ҤW�A��@�U [�[�J] ��� [�[�J�D��z�ﾹ] ��ܤ��C�b DNS �D��z�ﾹ��줤�A��J *.example.com�C��@�U [�T�w] �h�X��ܤ��C
�Y�n�إߥH�Ȭ���¦���z�ﾹ�A���u�u��b���𪬤l�ؿ�[�J�s�ն��ءA�Ы�@�U [��ʽs��] ��s�H�t����ʽs��Ҧ��C�N�U�C�[�J LDIF ���z�����}�Y�G

(targattrfilters="add=objectClass:(objectClass=groupOfNames)
 |(objectClass=top)")

LDIF ���z��3�Ӧp�U�G

(targetattr = "*") (targattrfilters="add=objectClass:(objectClass=groupOfNames)
 |(objectClass=top)") (target="ldap:///ou=social  committee,dc=example,dc=com) (version 3.0; acl "Create Group";
 allow (read,search,add) (userdn= "ldap:///all") and
 (dns="*.example.com"); )

��@�U�u�T�w�v�C

�N�s�� ACI �[�J�� [�s���޲z��] ���ҦC�ܪ� ACI ���C

ACI "Delete Group"

�b LDIF ���A�Y�n���v example.com ��u�i�ק�ΧR�� ou=Social Committee �$�U�L�̩Ҿ֦����s�ն��ءA�м��g�U�C���z���G

aci:(target="ou=social committee,dc=example,dc=com)
 (targetattr = "*")
 (targattrfilters="del=objectClass:(objectClass=groupOfNames)")
 (version 3.0; acl "Delete Group"; allow (write,delete)
 userattr="owner#GROUPDN";)

���d�Ұ��]�N aci �[�J�� ou=social committee, dc=example,dc=com ���ءC

�إߦ� ACI �ɡA�ϥΥD���x�ä��O���Ĥ�k�A�]���z�N�����ϥΤ�ʽs��Ҧ��إߥؼпz�ﾹ�A���ˬd�s�վ֦��v�C

�N��󦡦s��»P�s�թΨ���

�b�\�h���p���A��z�N�ؿ�s���v���»P�s�թΨ���ɡA�z�Ʊ�T�{�o���v�����O�@�A���|��I�J�̫_�γQ���v���ϥΪ̡C�]���A�b�\�h���p���A�N���n�s���v�»P���s�թΨ��⪺�s���W�h�������a�\�h���C

�|�Ҩӻ��Aexample.com �w�����N�ު� Company333 �P Company999 ��a���q�U�إߤ@�ӥؿ�޲z���C���Ʊ�o�Ǥ��q���޲z���̦ۤv����ơA�ð�楦�̦ۤv���s���W�h�A�P�ɤS��T�O����I�J�̤z�Z�C���o�ӭ�]�ACompany333 �P Company999 ��𪬥ؿ�U�۪��$�֦������v�Q�A��ŦX�U�C���G

�ϥγz�L SSL �����ҳq�L���Ҫ��s�u
�n�D�b�P�d@��P�e|�W�� 8 �I��U�� 6 �I�����s��A�B
�n�D�q�C�a���q��w�� IP ��}�s��C

�o�DZ��C�b�C�a���q����@ ACI ���A�'O�O ACI "Company333" �P ACI "Company999"�C�]���o��� ACI �����e�ۦP�A�U�C�d�Ҷȸѻ� "Company333" ACI�C

ACI "Company333"

�b LDIF ���A�Y�n���v Company333 �i�b�W�z���U����s��ؿ�̦ۤv���$�A�м��g�U�C���z���G

aci:(target="ou=Company333,ou=corporate-clients,dc=example,dc=com")
 (targetattr = "*") (version 3.0; acl "Company333"; allow (all)
 (roledn="ldap:///cn=DirectoryAdmin,ou=Company333,
 ou=corporate-clients,dc=example,dc=com") and (authmethod="ssl")
 and (dayofweek="Mon,Tues,Wed,Thu") and (timeofday >= "0800" and
 timeofday <= "1800") and (ip="255.255.123.234"); )

���d�Ұ��]�N ACI �[�J�� ou=Company333, ou=corporate-clients,dc=example,dc=com ���ءC

�i���U�C�@�~�A�q�D���x�]�w���v���G

�� [�ؿ�] ���ҤW�A�b���s��𪬥ؿ� example.com �`�I�U�� Company333 ���ؤW��@�U�ƹ��k��A�A��ܧ���\��?�� [�]�w�s���v��] �H��� [�s���޲z��]�C
��@�U [�s�W] ��� [�s���s�边]�C
�b [�ϥΪ�/�s��] ���ҤW�� [ACI �W��] ��줤�A��J [Company333]�C�Цb�»P�s���v�����ϥΪ̲M�椤�A���U�C�@�~�G
���ò��� [�����ϥΪ�]�A�M���@�U [�[�J]�C

��� [�[�J�ϥΪ̩M�s��] ��ܤ��C

�N [�j�M] �ϰ�]�� [�ϥΪ̻P�s��]�A�æb [�j�M] ��줤��J [DirectoryAdmin]�C

���d�Ұ��]�z�w�� DirectoryAdmin �� cn �إߤ@�Өt�κ޲z���C

��@�U [�[�J] ��s�A�N�t�κ޲z���C�b�Q�»P�s���v�����ϥΪ̲M�椤�C
��@�U [�T�w] �h�X [�[�J�ϥΪ̩M�s��] ��ܤ��C
�b [�v�Q] ���ҤW�A��@�U [����] ��s�C
�b [�ؼ�] ���ҤW�A��@�U [������]�A�� ou=Company333,ou=corporate-clients,dc=example,dc=com �=X�b�ؼХؿ����줤��ܡC
�b [�D��] ���ҤW�A��@�U [�[�J] ��� [�[�J�D��z�ﾹ] ��ܤ��C�b [IP ��}�D��z�ﾹ] ��줤��J 255.255.123.234�C��@�U [�T�w] �h�X��ܤ��C

IP ��}�����O�D��q���W���Ī� IP ��}�ACompany333 �t�κ޲z��ϥΦ���}�s�u�� example.com �ؿ�C

�b [�ɶ�] ���ҤW�A��ܹ�3��P�d@��P�e|�H�ΤW�� 8 �I��U�� 6 �I���ɬq�C

���U��|�X�{�T���A��w�z�w���ɬq�C

�Y�n��Ӧ� Company333 �t�κ޲z��s�u�j���� SSL ���ҡA�Ы�@�U [��ʽs��] ��s�H�t����ʽs��Ҧ��C�N�U�C�[�J LDIF ���z�����=X�G

and (authmethod="ssl")

LDIF ���z��3����G

aci:(targetattr = "*")(target="ou=Company333,
 ou=corporate-clients,dc=example,dc=com") (version 3.0; acl
 "Company333"; allow (all) (roledn="ldap:///cn=DirectoryAdmin,
 ou=Company333,ou=corporate-clients, dc=example,dc=com") and
 (dayofweek="Mon,Tues,Wed,Thu") and (timeofday >= "0800" and
 timeofday <= "1800") and (ip="255.255.123.234") and
 (authmethod="ssl"); )

��@�U�u�T�w�v�C

�N�s�� ACI �[�J�� [�s���޲z��] ���ҦC�ܪ� ACI ���C

�ڵ��s��

�p�G�ؿ��x�s����~�ȸ�T�A�z�i��Ʊ�S�O�a�ڵ���s��C

�Ҧp�Aexample.com �Ʊ�Ҧ��q����d�ݨ䶵�ؤU���b���T (�p�s�u�ɶ��αb��l�B)�A���T�ڵ��g�J�s��Ӹ�T�C�o�|�'O�b ACI "Billing Info Read"�P ACI "Billing Info Deny"���ѻ��C

ACI "Billing Info Read"

�b LDIF ���A�Y�n���v�q��iŪ��L�̦ۤv���ؤ����b���T�A�м��g�U�C���z���G

aci:(targetattr="connectionTime || accountBalance")
 (version 3.0; acl "Billing Info Read"; allow (search,read)
 userdn="ldap:///self";)

���d�Ұ��]�w�g�b���c���إ߬����ݩʡA�ӥB�N ACI �[�J�� ou=subscribers,dc=example,dc=com ���ءC

�i���U�C�@�~�A�q�D���x�]�w���v���G

�� [�ؿ�] ���ҤW�A�b���s��𪬥ؿ� example.com �`�I�Uñ�p�̶��ؤW��@�U�ƹ��k��A�A��ܧ���\��?�� [�]�w�s���v��] �H��� [�s���޲z��]�C
��@�U [�s�W] ��� [�s���s�边]�C
�b [�ϥΪ�/�s��] ���ҤW�� [ACI �W��] ��줤�A��J [Billing Info Read]�C�Цb�»P�s���v�����ϥΪ̲M�椤�A���U�C�@�~�G
���ò��� [�����ϥΪ�]�A�M���@�U [�[�J]�C

��� [�[�J�ϥΪ̩M�s��] ��ܤ��C

�N [�[�J�ϥΪ̩M�s��] ��ܤ��� [�j�M] �ϰ�]�w�� [�S�v]�A�ÿ�� [�j�M] ���G�M�椤�� [�ۨ�]�C
��@�U [�[�J] ��s�A�b�»P�s���v�����ϥΪ̲M�椤�C�� [�ۨ�]�C
��@�U [�T�w] �h�X [�[�J�ϥΪ̩M�s��] ��ܤ��C
�b [�v�Q] ���ҤW�A�Ŀ�j�M�PŪ���v�Q���֨���C�нT�{�w�g�M����L���֨���C
�b [�ؼ�] ���ҤW�A��@�U [������]�A�� ou=subscribers, dc=example,dc=com �=X�b�ؼХؿ����줤��� �C�b�ݩʪ?�A�Ŀ� connectionTime �M accountBalance �ݩʪ��֨���C

3�ӲM���Ҧ���L���֨���C�Y�n��u�@��[�e��A�Ы�@�U [��������] ��s�A�K�|�M����椤�Ҧ��ݩʪ��֨���A�M���@�U [�W��] ���Y�̦r�6��ǥ[�H��´�A�A�������ݩʡC

���d�Ұ��]�z�w�g�N connectionTime �M accountBalance �ݩʥ[�J�ܵ��c�C

��@�U�u�T�w�v�C

�N�s�� ACI �[�J�� [�s���޲z��] ���ҦC�ܪ� ACI ���C

ACI "Billing Info Deny"

�b LDIF ���A�Y�n�ڵ��q��i�ק�L�̦ۤv���ؤ��b���T���v���A�м��g�U�C���z���G

aci:(targetattr="connectionTime || accountBalance")
 (version 3.0; acl "Billing Info Deny";
 deny (write) userdn="ldap:///self";)

���d�Ұ��]�w�g�b���c���إ߬����ݩʡA�ӥB�N ACI �[�J�� ou=subscribers,dc=example,dc=com ���ءC

�i���U�C�@�~�A�q�D���x�]�w���v���G

�� [�ؿ�] ���ҤW�A�b���s��𪬥ؿ� example.com �`�I�Uñ�p�̶��ؤW��@�U�ƹ��k��A�A��ܧ���\��?�� [�]�w�s���v��] �H��� [�s���޲z��]�C
��@�U [�s�W] ��� [�s���s�边]�C
�b [�ϥΪ�/�s��] ���ҤW�� [ACI �W��] ��줤�A��J [Billing Info Deny]�C�Цb�»P�s���v�����ϥΪ̲M�椤�A���U�C�@�~�G
���ò��� [�����ϥΪ�]�A�M���@�U [�[�J]�C

��� [�[�J�ϥΪ̩M�s��] ��ܤ��C

�N [�[�J�ϥΪ̩M�s��] ��ܤ��� [�j�M] �ϰ�]�w�� [�S�v]�A�ÿ�� [�j�M] ���G�M�椤�� [�ۨ�]�C
��@�U [�[�J] ��s�A�b�»P�s���v�����ϥΪ̲M�椤�C�� [�ۨ�]�C
��@�U [�T�w] �h�X [�[�J�ϥΪ̩M�s��] ��ܤ��C
�b [�v�Q] ���ҤW�A�Ŀ�n�g�J���֨���C�нT�{�w�g�M����L���֨���C
��@�U [��ʽs��] ��s�A�æb��ܪ� LDIF ���z�����A�N allow �ܧ� deny�C
�b [�ؼ�] ���ҤW�A��@�U [������]�A�� ou=subscribers, dc=example,dc=com �=X�b�ؼХؿ����줤��� �C�b�ݩʪ?�A�Ŀ� connectionTime �M accountBalance �ݩʪ��֨���C

3�ӲM���Ҧ���L���֨���C�Y�n��u�@��[�e��A�Ы�@�U [��������] ��s�A�K�|�M����椤�Ҧ��ݩʪ��֨���A�M���@�U [�W��] ���Y�̦r�6��ǥ[�H��´�A�A�������ݩʡC

���d�Ұ��]�z�w�g�N connectionTime �M accountBalance �ݩʥ[�J�ܵ��c�C

��@�U�u�T�w�v�C

�N�s�� ACI �[�J�� [�s���޲z��] ���ҦC�ܪ� ACI ���C

�ϥοz�ﾹ�]�w�ؼ�

�p�G�n�]�w�s���A�H���\�s��G�ؿ�U�B���\�h���ءA�z�i��Ʊ�ϥοz�ﾹ�ӳ]�w�ؼСC�аO��A�]���j�M�z�ﾹ��������w�z�n�޲z�s����W�١A�ҥH�ܮe��p�ߤ��\�Ωڵ��s���~������A�ר��ؿ��ܱo�V����ɶV�M�I�C���~�A�z�ﾹ�i����z���e�����Ƹѥؿ�o�ͪ��s�����D�C

���\�ϥΪ̦b�s�դ��[�J�β����L�̦ۤv

�\�h�ؿ�|�]�w ACI�A�H���\�ϥΪ̦b�s�դ��[�J�β����L�̦ۤv�C�|�Ҩӻ��A�o��󤹳\�ϥΪ̦b�l��M�椤�[�J�β����L�̦ۤv�Ө��O�D�`���ΡC

�b example.com ���A��u�i�H�N�L�̦ۤv�[�J�� ou=social committee �𪬤l�ؿ�U�����s�ն��ؤ��C�o�|�b ACI "Group Members"�d�Ҥ��ѻ��C

ACI "Group Members"

�b LDIF ���A�Y�n���v example.com ��u�i�b�s�դ��[�J�ΧR���L�̦ۤv�A�м��g�U�C���z���G

aci:(targettattr="member")(version 3.0; acl "Group Members";
 allow (selfwrite)
 (userdn= "ldap:///uid=*,ou=People,dc=example,dc=com") ;)

���d�Ұ��]�N ACI �[�J�� ou=social committee, dc=example,dc=com ���ءC

�i���U�C�@�~�A�q�D���x�]�w���v���G

�� [�ؿ�] ���ҤW�A�b���s��𪬥ؿ� example.com �`�I�U�� People ���ؤW��@�U�ƹ��k��A�A��ܧ���\��?�� [�]�w�s���v��] �H��� [�s���޲z��]�C
��@�U [�s�W] ��� [�s���s�边]�C
�b [�ϥΪ�/�s��] ���ҤW�� [ACI �W��] ��줤�A��J [Group Members]�C�Цb�»P�s���v�����ϥΪ̲M�椤�A���U�C�@�~�G
���ò��� [�����ϥΪ�]�A�M���@�U [�[�J]�C

��� [�[�J�ϥΪ̩M�s��] ��ܤ��C

�N [�[�J�ϥΪ̩M�s��] ��ܤ��� [�j�M] �ϰ�]�w�� [�S�v]�A�ÿ�� [�j�M] ���G�M�椤�� [�Ҧ��w���Ҫ��ϥΪ�]�C
��@�U [�[�J] ��s�A�� [�Ҧ��w���Ҫ��ϥΪ�] �b�»P�s���v�����ϥΪ̲M�椤�C�X�C
��@�U [�T�w] �h�X [�[�J�ϥΪ̩M�s��] ��ܤ��C
�b [�v�Q] ���ҤW�A�Ŀ�ۼg���֨���C�нT�{�w�g�M����L���֨���C
�b [�ؼ�] ���ҤW�A�b�ؼХؿ����줤��J dc=example,dc=com �=X�C�b�ݩʪ?�A�Ŀ� member �ݩʪ��֨���C

3�ӲM���Ҧ���L���֨���C�Y�n��u�@��[�e��A�Ы�@�U [��������] ��s�A�K�|�M����椤�Ҧ��ݩʪ��֨���A�M���@�U [�W��] ���Y�̦r�6��ǥ[�H��´�A�A�������ݩʡC

��@�U�u�T�w�v�C

�N�s�� ACI �[�J�� [�s���޲z��] ���ҦC�ܪ� ACI ���C

�w�q�t���r���� DN ���v��

�]�t�r���� DN �b�z�� LDIF ACI ���z�����ݭn�S�O�B�z�C�b ACI ���z�����ؼлP�s���W�h���$��A�r�������H�@�Ӥϱ׽u (\) �������C�U�C�d�Ҹѻ����y�k�G

dn:o=example.com Bolivia\, S.A.
objectClass:top
objectClass:organization
aci:(target="ldap:///o=example.com Bolivia\,S.A.")
 (targetattr="*") (version 3.0; acl "aci 2"; allow (all)
 groupdn = "ldap:///cn=Directory Administrators,
 o=example.com Bolivia\, S.A.";)

�N�z���� ACI �d��

�N�z���Ҥ�k�O�@�دS��Φ������ҡG�ϥΦۤv������s����ؿ�ϥΪ̷|�z�L�N�z������o��L�ϥΪ̪��v�Q�C

���d�Ұ��]�G

�Τ��3�ε{�����s�� DN �O uid=MoneyWizAcctSoftware, ou=Applications,dc=example,dc=com�C
�Τ��3�ε{���n�D�s��ؼо𪬤l�ؿ�O ou=Accounting,dc=example,dc=com�C
�֦��s���v���� Accounting �޲z��w�g�s�b��ؿ� ou=Accounting,dc=example,dc=com �𪬤l�ؿ�C

���F��Τ��3�ε{�����s�� Accounting �𪬤l�ؿ� (�ϥλP Accounting �޲z��ۦP���s���v��)�G

Accounting �޲z���� ou=Accounting,dc=example,dc=com �𪬤l�ؿ�֦��s���v���C�Ҧp�A�U�C ACI �|�N�Ҧ��v�Q�»P Accounting �޲z��ءG

aci:(target="ldap:///ou=Accounting,dc=example,dc=com")
 (targetattr="*") (version 3.0; acl "allowAll-AcctAdmin"; allow
 (all) userdn="ldap:///dn:uid=AcctAdministrator,ou=Administrators,
 dc=example,dc=com";)

�ؿ�����U�C�N�N�z�v�Q�»P�Τ��3�ε{���� ACI�G

aci:(target="ldap:///ou=Accounting,dc=example,dc=com")
 (targetattr="*") (version 3.0; acl "allowproxy-
 accountingsoftware"; allow (proxy) userdn=
 "ldap:///dn:uid=MoneyWizAcctSoftware,ou=Applications,
 dc=example,dc=com";)

�]�w�� ACI ��AMoneyWizAcctSoftware �Τ��3�ε{���i�s����ؿ�A�öǰe ldapsearch �� ldapmodify �o�@���ݭn�N�z DN ���s���v�Q�� LDAP ��O�C

�b�H�W�d�Ҥ��A�p�G�Τ�ݧƱ��� ldapsearch ��O�A�ӫ�O�|�]�t�U�C����G

ldapsearch \
-D "uid=MoneyWizAcctSoftware,ou=Applications,dc=example,dc=com" \
-w password\
-y "uid=AcctAdministrator,ou=Administrators,dc=example,dc=com"\ ...

�Ъ`�N�A�Τ�ݥH�����s���A����o�N�z���ت��v���C�Τ�ݤ��ݭn�N�z���ت��K�X�C

�Ƶ�	�z����ϥΥؿ�޲z�� DN �����N�z DN�A�]����N�N�z�v�Q�»P�ؿ�޲z��C���Ȧp���A�p�G Directory Server �b�P�@�ӳs���@�~������h�ӥN�z���ұ���A�K�|�Ǧ^��~���Τ��3�ε{���A�ӥB�s���xդ��|���\�C

---

�˵���v�Q

���@�ؿ�ت��s���ɡA�Y���D�z�w�q�� ACI ��w���ʦ���v�T�O���Ϊ��CDirectory Server �i��z���{�� ACI�A�æ^��b��w���ؤW�»P��w�ϥΪ̪������v�Q�C

Directory Server �^3�i��]�t�b�j�M�@�~�� [��o�����v�Q] ����C��������^3�O�b�j�M���G���Ǧ^����ػP�ݩʪ������v�Q��T�C�o���B�~����T�]�A�C�Ӷ��ةM�C�Ӷ��ؤ��C���ݩʪ��g�J�v���C�t�κ޲z��i�n�D�j�M�ҥγs�� DN �Υ�N DN ���v���A��t�κ޲z�����եؿ�ϥΪ̪��v���C

�p��	�˵���v�Q�����O�ؿ�@�~�A3�Ө��O�@�ð��A�?����C�Ь� aclRights �P aclRightsInfo �ݩʫإ߶i�@�B�� ACI�A�H����ؿ�ϥΪ̹�o����T���s��C

�����v�Q�\��ݭn�̾a LDAP ����C�Y�n�˵��챵�=X�������v�Q�A�z�����b�챵�������ҥΦ�����A�p�u�t�m�챵�����v���ҭz�C�z�]�����T�O�Ψӳs�����ݦ�A�����N�z����]���\�s����v�Q�ݩʡC

�ϥΨ�o�����v�Q���

�ϥ� ldapsearch ��O�P -J "1.3.6.1.4.1.42.2.27.9.5.2" �ﶵ�H��w [��o�����v�Q] ����C�̹w�]�ȡA����N�b�j�M���G���Ǧ^���ػP�ݩʤW�s�� DN ���ت������v�Q�C�ШϥΤU�C�ﶵ�ܧ�w�]���欰�G

-c "dn:DN" - �j�M���G�|��ܥΫ�w DN �s�����ϥΪ̪������v�Q�C���ﶵ���\�޲z���ˬd�t�@�ӨϥΪ̪������v�Q�C�ﶵ -c "dn:"�N��ܰΦW���Ҫ������v�Q�C
-X "attributeName ..." - �j�M���G�]�|�]�t��W�ݩʪ������v�Q�C�ШϥΦ��ﶵ��w���X�{�b�j�M���G�����ݩʡC�Ҧp�A�ϥΦ��ﶵ�M�w�ϥΪ̬O�_���v���[�J�ثe���s�b���ؤ����ݩʡC

�Y�ϥ� -c �P -X �ݩʤ���@���A�ΦP�ɨϥΨ�̮ɡA�h�t�� [��o�����v�Q] ����� OID �㦳 -J �ﶵ�A�]�����ݭn��w�C�p�G�z��w�����v�Q����� NULL �ȡA�h�^��ثe�ϥΪ̪��v���M�H�ثe ldapsearch �ާ@�Ǧ^���ݩʻP���ت��v���C

���۱z������ܭn�˵��T�����A�i��O²���v�Q�A�άO���&p��»P�Ωڵ��o���v�Q���ԲӰO���T�C��T�������'O�ѥ[�J aclRights �� aclRightsInfo �ӨM�w�A�@���j�M���G���Ǧ^���ݩʡC�i�H�n�D����ݩʳ�������������v�Q��T�A��M²���v�Q����T�|�b�ԲӰO���T��������ܡC

�Ƶ�	aclRights �P aclRightsInfo �ݩʾ֦����'@�~�ݩʪ��欰�C���̤��s�b�ؿ�A�ӥB���D��T�n�D�A�_�h�]���|�Ǧ^�C�o���ݩʬO Directory Server �b�^3 [��o�����v�Q] ����ɩҲ��ͪ��C ���o�ӭ�]�A�o����ݩʳ�����Ω�z�ﾹ�Υ��������j�M�@�~�C

�����v�Q�\���~�Ө�L�ѼơA�ӳo�ǰѼƷ|�v�T�Ӧ۱Ұʷj�M�@�~���ϥΪ̤��s��� (�Ҧp���Ҥ�k�B���}�M�W��)�C

�U�C�d�ҥܽd�ϥΪ̦p���˵�L�b�ؿ��v�Q�C�b���G���A1 ��ܱ»P�v���A0 ��ܩڵ��v���G

ldapsearch -J "1.3.6.1.4.1.42.2.27.9.5.2" \
           -h rousseau.example.com -p 389 \
           -D "uid=cfuente,ou=People,dc=example,dc=com" \
           -w password -b "dc=example,dc=com" \
           "(objectclass=*)" aclRights

dn:dc=example,dc=com
aclRights;entryLevel:add:0,delete:0,read:1,write:0,proxy:0

dn:ou=Groups, dc=example,dc=com
aclRights;entryLevel:add:0,delete:0,read:1,write:0,proxy:0

dn:ou=People, dc=example,dc=com
aclRights;entryLevel:add:0,delete:0,read:1,write:0,proxy:0

dn:cn=Accounting Managers,ou=groups,dc=example,dc=com
aclRights;entryLevel:add:0,delete:0,read:1,write:0,proxy:0

dn:cn=HR Managers,ou=groups,dc=example,dc=com
aclRights;entryLevel:add:0,delete:0,read:1,write:0,proxy:0

dn:uid=bjensen,ou=People, dc=example,dc=com
aclRights;entryLevel:add:0,delete:0,read:1,write:0,proxy:0

dn:uid=cfuente, ou=People, dc=example,dc=com
aclRights;entryLevel:add:0,delete:0,read:1,write:1,proxy:0

�����G�i�D Carla Fuente�A�o�b�ؿ�ܤ־֦�Ū��s���ءA�H�Φo�i�H�ק�o�ۤv�����ءC�����v�Q������|��L���`���s���v���A�ҥH�ϥΪ̵����|�ݨ�L�S��Ū���v�������ءC�b�U�C�d�Ҥ��A�ؿ�޲z��i�H�ݨ� Carla Fuente �S��Ū���v�������ءG

ldapsearch -h rousseau.example.com -p 389 \
           -D "cn=Directory Manager" -w password \
           -c "dn:uid=cfuente,ou=People,dc=example,dc=com" \
           -b "dc=example,dc=com" \
           "(objectclass=*)" aclRights

dn:dc=example,dc=com
aclRights;entryLevel:add:0,delete:0,read:1,write:0,proxy:0

dn:ou=Groups, dc=example,dc=com
aclRights;entryLevel:add:0,delete:0,read:1,write:0,proxy:0

dn:cn=Directory Administrators, dc=example,dc=com
aclRights;entryLevel:add:0,delete:0,read:0,write:0,proxy:0

dn:ou=Special Users,dc=example,dc=com
aclRights;entryLevel:add:0,delete:0,read:0,write:0,proxy:0

dn:ou=People, dc=example,dc=com
aclRights;entryLevel:add:0,delete:0,read:1,write:0,proxy:0

dn:cn=Accounting Managers,ou=groups,dc=example,dc=com
aclRights;entryLevel:add:0,delete:0,read:1,write:0,proxy:0

dn:cn=HR Managers,ou=groups,dc=example,dc=com
aclRights;entryLevel:add:0,delete:0,read:1,write:0,proxy:0

dn:uid=bjensen,ou=People, dc=example,dc=com
aclRights;entryLevel:add:0,delete:0,read:1,write:0,proxy:0

dn:uid=cfuente, ou=People, dc=example,dc=com
aclRights;entryLevel:add:0,delete:0,read:1,write:1,proxy:0

�b�H�W��X���A�ؿ�޲z��i�H�ݨ� Carla Fuente �J�L�k�˵�S�?�ϥΪ̡A�]�L�k�˵�𪬥ؿ�ؿ�޲z��$�C�b�H�U�d�Ҥ��A�ؿ�޲z��i�H�ݨ� Carla Fuente �L�k�ק�o�ۤv���ؤ��� mail �P manager �ݩʡG

ldapsearch -h rousseau.example.com -p 389 \
           -D "cn=Directory Manager" -w password \
           -c "dn:uid=cfuente,ou=People,dc=example,dc=com" \
           -b "dc=example,dc=com" \
           "(uid=cfuente)" aclRights "*"

version: 1
dn:uid=cfuente, ou=People, dc=example,dc=com

aclRights;attributeLevel;mail:search:1,read:1,compare:1,
 write:0,selfwrite_add:0,selfwrite_delete:0,proxy:0
mail:cfuente@example.com

aclRights;attributeLevel;uid:search:1,read:1,compare:1,
 write:1,selfwrite_add:1,selfwrite_delete:1,proxy:0
uid:cfuente

aclRights;attributeLevel;givenName:search:1,read:1,compare:1,
 write:1,selfwrite_add:1,selfwrite_delete:1,proxy:0
givenName:Carla

aclRights;attributeLevel;sn:search:1,read:1,compare:1,
 write:1,selfwrite_add:1,selfwrite_delete:1,proxy:0
sn:Fuente

aclRights;attributeLevel;cn:search:1,read:1,compare:1,
 write:1,selfwrite_add:1,selfwrite_delete:1,proxy:0
cn:Carla Fuente

aclRights;attributeLevel;userPassword:search:0,read:0,
 compare:0,write:1,selfwrite_add:1,selfwrite_delete:1,proxy:0
userPassword: {SSHA}wnbWHIq2HPiY/5ECwe6MWBGx2KMiZ8JmjF80Ow==

aclRights;attributeLevel;manager:search:1,read:1,compare:1,
 write:0,selfwrite_add:0,selfwrite_delete:0,proxy:0
manager:uid=bjensen,ou=People,dc=example,dc=com

aclRights;attributeLevel;telephoneNumber:search:1,read:1,compare:1,
 write:1,selfwrite_add:1,selfwrite_delete:1,proxy:0
telephoneNumber: (234) 555-7898

aclRights;attributeLevel;objectClass:search:1,read:1,compare:1,
 write:1,selfwrite_add:1,selfwrite_delete:1,proxy:0
objectClass:top
objectClass:person
objectClass:organizationalPerson
objectClass:inetorgperson

aclRights;entryLevel:add:0,delete:0,read:1,write:0,proxy:0

�F�Ѧ����v�Q���G

�����v�Q�n�D�̫�w���ﶵ�Ǧ^�U�C��T�G

�v�Q��T
Write�BSelfwrite_add �M Selfwrite_delete �v��
�O���T

�v�Q��T

�̤U�C���l�������Ѧ����v����T�G

aclRights;entrylevel	���Ѷ��ؼh���v����T
aclRights;attributelevel	�����ݩʼh���v����T
aclRightsInfo;entrylevel	���Ѷ��ؼh�ŰO���T
aclRightsInfo;attributelevel	�����ݩʼh�ŰO���T

aclRights �r�ꪺ�榡�O�Gpermission:value(permission:value)*

�i�઺���ؼh���v���O add�Bdelete�Bread�Bwrite �M proxy�C�i�઺�ݩʼh���v���O read�Bsearch�Bcompare�Bwrite�Bselfwrite_add�Bselfwrite_delete �M proxy�C

�o���v�����ȥi��O�U�C�䤤�@�ӡG

0 - �w���v
1 - �����v
? - �ұ��v����M��z�[�J�B�R���Ψ�N���ݩʭȡC�p�G�ݨ� ?�A�аѾ\�O���T�H�إ߱»P�Τ��»P�v������]�C
- - ��ܰ��D�����ݩʬO�����ݩʡA�]���L�k��s�C�ק�����ݩʪ��ߤ@��k�N�O�קﲣ�͸��ݩʪ����C

Write�BSelfwrite_add �M Selfwrite_delete �v��

�b Directory Server 5.2 ���u���g�ݩʼh���v�����u?�v�ȡC���[�J�M�R���v���A�z�i�H�[�J�ΧR�������ص�ؤ����ݩʭȦөw�C�b���ؤW�Ǧ^�v�� (0 �� 1)�A�]�����̬O�H ldapsearch �@�~�Ǧ^�A�Ӥ��O�Ǧ^�u?�v�C

�p�G write �v�����ȬO 1�A�h�»P�[�J�M�R���Ҧ��� (���v dn �Ȱ��~) �� ldapmodify �@�~���v���C�g�J�v�����ȬO 0�A��ܥ��»P�[�J�ΧR������ (���v dn �Ȱ��~) �� ldapmodify �@�~���v���C�b�䤤�@�� selfwrite �v�����A��T�a�Ǧ^���v dn �Ȫ������v���A�]�N�O selfwrite_add �� selfwrite_delete�C

��M selfwrite-add �M selfwrite-delete �ݩʼh�Ť��s�b ACI ��Ҥ��A�@�� ACI �i�H�»P�ϥΪ̭ק�ާ@���u�[�J���u �R������ selfwrite �v���C�N selfwrite �v���Ө��A���b�ק襤���ݩʭȬO���v dn�Cwrite �S���P�˪��t���A�]���|���w�q���F�g�J�v���ҭק諸�ݩʭȡC

�����v����M�� targattrfilters ACI �ɡA�u?�v�Ȫ�ܦp�ݦ����v�����ԲӸ�ơA�аѾ\�O���T�C�ھ� write�Bselfwrite_add �M selfwrite_delete �v���������۹����̩ʡA�� 6-3 ����o�T�ӥi���v�����զX�Ҫ�ܪ��N�q�C

�� 6-3 �����v�Q�v�����̩�

�g�J	selfwrite_ add	selfwrite_ delete	�����v�Q����
0	0	0	�L�k�[�J�ΧR�����ݩʪ����ȡC
0	0	1	�u��R�����v dn ���ȡC
0	1	0	�u��[�J���v dn ���ȡC
0	1	1	�u��[�J�ΧR�����v dn ���ȡC
1	0	0	�i�H�[�J�ΧR�����F���v dn ���~���Ҧ��ȡC
1	0	1	�i�H�R���Ҧ��]�t���v dn ���ȡA�ӥB�i�H�[�J�Ҧ��ư����v dn ���ȡC
1	1	0	�i�H�[�J�Ҧ��]�t���v dn ���ȡA�ӥB�i�H�R���Ҧ��ư����v dn ���ȡC
1	1	1	�i�H�[�J�ΧR�����ݩʪ��Ҧ��ȡC
?	0	0	���i�H�R���[�J�ΧR���J���v dn ���ȡA��i��i�H�[�J�ΧR����L�Ȧ���g�J�v�����ԲӸ�ơA�аѾ\�O���T�C
?	0	1	�i�H�R���A���[�J���v dn ���ȡA�ӥB�i��i�H�[�J�ΧR����L�ȡC����g�J�v�����ԲӸ�ơA�аѾ\�O���T�C
?	1	0	�i�H�[�J�A���R�����v dn ���ȡA�ӥB�i��i�H�[�J�ΧR����L�ȡC����g�J�v�����ԲӸ�ơA�аѾ\�O���T�C
?	1	1	�i�H�[�J�M�R�����v dn ���ȡA�ӥB�i��i�H�ק�[�J�έק�R����L�ȡC����g�J�v�����ԲӸ�ơA�аѾ\�O���T�C

�O���T

�����v�Q�O���T�i��z�F�ѩM����s���x��C�O���T�]�t�٬� acl_summary ���s���K�n�n��A��ܤw���\�Ωڵ��s����]�C�s���K�n�n��]�t�U�C��T�G

�O�_���\�Ωڵ��s��
�ұ»P���v��
�v�����ؼж���
�ؼ��ݩʪ��W��
�ҭn�D���v�Q�D��
�O�_�ѥN�z�v�i��n�D�A�p�G�O�h���N�z���� DN�C
���\�Ωڵ��s���] (�ﰻ��γ~�ܭ��n)�C�i���]�C�b�� 6-4 ���G

�� 6-4 �����v�Q�O���T��]�P���� 

�O���T��]	����
no reason available	�S���i�Ω󻡩�󤹳\�Ωڵ��s���]�C
no allow acis	�����\�y���ڵ��s�� ACI �s�b�C
result cached deny	�Ω�P�_�s��ڵ��M�w���֨��T�C
result cached allow	�Ω�P�_�s��\�M�w���֨��T�C
evaluated allow	���H�P�_�s��\�M�w�� ACI�Caci ���W�٥]�t�b�O���T���C
evaluated deny	���H�P�_�s��ڵ��M�w�� ACI�Caci ���W�٥]�t�b�O���T���C
no acis matched the resource	�L ACI �ŦX�y���ڵ��s��귽�ΥؼСC
no acis matched the subject	�L ACI �ŦX�y���ڵ��s��n�D�s���D��C
allow anyone aci matched anon user	�� userdn = "ldap:///anyone" �D�骺 ACI ���\�s��ΦW�ϥΪ̡C
no matching anyone aci for anon user	�䤣�즳 userdn = "ldap:///anyone" �D�骺 ACI�A�]���ڵ��s��ΦW�ϥΪ̡C
root �ϥΪ�	�ϥΪ̬O root DN �B�i�H�s��C

�Ƶ�	�����ѵ����ݩʪ��g�J�v���A�]�S�����ѥ����O�����T�A�]�������ݩʵL�k��s�C

�p�ݺ�T����x�ɮ榡�A�аѾ\�mDirectory Server Administration Reference�n�C

---

�i�����s���G�ϥΥ��� ACI

�b�ϥέ��ƾ𪬥ؿ�c����´���A�ϥΥ����i�H�̨Τƥؿ�ҥΪ� ACI �ƥءC��־𪬥ؿ� ACI �ƥءA�i��z��e��޲z�z���s�����A�çﵽ ACI ���O����ϥήIJv�C

�����O�b ACI ���ΨӥN�� DN �γ��� DN ���w�d��m�C�z�i�H�ϥΥ����b ACI ���ؼг��)γs���W�h���� (�Ψ��) ���N�� DN�C�ƹ�W�A�� Directory Server ����ǤJ�� LDAP �@�~�ɡA�K�|��� ACI �����P LDAP �@�~���ؼи귽�A�H�M�w��3�l�r�� (�Y��)�C�p�G��ﵲ�G�۲šA�N�ϥι�3���l�r��i�}�s���W�h�ݪ������A�õ��i�}���s���W�h�A�ӨM�w�귽���s���v���C

���� ACI �d��

���� ACI ���u�I�Ψ�B�@�覡�i�H�νd�Ұ��̲M��������C�� 6-4 ��ܤ@�Ӿ𪬥ؿ�A�b���𪬥ؿ�Ī��ϥΥ��� ACI ��־��� ACI �ƥءC

�Ъ`�N�Ϥ��ۦP�𪬥ؿ�c (ou=groups,ou=people) ���l���@�A�e�{���ƪ��Ҧ��C���Ҧ��]�b��Ӿ𪬥ؿ�@�A���ơA�]�� example.com �𪬥ؿ��x�s�U�C�=X�Gdc=hostedCompany2,dc=example,dc=com �M dc=hostedCompany3,dc=example,dc=com�C

�M�Φb�𪬥ؿ� ACI �]�����ƪ��Ҧ��C�Ҧp�A�U�C ACI ��� dc=hostedCompany1,dc=example,dc=com �`�I�W�G

aci:(targetattr="*")
 (targetfilter=(objectClass=nsManagedDomain))(version 3.0;
 acl "Domain access"; allow (read,search) groupdn=
 "ldap:///cn=DomainAdmins,ou=Groups,dc=hostedCompany1,
 dc=example,dc=com";)

�� ACI �N DomainAdmins �s�ժ�Ū��P�j�M�v�Q�»P dc=hostedCompany1,dc=example,dc=com �𪬥ؿ��󶵥ءC

�� 6-4 ���� ACI ���𪬥ؿ�d��

�U�C ACI ��� dc=hostedCompany1,dc=example,dc=com �`�I�W�G

aci:(targetattr="*")
 (targetfilter=(objectClass=nsManagedDomain))
 (version 3.0; acl "Domain access"; allow (read,search)
 groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=hostedCompany1,
 dc=example,dc=com";)

�U�C ACI ��� dc=subdomain1,dc=hostedCompany1, dc=example,dc=com �`�I�W�G

aci:(targetattr="*")
 (targetfilter=(objectClass=nsManagedDomain))
 (version 3.0; acl "Domain access"; allow (read,search)
 groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=subdomain1,
 dc=hostedCompany1,dc=example,dc=com";)

�U�C ACI ��� dc=hostedCompany2,dc=example,dc=com �`�I�W�G

aci:(targetattr="*")
 (targetfilter=(objectClass=nsManagedDomain))
 (version 3.0; acl "Domain access"; allow (read,search)
 groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=hostedCompany2,
 dc=example,dc=com";)

�U�C ACI ��� dc=subdomain1,dc=hostedCompany2, dc=example,dc=com �`�I�W�G

aci:(targetattr="*")
 (targetfilter=(objectClass=nsManagedDomain))
 (version 3.0; acl "Domain access"; allow (read,search)
 groupdn="ldap:///cn=DomainAdmins,ou=Groups, dc=subdomain1,
 dc=hostedCompany2,dc=example,dc=com";)

�b�H�W��ܪ��|�� ACI ���A�ߤ@���t�O�O groupdn ����r����w�� DN�C�ǥѨϥΥ����N�� DN�A�K�i�H�b dc=example,dc=com �`�I�W�A�ξ𪬥ؿ�ڳ����@�� ACI ��N�o�� ACI�C�� ACI ��ܦp�U�G

aci:(target="ldap:///ou=Groups,($dn),dc=example,dc=com")
 (targetattr="*")(targetfilter=(objectClass=nsManagedDomain))
 (version 3.0; acl "Domain access"; allow (read,search) groupdn=
 "ldap:///cn=DomainAdmins,ou=Groups,[$dn],dc=example,dc=com";)

�Ъ`�N�A���B�����޶i��e���ϥιL�� target ����r�C

�b�H�W�d�Ҥ��AACI ���ƥرq�|�Ӵ�֨�@�ӡA���ڪ��u�I��M���Ӿ𪬥ؿ�ƼҦ����h��C

���� ACI �y�k

��²�ƥ��`�����Q�סA�ΨӴ��ѳs�����Ҫ� ACI ����r (�p userdn�Broledn�Bgroupdn �P userattr) �X�_�Ӻ٬� ACI ���D���C�D��M�w ACI ���M�ι�H�C

���� ACI �]�t�U�C�B�⦡�����A�H��N DN �γ��� DN�G

($dn) - �Ω��3�ؼСA�ê����%N���D��C
[$dn] - �Ω�%N�D�骺�𪬤l�ؿ�A�Ϊ��h�� RDN�C
($attr.attributeName) - �Ω�N attributeName �ݩʪ��ȱq�ؼж��ش%N���D��C

�� 6-5 ��� ACI ���i�ϥ� DN ���������!G

�� 6-5 ACI ����r��������

����	ACI ����r
($dn)	target�Btargetfilter�Buserdn�Broledn�Bgroupdn�Buserattr
[$dn]	targetfilter�Buserdn�Broledn�Bgroupdn�Buserattr
($attr.attrName)	userdn�Broledn�Bgroupdn�Buserattr

�A�ΤU�C����G

�b�D�餤�ϥ� ($dn) �P [$dn] �����ɡA�����w�q�]�t ($dn) �������ؼСC
�b�D�餤�A($dn) ���� (���O [$dn]) �i�H�� ($attr.attrName) �������X�C

�ؼФ� ($dn) ����3

ACI �ؼФ��� ($dn) �����Q�Τ�� LDAP �n�D���ؼж��بӨM�w�%N�ȡC�Ҧp�A���@�� LDAP �n�D���ؼЬ� cn=all,ou=groups,dc=subdomain1, dc=hostedCompany1,dc=example,dc=com ���ءA�өw�q�ؼЪ� ACI �p�U�G

(target="ldap:///ou=Groups,($dn),dc=example,dc=com")

($dn) �����|��3�� "dc=subdomain1, dc=hostedCompany1"�C�M��ϥγo�Ӥl�r��%N ACI ���D��C

�%N�D�餤�� ($dn)

�b ACI ���D�餤�A($dn) �����|�Q�ؼФ��۲Ū�����l�r���N�C�Ҧp�G

groupdn="ldap:///cn=DomainAdmins,ou=Groups,($dn),
 dc=example,dc=com"

�ܬ��G

groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=subdomain1,
 dc=hostedCompany1,dc=example,dc=com"

�@���i�}������ADirectory Server �|�̷ӥ��`�{�ǵ�� ACI�A�P�_�O�_�»P�s���v�C

�Ƶ�	�ϥΥ����%N�� ACI �P�з� ACI ���P�A�e�̤��@�w�|���ؼж��ت��l���»P�s���v���C�o�O�]���A��l���� DN �O�ؼЮɡA�%N�����G�i�ण�|�b�D��r�ꤤ�إߦ��Ī� DN�C

�%N�D�餤�� [$dn]

[$dn] ���%N���P ($dn) �y�����P�C�ؼи귽�� DN �|����Ʀ��A�C���|���̥��䪺 RDN ����A������۲Ŷ�����C

�Ҧp�A���@�� LDAP �n�D���ؼЬO cn=all,ou=groups, dc=subdomain1,dc=hostedCompany1,dc=example,dc=com �𪬤l�ؿ�A�٦��U�C ACI�G

aci:(targetattr="*")
 (target="ldap:///ou=Groups,($dn),dc=example,dc=com")
 (version 3.0; acl "Domain access"; allow (read,search)
 groupdn="ldap:///cn=DomainAdmins,ou=Groups,[$dn],
 dc=example,dc=com";)

��A���̤U�C�覡�B�z�A�H�i�}�� ACI�G

�ؼФ��� ($dn) �ŦX dc=subdomain1,dc=hostedCompany1�C
�N�D�餤�� [$dn] �H dc=subdomain1,dc=hostedCompany1 ��N�C

���ͪ��D��O groupdn="ldap:///cn=DomainAdmins,ou=Groups, dc=subdomain1,dc=hostedCompany1,dc=example,dc=com"�C�p�G�]���s�� DN �O�Ӹs�ժ��������o�v���A�����i�}�N�|����A�i���� ACI�C�p�G���O����A�B�z�N�|�~��C

�N�D�餤�� [$dn] �H dc=hostedCompany1 ��N�C

���ͪ��D��O groupdn="ldap:///cn=DomainAdmins,ou=Groups, dc=hostedCompany1,dc=example,dc=com"�C�P�˦a�A��ճs�� DN �O�_�����s�ժ�����A�p�G�O�A�N������ ACI�C�p�G���O����A�����i�}�b�̫�@�Ӭ۲ŭȪ� RDN �B����A�åB�� ACI �� ACI ���ܦ������C

[$dn] �������u�I�b�󥦥H�u�ʪ��覡���v���h�Ū��t�κ޲z��i�s��𪬥ؿ������l���C�]���A�b��ܺ�줧�������h��Y�ɬ۷?�ΡC

�Ҧp�A�ЦҼ{�U�C ACI�G

aci:(target="ldap:///ou=*,($dn),dc=example,dc=com")
 (targetattr="*")(targetfilter=(objectClass=nsManagedDomain))
 (version 3.0; acl "Domain access"; allow (read,search) groupdn=
 "ldap:///cn=DomainAdmins,ou=Groups,[$dn],dc=example,dc=com";}

���»P cn=DomainAdmins,ou=Groups, dc=hostedCompany1,dc=example,dc=com ������� dc=hostedCompany1 �U���Ҧ��l��쪺�s���v���A�ϱo�ݩ�Ӹs�ժ��t�κ޲z����s�� ou=people,dc=subdomain1.1,dc=subdomain1 �𪬤l�ؿ�C

��P�ɡAcn=DomainAdmins,ou=Groups, dc=subdomain1.1 ������|�D��ڵ��s�� ou=people,dc=subdomain1, dc=hostedCompany1 �M ou=people,dc=hostedCompany1 �`�I�C

($attr.attrName) ��������3

($attr.attrname) �����`�O�Φb DN ���D�鳡�!C�Ҧp�A�i�H�w�q�U�C roledn�G

roledn = "ldap:///cn=DomainAdmins,($attr.ou),dc=HostedCompany1,
 dc=example,dc=com"

���]�{�b��A������H�U�C���ج��ؼЪ� LDAP �@�~�G

dn: cn=Babs Jensen,ou=People,dc=HostedCompany1,dc=example,dc=com
cn:Babs Jensen
sn:Jensen
ou:Sales
...

���F��� ACI �� roledn ���!A��A��Ū���x�s�b�ؼж��ؤ��� ou �ݩʭȡA�ñN�b�D�餤�����ȴ%N�H�i�}�����C�b�d�Ҥ��Aroledn �i�}�p�U�G

roledn = "ldap:///cn=DomainAdmins,ou=Sales,dc=HostedCompany1,
 dc=example,dc=com"

���U�ӡADirectory Server �|�ھڥ��`�� ACI ���t��k��� ACI�C

�?������w���ݩʬO�h�����ݩʮɡA�h�|�̧ǨϥΨC�ӭȨӮi�}�����A�èϥβĤ@�ӹ�3���\���ȡC

---

�s���P�ƻs

ACI �x�s�����ت��ݩʡA�]���A�p�G�]�t ACI �����جO�ƻs�=X���@���!A�h ACI �|�P��L����ݩʤ@�˳Q�ƻs�C

ACI �`�O�b�A�ȶǤJ LDAP �n�D���ؿ��A���W���C�o��ܷ��Ϊ̦�A�������s�n�D�ɡA���|�Ǧ^�D���A�����ѷӡA�M��A����_�b�D��W�A�ȸӭn�D�C

---

�s���M�챵

�p�G�ϥ��챵�N�𪬥ؿ�4��b�X����A���W�A�h�s���z�����ҨϥΪ�����r�|���@�ǭ���G�p�ݸԲӸ�T�A�аѾ\�uACI ����v�C

�����ҨϥΪ̦s���챵�=X�ɡA��A���|�ǰe�ϥΪ̪�������ݦ�A���C�s����`�O�b���ݦ�A���W���C�b���ݦ�A���W���C�@�� LDAP �@�~���ϥΥΤ��3�ε{����l����A������O�z�L�N�z���ұ���Ҷǰe�C�u����ϥΪ̹ﻷ�ݦ�A���W�]�t���𪬤l�ؿ�֦����T���s���ɡA�b���ݦ�A���W���@�~�~�|���\�C�o��ܡA�z�����N�@�몺�s���[�J�컷�ݦ�A���W�A�å[�W�@�ǭ���G�p�ݸԲӸ�T�A�аѾ\�u�z�L�챵�=X���s���v�C

---

�O��s����T

�Y�n��o��~��x�ɤ�����s����T�A�����]�w�A�?�O��h�šC

�Y�n�q�D���x�]�w��~��x�ɼh�šG

�b Directory Server Console �̤W�h�� [�ؿ�] ���ҤW�A�H�ƹ��k���@�U cn=config �`�I�A�æb����\��?��� [�H�зǽs�边�s��]�C

�o�|�b [�зǽs�边] �W��ܥX cn=config ���ت����e�C

�N�ݩʭȰt��M��V�U���ʡA�H��� nsslapd-errorlog-level �ݩʡC
�N nsslapd-errorlog-level ��줤�w��ܪ��ȦA�[�W 128�C

�Ҧp�A�p�G�w��ܪ��Ȭ� 8192 (�ƻs����)�A�z3�ӱN���ܧ� 8320�C�p������~��x�ɼh�Ū������T�A�аѾ\�mDirectory Server Administration Reference�n�C

��@�U [�T�w] �x�s�ܧ�A�ðh�X�зǽs�边�C

---

�P�ª����ۮe��

�����ª� Directory Server �ҥΪ� ACI ����r�b Directory Server 5.2 ���w���A�ϥΡC��F��P�ª��ۮe�ʡA�ҥH���M�䴩�o������r�C�o������r�O�G

userdnattr
groupdnattr

�]���A�p�G�z���b�¨�3�Ӧ�A���P��Ϊ� Directory Server 5.2 �����w�]�w�ƻs��ij�A3�Ӥ��|�b ACI ���ƻs���J������D�C

���ij�z�̦n�� userattr ����r���\���N�o������r�A�p�u�ھڬ۲ŭȩw�q�s��v���ҭz�C

�W�@��      �ؿ�      �d�      �U�@��

---

Copyright 2004 Sun Microsystems, Inc. All rights reserved.