Exit Print View

Sun OpenDS Standard Edition 2.0 Architectural Reference

Get PDF Book Print View

Document Information

The Directory Server Access Control Model

Access Control Principles

Access Control Overview

ACI Structure

Directory Server Global ACIs

ACI Evaluation

ACI Limitations

Access Control and Replication

See Also

ACI Syntax

ACI Syntax Overview

Defining Targets

Targeting a Directory Entry

To Target Attributes

To Target an Entry and Attributes

To Target Entries or Attributes Using LDAP Filters

To Target Attribute Values Using LDAP Filters

To Target a Single Directory Entry

To Specify the Scope of an ACI

To Target LDAP Controls

To Target LDAP Extended Operations

Defining Permissions

To Allow or Deny Access

To Assign Rights

Rights Required for LDAP Operations

Permissions Syntax

Bind Rules

Bind Rules Overview

Using Boolean Bind Rules

See Also

Bind Rule Syntax

Bind Rule Syntax Overview

Defining User Access (userdn Keyword)

Defining General Access (all Keyword)

Defining Anonymous Access (anyone Keyword)

Defining Self Access (self Keyword)

Defining Parent Access (parent Keyword)

Specifying Users With LDAP URLs

Specifying Users With Wildcards

Specifying Users With a Logical OR of LDAP URLs

Excluding Specific LDAP URLs

Defining Group Access (groupdn Keyword)

Specifying a Group With a Single LDAP URL

Specifying a Group With a Logical OR of LDAP URLs

Defining Access Based on Value Matching (userattr Keyword)

Bind-Type Format

Attribute-Value Format

USERDN Bind Type Example

GROUPDN Bind Type Example

LDAPURL Bind Type Example

Attribute Value Example


Inheritance Example

Add Permissions

Defining Access From a Specific IP Address (ip Keyword)

Defining Access From a Specific Domain (dns Keyword)

Defining Access at a Specific Time of Day or Day of Week (timeofday and dayofweek Keywords)

Defining Access Based on Authentication Method (authmethod Keyword)

Authentication Method Examples

Defining Access Based on a Connection's Security Strength Factor (ssf Keyword)

DIGEST-MD5 QOP Key Size Mapping

TLS Cipher Key Size Mapping


Compatibility With the Sun Java System Directory Server Access Control Model

Global ACI

All Attributes targetattr Rule (targetattr="*")

Distinguished Name (DN) Wildcard Matching

Privilege Subsystem Impact

The targetscope Keyword

LDAP Modify Increment

Macro Support

The roledn Keyword

Understanding the Directory Server Schema

Index Databases

Understanding Directory Server Plug-Ins

Directory Server Replication

Root Users and the Privilege Subsystem

Supported Controls and Operations

Targeting a Directory Entry

Use the target keyword and a DN inside an LDAP URL to target a specific directory entry and any entries below it. The targeted DN must be located in the entry where the ACI is defined or in the subtree below the entry. The target expression has the following syntax:

(target = "ldap:///distinguishedName")
(target != "ldap:///distinguishedName")

The distinguished name must be located in the entry where the ACI is defined or in the subtree below the entry. For example, the following target can be used in an ACI on ou=People,dc=example,dc=com:

(target = "ldap:///uid=bjensen,ou=People,dc=example,dc=com")

The keyword target is optional. If it is not present, the default target for the ACI is the entry where the ACI is stored.

Note - The DN of the entry must be a distinguished name in string representation (defined in RFC 2253). Therefore, characters syntactically significant for a DN, such as commas, must be escaped with a single backslash (\). For example:

(target="ldap:///uid=cfuentes,o=Example Bolivia\, S.A.")

You can also use a wildcard in the DN to target any number of entries that match the LDAP URL. The following are legal examples of wildcard usage:

Multiple wildcards are allowed, such as in uid=*,ou=*,dc=example,dc=com, which matches every entry in the example.com tree whose distinguished name contains the uid and ou attributes in the specified positions.