Oracle® Internet Directory Administrator's Guide 10g (9.0.4) Part Number B12118-01 |
|
Directory Access Control, 5 of 5
As described in "Overview of Access Control Policy Administration", directory access control policy information is represented as user-modifiable operational attributes. Hence, you can manage directory access control by using ldapmodify to set and alter values of these attributes. Any tool, including ldapmodify and ldapmodifymt, can be used for this purpose.
To directly edit the ACI, you should understand the format and semantics of the directory representation of the ACI as described in Appendix E, "The Access Control Directive Format".
See Also:
|
You can specify ACIs to restrict the kind of entries a user can add. For example, you can specify an ACI in the DSE root entry that allows users to add only entries with objectclass=country
. To do this, you use the added_object_constraint
filter. The directory server then verifies that any new entry complies with the constraints in this filter.
The following example specifies that:
cn=admin,c=us
can browse, add, and delete under organization
entries.
cn=admin,c=us
can add organizationalUnit
objects under organization
entries
organization
entries
access to entry filter=(objectclass=organization) by group="cn=admin,c=us"
constraintonaddedobject=(objectclass=organisationalunit)
(browse,add,delete) by * (browse)
This example sets up subtree access permissions in an orclACI
at the root DSE by using an LDIF file named my_ldif_file
. Because this example refers to the orclACI
attribute, this access directive governs all the entries in the DIT.
ldapmodify -v -h $1 -D "cn=Directory Manager, o=IMC, c=US" -w "controller" -f my_ldif_file
The LDIF file, my_ldif_file
, contains the following:
dn: changetype: modify replace: orclaci orclaci: access to entryby dn="cn=directory manager, o=IMC, c=us" (browse, add, delete) by * (browse, noadd, nodelete)orclaci: access to attr=(*)by dn="cn=directory manager, o=IMC, c=us" (search, read, write, compare) by self (search, read, write, compare) by * (search, read, nowrite, nocompare)
This example sets up entry-level access permissions in the orclEntryLevelACI
attribute by using an LDIF file named my_ldif_file
. Because this example refers to the orclentrylevelACI
attribute, this access directive governs only the entry in which it resides.
ldapmodify -v -h myhost -D "cn=Directory Manager, o=IMC, c=US" -w "controller"
-f my_ldif_file
The LDIF file, my_ldif_file
, contains the following:
dn: changetype: modify replace: orclentrylevelaci orclentrylevelaci: access to entryby dn="cn=directory manager, o=IMC, c=us" (browse, add, delete) by * (browse, noadd, nodelete)orclentrylevelaci: access to attr=(*)by dn="cn=directory manager, o=IMC, c=us" (search, read, write, compare) by * (search, read, nowrite, nocompare)
This example shows the use of wild cards (*) in the object and subject specifiers. For all entries within the acme.com
domain, it grants to everyone browse permission on all entries, as well as read and search permissions on all attributes.
orclACI
attribute in the ACP at dc=com
access to entry by * (browse)
access to attr=(*) by * (search, read)
Note that, in order to allow reading the attributes, browse permissions must be granted on the entries in order for read permissions to be granted to the attributes of those entries.
This example shows the use of a regular expression to select the entries by DN in two access directives. It grants to everyone read-only access to the address book attributes under dc=acme,dc=com
access.
orclACI
attribute of dc=acme, dc=com
:
access to entry by * (browse) access to attr=(cn, telephone, email) by * (search, read)
orclACI
attribute of dc=us, dc=acme, dc=com
:
access to entry by * (browse) access to attr=(*) by dn=".*,dc=us,dc=acme,dc=com" (search, read)
This example shows the use of an attribute selector to grant access to a specific attribute, and various subject selectors. The example applies to entries in the dc=us,dc=acme,dc=com
subtree. The policy enforced by this ACI can be described as follows:
dc=us
subtree can browse, but those outside it have no access to the subtree.
userPassword
attribute can be viewed and modified by oneself and the administrator. Others can only compare this attribute.
homePhone
attribute can be read and written by oneself and viewed by anyone else.
"orclACI" attribute of "dc=us, dc=acme, dc=com":
access to entry by dn="cn=admin, dc=us,dc=acme,dc=com" (browse, add, delete) by dn=".*, dc=us,dc=acme,dc=com" (browse) by * (none)
access to attr=(salary) by dnattr=(manager) (read, write) by self (read) by * (none)
access to attr=(userPassword) by self (search, read, write) by dn="cn=admin, dc=us,dc=acme,dc=com" (search, read, write) by * (compare)
access to attr=(homePhone) by self (search, read, write) by * (read)
access to attr != (salary, userPassword, homePhone) by dn="cn=admin, dc=us,dc=acme,dc=com" (compare, search, read, write) by * (compare, search, read)
This example gives to everyone read-only access to address book attributes under dc=acme,dc=com
. It also extends to everyone read access to all attributes within the dc=us,dc=acme,dc=com
subtree only.
orclACI
attribute of dc=acme, dc=com
:
access to entry by * (browse) access to attr=(cn, telephone, email) by * (search, read)
orclACI
attribute of dc=us, dc=acme, dc=com
:
access to entry by * (browse) access to attr=(*) by dn=".*,dc=us,dc=acme,dc=com" (search, read)
This example allows people within the US domain to add or remove only their own name (DN) to or from the member attribute of a particular group entry, for example, a mailing list.
orclEntryLevelACI
attribute of the group entry in question:
access to attr=(member) by dn=".*, dc=us,dc=acme,dc=com" (selfwrite)
|
![]() Copyright © 1999, 2003 Oracle Corporation. All Rights Reserved. |
|