Sun Java(TM) System Directory Server 5 2004Q2 �z��n |
�� 6 ��
�z�s�������s��z���ؿ�e�O�إߦw���ؿ�i�ίʪ��@����C��������s����O (ACI)�A���i�M�w�»P�s��ؿ�ϥΪ̭��@���v���CDirectory Server �]�t�s���\��A�i�˵��w�ϥΪ̹��w���ؾ֦��������v�Q�C���\��i�N�z����B�\��j�j���s�����@�~²�ơC
�b�ؿ�p���p�e���q�ɡA3�өw�q�ŦX����w���F�����s�����C�p�����W���s���������ܡA�аѾ\�mDirectory Server Deployment Planning Guide�nChapter 7 "Designing Access Control"�C
�����]�t�U�C�D�D�G
�s�����w�q�s���v�����٬��s����C���A������n�D�ɡA���|�ϥΨϥΪ̦b�s���@�~���Ҵ��Ѫ����Ҹ�T�A�H�Φ�A�����w�q���s����O (ACI)�A�Ӥ��\�Ωڵ��s��ؿ��T�C��A���i���\�Ωڵ��v���A�ҦpŪ��B�g�J�B�j�M�Τ��C�»P�ϥΪ̪��v���h�ťi��]�Ҵ��Ѫ����Ҹ�T���P�Ӧ��Үt���C
�ϥΦs���A�z�K�i�H����s���ӥؿ�B�ؿ�𪬤l�ؿ�B�ؿ�S�w���� (�]�A�w�q�պA�u�@������)�B�S�w�������ݩʲթίS�w�������ݩʭȡC�i�H�]�w�S�w�ϥΪ̪��v���B�ݩ�S�w�s�թΨ��⪺�Ҧ��ϥΪ��v���B�Υؿ�Ҧ��ϥΪ̪��v���C�̫�A�i�H�w�q�H IP ��}�� DNS �W���ѧO���S�w�Τ�ݪ��s���v�C
ACI ���c
����s���O�H�����ݩʪ��覡�x�s�b�ؿ�Caci �ݩʬO�ާ@�ݩʡF���i�ѥؿ�C�Ӷ��بϥΡA�����ت��������O�O�_�w�w�q���ݩʡC�ؿ��A���b����ӦۥΤ�ݪ� LDAP �n�D�ɡADirectory Server �|�ϥΦ��ݩʨӵ��n�»P�Ωڵ����v�Q�C�p�G���S�O���n�D�Aldapsearch �@�~���|�Ǧ^ aci �ݩʡC
ACI ���z���,��T�ӥD�n���!G
ACI ���v���P�s���W�h���*��]�w�O�ĥΰt��覡�A�o�ǰt��]�٬��s���W�h (ACR)�C�t�η|�ھڦ��H��w�v�����W�h�O�_�Q�����T�A�ӨM�w�»P�Ωڵ��s��ؼЪ���w�v���C�p�ݸԲӸ�T�A�аѾ\�uACI �y�k�v�C
ACI ��m
�p�G�]�t ACI �����ؤ��S�����l���ءA�h ACI �ȮM�Φb�Ӷ��ءF�p�G���ؤ����l���ءA�h ACI �|�M�Φb���إ����Ψ�U�Ҧ������ءC�]���A���A��������w���ت��s���v���ɡA���|�T�{�n�D�����ػP��ڧ=X����¦�����C�Ӷ��ت� ACI�C
aci �ݩʬO�h�����ݩʡA�o��ܱz�i�H���P�@�Ӷ��ةξ𪬤l�ؿ�w�q�h�� ACI�C
�z�b���ؤW�إߪ� ACI ���|�����M�Φb�Ӷ��ؤW�A�ӬO�M�θӶ��ؤ��U���𪬤l�ؿ����Υ������ءC�o�˰����u�I�b��A�z�i�H�b�𪬥ؿ�h�q�w�@��ʪ� ACI�A�� ACI �i�H���Ħa�M�Ω��b�𪬥ؿ�U�h�����ءC�Ҧp�A�i�H�b organizationalUnit ���ة� locality ���ت��h�ūإ� ACI�A�� ACI ���ؼЬO�]�t inetorgperson �������O�����ءC
�i�H�Q�Φ��\��b���h���$��I�W�q�w�@��ʳW�h�A�ϥؿ� ACI �ƥش��̧C�C�Y�n�����S��W�h���d��A�z3�Ӿ��i��a�N�W�h��b����س̪�m�C
ACI ���
���F���S�w���ت��s���v�Q�A��A���|�sĶ�@�� ACI �M��A�o�� ACI �s�b�إ����W�A�H�Φs�b��i�V���خڧ=X����¦�^������ؤW�C���v��A��A���|�̦����dzB�z ACI�FACI �����|�b���ؤΨ�ڧ=X��¦�����Ҧ��=X�M�l�=X���i��A�Ӥ��b��L��A�����챵�=X�����i��C
�Ƶ�
�ؿ�z��O�ߤ@�S���M�Φs���A��㦳�v�����ϥΪ̡C��Τ�ݥH�ؿ�z���P�ؿ�s����A��A���b���@�~���e���|����� ACI�C
�]���A�H�ؿ�z���� LDAP �@�~���į�O�L�k�P��L�ϥΪ̪��w�nį�۴��ýת��C�z3�ӭn�H�@��ϥΪ̨����եؿ�į�C
�̹w�]�ȡA���حY�S�� ACI �i�M�ΡA�h���F�ؿ�z��~�A�N�ڵ��Ҧ��ϥΪ̦s��C������ ACI ��T�»P�s���v���A�ϥΪ̤~��s���A��������ءC�w�] ACI �w�q�ΦWŪ��s��A�ä��\�ϥΪ̭ק�L�̦ۤv�����ءA����@�w���ʩһݪ��ݩʰ��~�C�p�ݸԲӸ�T�A�аѾ\�u�w�] ACI�v�C
��M��A���u����̱���ؼж��ت� ACI�A��M�Φܶ��ت��Ҧ� ACI ���v�T�O�ֿn���C���D�����@�� ACI �ڵ��� ACI �»P���s���v���A�_�h�t�η|���\�Ӧs���v���C�ڵ��s�� ACI (���ץX�{�b�M���B)�A���u��ǧ����\�s��P�@�귽�� ACI�C
�Ҧp�A�p�G�z�ڵ��b�ؿ�ڼh�Ť����g�J�v���A�h�L�ױz�O�_�»P���S�w���v���A���ϥΪ̳��L�k�g�J�ؿ�C�Y�n�N�ؿ�g�J�v���»P�S�w�ϥΪ̡A��������g�J�v������l�ڵ��d��A�ϥ����]�t�ӨϥΪ̡C
ACI ����
���ؿ�A�ȫإߦs�����ɡA�z�������D�U�C����G
��O�A�i�H�N�x�s�b�ؿ�ؤ����ȻP�x�s�b�s���ϥΪ̶��ؤ����ȶi��ƭȹ�3 (�Ҧp�A�ϥ� userattr ����r)�C�Y�ϳs���ϥΪ̦b�x�s ACI ����A���W�S����ءA�s���٬O�|�H���`�覡���C
�p�����p���챵�s�����ԲӸ�T�A�аѾ\�u�z�L�챵�=X���s���v�C
- �� CoS �Ҳ��ͪ��ݩʤ���Ω�Ҧ� ACI ����r���C�ר䤣3�ӱN CoS �Ҳ��ͪ��ݩʥΩ� userattr �M userdnattr ����r�A�]���o�˦s���W�h�N�L�@�ΡC�p�ݸԲӸ�T�A�аѾ\�u�ϥ� userattr ����r�v�C�p����� CoS ���ԲӸ�T�A�аѾ\�� 5 ���u�z����M����v�C
- �s���W�h�`�O�b�����A���W���C�z���i�H�b ACI ����r�ҥΪ� LDAP URL ����w��A�����D��W�٩γs���X�C�Y�ϱz��w�F�A�]�@�ˤ��|�N LDAP URL �C�J�Ҷq�C�p�ݸԲӸ�T�A�аѾ\�mDirectory Server Administration Reference�n���� Chapter 6 "LDAP URL Reference"�C
- �»P�N�z�v�Q�ɡA�z����H�ؿ�z���N�N�z�v�Q�»P�ϥΪ̡A�]����N�N�z�v�Q�»P�ؿ�z��C
�w�] ACI��w�� Directory Server �ɡA�t�η|�b�z�b�պA�v��ҫ�w���ڧ=X�W�w�q�U�C�w�] ACI�G
- �Ҧ��ϥΪ֦̾��ΦW�s��ؿ��v���A�i���j�M�B���PŪ��@�~ (���F userpassword �ݩʤ��~)�C
- �s���ϥΪ̥i�H�ק�ؿ�L�̦ۤv�����ءA��L�k���H�R���C�L�̵L�k�ק� aci�Bnsroledn �M passwordPolicySubentry �ݩʡA�]�L�k�ק���귽�����ݩʡB�K�X�������A�ݩʩαb����w���A�ݩʡC
- �պA�z�� (�w�]�� uid=admin,ou=Administrators, ou=TopologyManagement,o=NetscapeRoot) �֦��N�z�v�Q�H�~���Ҧ��v�Q�C
- �պA�z��s�ժ��Ҧ�����֦��N�z�v�Q�H�~���Ҧ��v�Q�C
- �ؿ�z��s�ժ��Ҧ�����֦��N�z�v�Q�H�~���Ҧ��v�Q�C
- SIE �s�ժ��Ҧ�����֦��N�z�v�Q�H�~���Ҧ��v�Q�CSIE �s�եN�� Administration Server �����ؿ��A���s�ժ��z��C
��b�ؿ�إ߷s���ڧ=X�ɡA������¦���ؾ֦��W�z�w�] ACI�A��ۧڭק� ACI ���~�C���[�j�w���ʡA3�Ө��u�ϥΥD���x�إ߷s���ڧ=X�v���ҭz�[�J�� ACI�C
Administration Server �� NetscapeRoot �𪬤l�ؿ�ۤv���@�չw�] ACI�G
�U�C�U�`����p��ק�o�ǹw�]�ȡA�H�ŦX��´���ݭn�C
ACI �y�kACI �O�㦳�\�h�إi���ܤƪ�����c�C�L�רϥΥD���x�αq��O��إߩM�ק� ACI�A�z��3�ӤF�� LDIF �榡�� ACI �y�k�C�U�C�U�`�N�Բӻ��� ACI ���y�k�C
����
�]�� ACI �y�k�ӽ���ADirectory Server Console �ä��䴩�H��ı�覡�s��Ҧ� ACI�C�ӥB�A���j�q�ؿ�س]�w�s���ɡA�ϥΫ�O��O���ֳt���覡�C�]���A�Y�n�إߨ㦳���Ħs���w���ؿ�A�F�� ACI �y�k�O�ܭ��n���C
aci �ݩʪ��y�k�p�U�G
aci:(target)(version 3.0;acl "name";permission bindRules;)
�䤤�G
- target ��w�n�����s���v�������ءB�ݩʩζ��ػP�ݩʲաC�ؼХi����O�W�١B�@�өΦh���ݩʡA�γ�@ LDAP �z�ᄍ�F�ؼЬO��Ϊ��C�p�G����w�ؼСAACI �|�M�Φb�w�q ACI �B����Ӷ��ؤΨ�Ҧ��l���W�C
- version 3.0 �O�ѧO ACI ���������n�r��C
- name �O ACI ���W�١C�W�٥i���ѧO ACI �����r��CACI �W�٬O���n���A3�ӯ��y�z ACI ���ĪG�C
- permission �S�O�a���z�F�n���\�Ωڵ����v�Q�A�ҦpŪ��ηj�M�v�Q�C
- bindRules ��w�ϥΪ̬���o�s���v�ҥ������Ѫ����һP�s���ѼơC�s���W�h�]�i�H�H�ϥΪ̩θs�զ�����Y����¦�A�άO�H�Τ�ݪ��s�u�ݩʬ���¦�C
�i�H�֦��h�ӥؼЩM�v��-�s���W�h�t��C�o�i��z�N�@���ؼЪ����ةM�ݩ��u�ơA�æ��Ħa����w�ؼг]�w�h���s���C�Ҧp�G
aci:(target)...(target)(version 3.0;acl "name"; permission bindRule;
permission bindRule; ...; permission bindRule;)
�U�C������ LDIF ACI ���d�ҡG
aci:(target="ldap:///uid=bjensen,dc=example,dc=com")
(targetattr="*")(version 3.0; acl "example"; allow (write)
userdn="ldap:///self";)
�b���d�Ҥ��AACI ���ϥΪ� bjensen ���v�ק�o�ۤv�ؿ�ؤ����Ҧ��ݩʡC
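To make the pieces of this syntax concrete, here is an added parser (example code, not part of the original guide and not Directory Server's own implementation) that splits an ACI string into its target clauses, version, name and permission/bind-rule pairs, and rejects an unbalanced parenthesis or an unknown right. It treats everything inside double quotes (LDAP filters, URLs) as opaque, tolerates the bare `targetattr=*` form the text mentions, and keeps each bind rule as text.

```python
"""Parser for the ACI string format shown above (constructed example, not Sun's code)."""
import re
from dataclasses import dataclass

TARGET_KEYWORDS = {"target", "targetattr", "targetfilter", "targattrfilters"}
RIGHTS = {"read", "write", "add", "delete", "search", "compare", "selfwrite", "proxy", "all"}

@dataclass
class Aci:
    name: str
    targets: list   # [(keyword, "=" or "!=", expression), ...]
    rules: list     # [("allow" or "deny", [right, ...], bind_rule_text), ...]

def _top_level_groups(text):
    """Contents of each top-level (...) group; quoted text (filters, URLs) is opaque."""
    groups, depth, start, quoted = [], 0, None, False
    for i, ch in enumerate(text):
        if ch == '"':
            quoted = not quoted
        elif quoted:
            continue
        elif ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unexpected ')' at offset %d" % i)
            if depth == 0:
                groups.append(text[start + 1:i])
    if depth != 0 or quoted:
        raise ValueError("unbalanced parentheses or quotes in ACI")
    return groups

def _split_outside_quotes(text, sep):
    """Split on sep, ignoring separators inside quotes or nested parentheses."""
    parts, buf, depth, quoted = [], [], 0, False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        elif not quoted:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            elif ch == sep and depth == 0:
                parts.append("".join(buf).strip())
                buf = []
                continue
        buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return parts

def _unquote(value):
    value = value.strip()   # a bare value such as targetattr=* is passed through unchanged
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value

def parse_aci(text):
    """Parse aci:(target ...)(version 3.0; acl "name"; allow|deny (rights) bindRule; ...)."""
    text = text.strip()
    if text.lower().startswith("aci:"):
        text = text[4:]
    groups = _top_level_groups(text)
    if not groups:
        raise ValueError("ACI contains no parenthesised clauses")
    targets = []
    for group in groups[:-1]:   # every group but the last is a target clause
        m = re.match(r"^\s*(\w+)\s*(!=|=)\s*(.*)$", group, re.S)
        if not m or m.group(1) not in TARGET_KEYWORDS:
            raise ValueError("bad target clause: (%s)" % group)
        targets.append((m.group(1), m.group(2), _unquote(m.group(3))))
    # The last group carries the version, the ACI name and the permission/bind-rule pairs.
    clauses = _split_outside_quotes(groups[-1], ";")
    if len(clauses) < 3 or not clauses[0].startswith("version 3.0"):
        raise ValueError('body must be: version 3.0; acl "name"; then at least one rule')
    name_match = re.match(r'^acl\s+"([^"]*)"$', clauses[1])
    if not name_match:
        raise ValueError("bad acl name clause: %s" % clauses[1])
    rules = []
    for clause in clauses[2:]:
        m = re.match(r"^(allow|deny)\s*\(([^)]*)\)\s*(.+)$", clause, re.S)
        if not m:
            raise ValueError("bad permission or bind rule: %s" % clause)
        rights = [r.strip() for r in m.group(2).split(",")]
        unknown = set(rights) - RIGHTS
        if unknown:
            raise ValueError("unknown rights: %s" % ", ".join(sorted(unknown)))
        rules.append((m.group(1), rights, m.group(3).strip()))
    return Aci(name_match.group(1), targets, rules)

def target_attributes(aci):
    """Attributes named by targetattr=; [] means the page's default of no attribute access."""
    for keyword, op, expr in aci.targets:
        if keyword == "targetattr" and op == "=":
            return [a.strip() for a in expr.split("||")]
    return []

def is_valid_aci(text):
    """True when parse_aci accepts the string, False on any syntax error."""
    try:
        parse_aci(text)
        return True
    except ValueError:
        return False
```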
�U�C�U�`�Բӻ��� ACI ���C�@���*��y�k�C
�w�q�ؼ�
�ؼз|�ѧO��̷|�M�� ACI�C��Τ�ݭn�D�ﶵ�ؤ����ݩʰ��@�~�ɡA��A���|���ؼСA�F�ѬO�_������� ACI �H���\�Ωڵ��@�~�C�p�G����w�ؼСA�h ACI �|�M�Ψ�]�t aci �ݩʪ����ؤ����Ҧ��ݩʡA�Ψ�U�Ҧ����ءC
�ؼЪ��@��y�k���U�C�䤤�@���G
(keyword = "expression")
(keyword != "expression")
�䤤�G
- keyword ��ܥؼЪ������C�� 6-1 ��������r�w�q�U�C�ؼ������G
- ���� (=) ��ܥؼЬO expression ����w������A�Ӥ����� (!=) ��ܥؼЬO expression ������w�����C
- expression �|�]����r�Ӧ����P�A���ѧO�ؼСC��M�ثe��@�W���� targetattr=* ���B�⦡�Aexpression �b�y�k�W�٬O�ݭn�� ("")�C�b�N�Ӫ������y�k�ˬd�i���ܱo���Y��A�ҥH3�ӨC�����ϥΤ��C
�U��C�X�C������r�ά���B�⦡�G
�� 6-1 LDIF �ؼ�����r
����r
���Ī��B�⦡
���\�U�Φr���ܡH
target
ldap:///distinguished_name
�O
targetattr
attribute
�O
targetfilter
LDAP_filter
�O
targattrfilters
LDAP_operation:LDAP_filter
�O
�N�ؿ�س]���ؼ�
�ϥ� target ����r�M LDAP URL ���� DN �i�N�S�w�ؿ�ؤΨ�U��س]���ؼСC�ؼЪ� DN ������b ACI �w�q��m�����ؤU���𪬤l�ؿ�C�ؼйB�⦡���y�k�p�U�G
(target = "ldap:///distinguished_name")
(target != "ldap:///distinguished_name")
��O�W�٥�����b�H ACI �w�q��m�����ج��ڳ����𪬤l�ؿ�C�Ҧp�A�H�U�ؼХi�Ω� ou=People,dc=example,dc=com �W�� ACI ���G
(target = "ldap:///uid=bjensen,ou=People,dc=example,dc=com")
�Ƶ�
���ت� DN �����O�H�r���� (RFC 2253) ����O�W�١C�]���r���b��k�W�� dn �ܭ��n�A�Ҧp�r�������H�ϱu (\) �������C�Ҧp�G
(target="ldap:///uid=cfuentes,o=Example Bolivia\, S.A.")
�]�i�H�b DN ���ϥθU�Φr���A�N���ŦX LDAP URL �����س]���ؼСA���ؼƶq�����C�U�C�O�U�Φr�����T�Ϊk���d�ҡG
���\�ϥΦh�ӸU�Φr���A�Ҧp uid=*,ou=*,dc=example,dc=com�C���d�Ҥ�� example.com �𪬥ؿ���O�W�٥]�t uid �P ou �ݩʪ��C�Ӷ��ءC
�Ƶ�
��O�W�٪��=X���$���ϥθU�Φr���C�]�N�O�A�p�G�z���ؿ�ϥΧ=X c=US �P c=GB�A�h�����ϥΤU�C�ؼШӰѦҳo��ӧ=X�G
(target="ldap:///dc=example,c=*").
�]����ϥι� uid=bjensen,o=*.com �o�˪��ؼСC
�ؼ��ݩ�
���F�H�ؿ�ج��ؼФ��~�A�]�i�H�N�ؼж��ت��@�Φh���ݩʡA�άO�@�Φh���ݩʰ��~���Ҧ��ݩʳ]���ؼСC�o���ڵ��Τ��\�s��ت����8�T�D�`���ΡC�Ҧp�A�z�i�H���\�u�s���w���ت��@��W�١B�m��P�q�ܸ��X�ݩʡF�Ϊ̡A�z�i�H�ڵ��s��ӷP����T�A�Ҧp�ӤH��ơC
�p�G�S�� targetattr �W�h�A�̹w�]�ȵL�k�s�����ݩʡC�Y�n�s��Ҧ��ݩʡA�W�h�����O targetattr="*"�C
�ؼ��ݩʤ����s�b�ؼж��ةΨ�𪬤l�ؿ�A��u�n�o���ݩʦs�b�A�N�|�M�� ACI�C�z�]���ؼЪ��ݩʤ����b���c���w�q�C�o�دʥF���c�ˬd���覡��z�b�פJ��ƤΨ䵲�c�e�K�i���s�����C
�Y�n�N�ݩʳ]���ؼСA�Х� targetattr ����r�ô����ݩʦW�١Ctargetattr ����r�ϥΤU�C�y�k�G
(targetattr = "attribute")
(targetattr != "attribute")
�i�H�ϥΤU�C�y�k�Q�� targetattr ����r�A�N�h���ݩʳ]���ؼСG
(targetattr = "attribute1 || attribute2 ...|| attributen")
(targetattr != "attribute1 || attribute2 ...|| attributen")
�Ҧp�A�n�N���ت��@��W�١B�m��� uid �ݩʳ]���ؼСA�ШϥΡG
(targetattr = "cn || sn || uid")
�ؼ��ݩʥ]�t�R�W�ݩʪ��Ҧ��l�����C�Ҧp�A(targetattr = "locality") �]�|�H locality;lang-fr ���ؼСC�]�i�H�S�O�N�l�����]���ؼСA�Ҧp (targetattr = "locality;lang-fr-ca")�C
�z�i�H�b targetattr �W�h���ϥθU�Φr���A��ä����y�ϥΡA�]���S���S�O���γ~�A�ӥB�i���į�t�����v�T�C
�N���ػP�ݩʨ�̳]���ؼ�
�̹w�]�ȡA�]�t targetattr ����r�� ACI ���ؼж��جO ACI �Ҧb��m�����ءC�]�N�O�A�p�G�N ACI
aci:(targetattr = "uid")(accessControlRules;)
��b ou=Marketing, dc=example,dc=com ���ؤW�A�h ACI �|�M�Φb��� Marketing �𪬤l�ؿ�C��z�]�i�H�� target ����r��T��w�ؼСA�Ϊk�p�U�G
aci:(target="ldap:///uid=*,ou=Marketing,dc=example,dc=com")
(targetattr="uid") (accessControlRules;)
target �P targetattr ����r����w���Ǥ�����C
�ϥ� LDAP �z�ᄍ�N���ة��ݩʳ]���ؼ�
�i�H�ϥ� LDAP �z�ᄍ�N�ŦX�Y�DZ���زճ]���ؼСC�Y�n�p���]�w�A�Цb targetfilter ����r���ϥ� LDAP �z�ᄍ�C�� ACI �N�M�Φb���t ACI �����ؤU�𪬤l�ؿ�ŦX�z�ᄍ���Ҧ����ءC
targetfilter ����r���y�k���G
(targetfilter = "LDAPfilter")
�䤤 LDAPfilter �O�зǪ� LDAP �j�M�z�ᄍ�C�p�����z�ᄍ�y�k���ԲӸ�T�A�аѾ\�uLDAP �j�M�z�ᄍ�v�C
�Ҧp�A���]�N���u���Ҧ����س��� salaried �� contractor ���A�A�٦��@�ӥN��u�@�ɼƪ��ݩʡA���ݩʥH��¾�u�@���ʤ$�Φ���ܡC�Y�n�N�N�� contractor �έ�¾��u���Ҧ����س]���ؼСA�z�i�H�ϥΤU�C�z�ᄍ�G
(targetfilter = "(|(status=contractor)(fulltime<=79))")
�Ƶ�
ACI �����䴩�y�z��ڤƭȹ�3�W�h���z�ᄍ�y�k�C�Ҧp�A�U�C�ؼпz�ᄍ�L�ġG
(targetfilter = "(locality:fr:=<= Quebec)")
�ؼпz�ᄍ�N���鶵�ؿאּ ACI ���ؼСC�i�H�N targetfilter �P targetattr ����r�������p�A��إߪ� ACI �|�M�Φb�ؼж��ؤ����ݩʤl���W�C
�U�C LDIF �d���� Engineering Admins �s�ժ�������ק� Engineering �~�����O���Ҧ����ت� departmentNumber �P manager �ݩʡC���d�Ҩϥ� LDAP �z��覡��� businessCategory �ݩʳ]�� Engineering ���Ҧ����ءG
dn:dc=example,dc=com
objectClass:top
objectClass:organization
aci:(targetattr="departmentNumber || manager")
(targetfilter="(businessCategory=Engineering)")
(version 3.0; acl "eng-admins-write"; allow (write)
groupdn ="ldap:///cn=Engineering Admins, dc=example,dc=com";)
�ϥ� LDAP �z�ᄍ�N�ݩʭȳ]���ؼ�
�i�H�ϥΦs���N�S�w�ݩʭȳ]���ؼСC�o��ܱz�i�H�̾��ݩʭȬO�_�ŦX ACI ���w�q�����A�ӱ»P�Ωڵ��v���C�̾��ݩʭȱ»P�Ωڵ��s���v�� ACI �٬��H�Ȭ���¦�� ACI�C
�Ҧp�A�i�H�»P��´���Ҧ��ϥΪ̭ק諸�v���A�H�ק�L�̦ۤv���ؤ��� nsRoleDN �ݩʡC��O�A�z�]�Ʊ�T�O�L�̤��|���ۤv��P�Y�ǭ��n����A�p�uTop Level Administrator�v�CLDAP �z�ᄍ�i�Ψ��ˬd�ݩʭȬO�_�ŦX���C
�Y�n�إߥH�Ȭ���¦�� ACI�A�����H�U�C�y�k�ϥ� targattrfilters ����r�G
(targattrfilters="add=attr1:F1 && attr2:F2...&& attrn:Fn,
del=attr1:F1 && attr2:F2 ...&& attrn:Fn")
�䤤�G
�إ߶��خɡA�p�G�N�z�ᄍ�M�Ψ�s���ؤ����ݩʡA�h���ݩʪ��C�ӹ�ҳ����������ӿz�ᄍ�C�R�����خɡA�p�G�N�z�ᄍ�M�Φb�Ӷ��ؤ����ݩʡA�h���ݩʪ��C�ӹ�Ҥ]�����������ӿz�ᄍ�C
�קﶵ�خɡA�p�G�@�~�[�J�ݩʡA�h���������M�Φb���ݩʪ��[�J�z�ᄍ�F�p�G�@�~�R���ݩʡA�h���������M�Φb���ݩʪ��R���z�ᄍ�C�p�G�w�s�b�ؤ����ݩʪ��ӧO�ȳQ��N�F�A�h�����P�ɺ����[�J�P�R���z�ᄍ�C
�Ҧp�A�ЦҼ{�U�C�ݩʿz�ᄍ�G
(targattrfilters="add=nsroleDN:(!(nsRoleDN=cn=superAdmin)) && telephoneNumber:(telephoneNumber=123*)")
���z�ᄍ�i�ΨӤ��\�ϥΪ̱N��� (nsRoleDN �ݩ�) �[�J��ۤv�����ؤ��A�� superAdmin ���Ⱓ�~�C���]���\�ϥΪ̥[�J�r���� 123 ���q�ܸ��X�C
�N��@�ؿ�س]���ؼ�
�S����T����k�i�H�N��@���س]���ؼСC���٬O�i�H���o��G
- �Q�Ϋإ߳s���W�h�A�N�s���n�D�����ϥΪ̿�J��3�x�s�b�ؼж��ؤ����ݩʭȡC�p�ݧ�h�ԲӸ�ơA�аѾ\�u�ھڬ۲ŭȩw�q�s��v�C
- �ǥѨϥ� targetfilter ����r�C
�ǥѨϥ� targetfilter ����r�A�z�K�i�H��w�u�|�b�һݶ��ؤ��X�{���ݩʭȡC�Ҧp�A�b Directory Server �w�˴v��|�إߤU�C ACI�G
aci:(targetattr="*")(targetfilter="(o=NetscapeRoot)")
(version 3.0; acl "Default anonymous access";
allow (read, search) userdn="ldap:///anyone";)
�� ACI �u��M�Φb o=NetscapeRoot ���ءA�]���u���o�Ӷ��ت� o �ݩʭȬO NetscapeRoot�C
�ϥγo�Ǥ�k�H���ӨӪ����I�O�z���𪬥ؿ�ӥi��|���ܡA���ɽаȥ��O�o�n�ק惡 ACI�C
�ϥΥ����w�q�ؼ�
�z�i�H�ϥΥ����b ACI ���ؼг��$��N�� DN�A�]���̨Τƥؿ�ϥΪ� ACI �ƥءC�p�ݸԲӸ�T�A�аѾ\�u�i�����s���G�ϥΥ��� ACI�v�C
�w�q�v��
�v���i�H��w���\�Ωڵ��s�������C�i�H���\�Ωڵ��b�ؿ���S�w�@�~���v���C�U�إi�ѫ�w���@�~�٬��v�Q�C
�]�w�v���,���ӳ��!G
���\�Ωڵ��s��
�i�H��T���\�Ωڵ��s��𪬥ؿ��v���C�p�������3���\�P�ڵ��s��Բӻ���A�аѾ\�mDirectory Server Deployment Planning Guide�nChapter 7 "Designing Access Control"�C
��w�v�Q
�v�Q�ԲӦC�X�ϥΪ̥i��ؿ��ư�檺�S�w�@�~�C�i�H���\�Ωڵ��Ҧ��v�Q�A�]�i�H��w�U�C�@�Φh���v�Q�G
Ū��C��ܨϥΪ̬O�_��Ū��ؿ��ơC���v���ȾA�Ω�j�M�@�~�C
�g�J�C��ܨϥΪ̬O�_��[�J�B�ק�ΧR���ݩ��H�קﶵ�ءC���v���A�Ω�ק�P modrdn �@�~�C
�[�J�C��ܨϥΪ̬O�_��إ������C���v���ȾA�Ω�[�J�@�~�C
�R���C��ܨϥΪ̬O�_��R�������C���v���ȾA�Ω�R���@�~�C
�j�M�C��ܨϥΪ̬O�_��j�M�ؿ��ơC�ϥΪ̥����֦��j�M�PŪ���v�Q�A�~��N�Ǧ^����Ƶ�j�M���G���@����C���v���ȾA�Ω�j�M�@�~�C
���C��ܨϥΪ̬O�_��N�L�̴��Ѫ���ƻP�ؿ��x�s����ư����C�Y�֦�����v�Q�A�ؿ�b�^3�d�߮ɷ|�Ǧ^���\�Υ��ѰT���A��ϥΪ̬ݤ��춵�ة��ݩʪ��ȡC���v���ȾA�Ω���@�~�C
�ۼg�C��ܨϥΪ̬O�_��b�ؼж��ت��ݩʤ��[�J�ΧR���L�̦ۤv�� DN�C���ݩʪ��y�k�����O�u��O�W�١v�C���v�Q�ȨѸs�պz���ΡC�ۼg�n�t�X�N�z���Ҥ@�_�ϥΡG���|�»P�q�s�ն��ؤ��[�J�ΧR���N�z DN ���v�Q (���O�s���ϥΪ̪� DN)�C
�N�z�C��ܫ�w�� DN �O�_��ϥΥt�@�Ӷ��ت��v�Q�s��ؼСC�z�i�H�ϥΥؿ���ϥΪ̪� DN (�ؿ�z�� DN ���~) �»P�N�z�s���v�C���Ȧp���A�z�L�k�N�N�z�v�Q�»P�ؿ�z��C�u�N�z���� ACI �d�ҡv�����ѤF�@�ӽd�ҡC
�����C��ܫ�w�� DN ��ؼж��ؾ֦��Ҧ��v�Q (Ū��B�g�J�B�j�M�B�R���B���P�ۼg)�A�����]�A�N�z�v�Q�C
�v�Q���»P�����W�ߡC�o�����o�[�J�v�Q���ϥΪ̥i�H�إ߶��ءA��p�G�ӨϥΪ̤����S�O��o�R���v�Q�A�h�L�k�R�����ءC�]���A�W���ؿ�s�����ɡA�����T�w�»P�v�Q���覡��ϥΪ̦��N�q�C�Ҧp�A�u�»P�g�J�v���A�o���»PŪ��P�j�M�v���A�K�S���N�q�C
LDAP �@�~�һݪ��v�Q
���`����ھڱz�n���v�ϥΪ̰�椧 LDAP �@�~�����P�A�z�����»P�ϥΪ̤��P���v�Q�C
�[�J���ءG
�R�����ءG
�קﶵ�ت��ݩʡG
�קﶵ�ت� RDN�G
����ݩʭȡG
�j�M���ءG
�ѷӤU�C�d�ҡA�i�H��e��F�ѭn���\�ϥΪ̷j�M�ؿ�ҥ����]�w���v���C�Ы�ҤU�C�j�M�G
ldapsearch -h host -p port -D "uid=bjensen,dc=example,dc=com" \
-w password -b "dc=example,dc=com" \
"(objectclass=*)" mail
�ϥΤU�C ACI �M�w bjensen �ϥΪ̬O�_����o�s���v�G
aci:(targetattr = "mail")(version 3.0; acl "self access to mail";
allow (read, search) userdn = "ldap:///self";)
�j�M���G�M��ťաA�]���� ACI �����\ bjensen �b objectclass �ݩʤW�j�M���v���C�p�G�Ʊ�W�z���j�M�@�~���\�A�����ק� ACI �H�KŪ��A�p�U�G
aci:(targetattr = "mail || objectclass")(version 3.0;
acl "self access to mail"; allow (read, search) userdn = "ldap:///self";)
�v���y�k
�b ACI ���z�����A�v�����y�k���G
allow|deny (rights)
�䤤 rights �O�A���� 1 �� 8 �ӥH�r���9j������r�M��C��������r�� read�Bwrite�Badd�Bdelete�Bsearch�Bcompare�Bselfwrite�Bproxy �� all�C
�b�U�C�d�Ҥ��A�p�G�s���W�h�����G�O���T�A�K���\Ū��B�j�M�P���s��G
aci:(target="ldap:///dc=example,dc=com") (version 3.0;acl
"example"; allow (read, search, compare) bindRule;)
�s���W�h��ؿ�w�q�� ACI �����P�A���ǧ@�~�����s����ؿ�C�s����ܴ��ѳs�� DN �P�K�X (�p�G�ϥ� SSL�A�h���Ѿ���) ��z�ۨ��n�J�ؿ�γq�L�ؿ����ҡC�s���@�~���Ҵ��Ѫ����ҡA�H�γs�������p���i�M�w�O�_���\�Ωڵ��s��ؿ�C
ACI �����C���v���ճ����@�ӹ�3���s���W�h�A���W�h�ԲӦC�X���n�����һP�s���ѼơC
²�檺�s���W�h�i��ݭn�s��ؿ�ϥΪ̥����ݩ�S�w���s�աC����s���W�h�i����ϥΪ̥����ݩ�S�w�s�աA�ӥB�����b�W�� 8 �I��U�� 5 �I�����q�S�w IP ��}���q���n�J�C
�s���W�h�W�w�i�H�s��ؿ�H��B�ɶ��P�a�I�C�s���W�h�i�H�����a�W�w�G
���~�A�i�H�ϥΥ��L�B��l�N�o�DZ��[�H�զX�A��s�������c��[����C�p�ݧ�h��T�A�аѾ\�u�ϥΥ��L�s���W�h�v�C
��A���|�ھ������� LDAP �z�ᄍ�ɩҨϥΪ��T����A�ӵ�� ACI ���ҥΪ���B�⦡�A�p�uRFC 2251 ���q���ؿ�s��q�T��w (v3) �v���ҭz�C�`�Ө����A�o��ܦp�G�B�⦡�������Q�����w�q (�Ҧp�A�p�G�]���귽����ϹB�⦡����)�A�h��A���|���T�a�B�z�o�ر��p�G�����|�]�������L�B�⦡���X�{���w�q���ȡA�ӿ�~�a�»P�s���v�C
�s���W�h�y�k
�H ACI ���s���W�h�O�_�����T�A�@���O�_�n���\�Ωڵ��s��̾ڡC�s���W�h�ϥΤU�C��ؼҦ����@�G
keyword = "expression";
keyword != "expression";
�䤤���� (=) ��� keyword �P expression �����ŦX�A�s���W�h�~�|�������T�F�Ӥ����� (!=) �h��� keyword �P expression �������ŦX�A�s���W�h�~�|�������T�C
expression �P�� ("") �M�9j���_�� (;) �O���n���C�i�Ϊ��B�⦡�������p�� keyword �өw�C
�U��C�X�C������r�P���p���B�⦡�A�ë�X�B�⦡���O�_���\�U�Φr���C
�U�C�U�`�N�i�@�B�Բӻ���C������r���s���W�h�y�k�C
�w�q�ϥΪ̦s�� - userdn ����r
�ϥΪ̦s��O�� userdn ����r�өw�q�Cuserdn ����r�ݱĥΤU�C�榡���@�Φh�Ӧ��Ŀ�O�W�١G
userdn = "ldap:///dn [|| ldap:///dn]..."
userdn != "ldap:///dn [|| ldap:///dn]..."
�䤤 dn �i�H�O DN �άO anyone�Ball�Bself �� parent ���B�⦡���@�C�o�ǹB�⦡�|�ѷӤU�C�ϥΪ̡G
userdn ����r�]�i�H��ܬ��p�U�C�榡�� LDAP �z�ᄍ�G
userdn = "ldap:///suffix??sub?(filter)"
�ΦW�s�� (anyone ����r)
�»P�ΦW�s��ؿ��v���A��ܤ��׳s�����p�p��A���H�����ݴ��ѳs�� DN �αK�X�Y�i�s��ӥؿ�C�i�H�N�ΦW�s���b�S�w�������s�� (�Ҧp�AŪ��s��ηj�M�s��)�A�άO����b�S�w�𪬤l�ؿ�A�Υؿ�ӧO���ءC�ϥ� anyone ����r���ΦW�s��]���\������ҨϥΪ̦s��C
�Ҧp�A�p�G�n���\�ΦWŪ��M�j�M�s���� example.com �𪬥ؿ�A�Цb dc=example,dc=com �`�I�W�إߤU�C ACI�G
aci:(version 3.0; acl "anonymous-read-search";
allow (read, search) userdn = "ldap:///anyone";)
�@��s�� (all ����r)
�i�H�γs���W�h����v���A�Ω\�s���ӥؿ���H�C�]���Aall ����r���\�Ҧ����ҨϥΪ̦s��C�p���@�ӬJ�i�H���\�@��s��A�P�ɤS�ਾ��ΦW�s��C
�Ҧp�A�p�G�n�N��Ӿ𪬥ؿ�Ū��s��»P�Ҧ����ҨϥΪ̡A�Цb dc=example,dc=com �`�I�W�إߤU�C ACI�G
aci:(version 3.0; acl "all-read"; allow (read)
userdn="ldap:///all";)
�ۨ��s�� (self ����r)
��w���v�Ωڵ��ϥΪ̦s��L�̦ۤv�����ءC�b�����p�U�A�p�G�s�� DN �ŦX�ؼж��ت� DN�A�K�»P�Ωڵ��s��C
�Ҧp�A�p�G�n���v example.com �𪬥ؿ�Ҧ��ϥΪ̧��i�g�J�s��� userPassword �ݩʡA�Цb dc=example,dc=com �`�I�W�إߤU�C ACI�C
aci:(targetattr = "userPassword") (version 3.0; acl "modify own password";
allow (write) userdn = "ldap:///self";)
��ئs�� (parent ����r)
��w�ߦ��s�� DN �O�ؼж��ت���خɡA�~�»P�Ωڵ��ϥΪ̦s��Ӷ��ءC�Ъ`�N�A�����b Server Console ����ʽs�� ACI�A�~��ϥ� parent ����r�C
�Ҧp�A�p�G�n���\�ϥΪ̥i�ק�L�̳s�� DN �����l���ءA�Цb dc=example,dc=com �`�I�W�إߤU�C ACI�G
aci:(version 3.0; acl "parent access";
allow (write) userdn="ldap:///parent";)
LDAP URL
�i�H�b ACI ���ϥΤU�C�]�t�z�ᄍ�� URL�A�ʺA�a�N�ϥΪ̳]���ؼСG
userdn = "ldap:///<suffix>??sub?(filter)"
�Ҧp�A�ھڤU�C URL�A�ʺA�a���v�Ωڵ� example.com �𪬥ؿ� accounting �P engineering �$䤺�Ҧ��ϥΪ̦s��ؼи귽���v���G
userdn = "ldap:///dc=example,dc=com??sub?(|(ou=eng)(ou=acct))"
�p�ݸԲӸ�T�A�аѾ\�mDirectory Server Administration Reference�n���� Chapter 6 "LDAP URL Reference"�C
�U�Φr��
�]�i�H�ϥθU�Φr�� (*) ��w�@�ըϥΪ̡C�Ҧp�A��w uid=b*,dc=example,dc=com ���ϥΪ� DN�A�i��ܨ̾ڱz�]�w���v���A�u���\�Ωڵ��s�� DN �O�H b ���}�Y���ϥΪ̪��s���v���C
LDAP URL ���� OR
��w�ƭ� LDAP URL ������r�B�⦡�H�إߨϥΪ̦s�����W�h�C�Ҧp�G
userdn = "ldap:///uid=b*,c=example.com ||
ldap:///cn=b*,dc=example,dc=com";
�P��@ DN �Ҧ��s�����ϥΪ̤��s���W�h�Q���u�C
�ư��S�w LDAP URL
�ϥΤ����� (!=) �B��r�w�q�ư��S�w URL �� DN ���ϥΪ̦s��C�Ҧp�G
userdn != "ldap:///uid=*,ou=Accounting,dc=example,dc=com";
�p�G�Τ�ݤ��O�H accounting �𪬤l�ؿ�H UID ����¦����O�W�٨ӳs���A�h�s���W�h�|�Q�����T�C�u����ؼж��ؤ��b�𪬥ؿ� accounting �$�U�ɡA���s���W�h�~���D�z�C
�w�q�s�զs�� - groupdn ����r
�S�w�s�ժ�����i�s��ؼи귽�F�o�٬��s�զs���C�s�զs��O�� groupdn ����r�w�q�A�H��w�ϥΪ̦p�G���ݩ�S�w�s�ժ� DN �s���A�Y���v�Ωڵ��ӨϥΪ̦s��ؼж��ءC
groupdn ����r�ݭn�ĥΤU�C�榡���@�Φh�Ӹs�աG
groupdn="ldap:///groupDN [|| ldap:///groupDN]..."
�p�G�s�� DN �ݩ��� groupDNs.��w���s�աA�h�s���W�h�|�Q�����T�C�U�`�ϥ� groupdn ����r���ѽd�ҡC
��@ LDAP URL
groupdn = "ldap:///cn=Administrators,dc=example,dc=com";
�p�G�s�� DN �ݩ� Administrators �s�աA�h�s���W�h�|�Q�����T�C�p�G�n�N��Ӿ𪬥ؿ�g�J�v���»P�� Administrators �s�աA�Цb dc=example,dc=com �`�I�W�إߤU�C ACI�G
aci:(version 3.0; acl "Administrators-write"; allow (write)
groupdn="ldap:///cn=Administrators,dc=example,dc=com";)
LDAP URL ���� OR
groupdn = "ldap:///cn=Administrators,dc=example,dc=com ||
ldap:///cn=Mail Administrators,dc=example,dc=com";
�p�G�s�� DN �ݩ� Administrators �� Mail Administrators �s�աA�h�s���W�h�|�Q�����T�C
�w�q����s�� - roledn ����r
�S�w���⪺����i�s��ؼи귽�F�o�٬�����s���C����s��O�� roledn ����r�w�q�A�H��w�ϥΪ̦p�G���ݩ�S�w���⪺ DN �s���A�Y���v�Ωڵ��ӨϥΪ̦s��ؼж��ءC
roledn ����r�ݭn�ĥΤU�C�榡���@�Φh�Ӧ��Ŀ�O�W�١G
roledn = "ldap:///dn [|| ldap:///dn]...[|| ldap:///dn]"
�p�G�s�� DN �ݩ��w������A�h�s���W�h�|�Q�����T�C
roledn ����r�P groupdn ����r���y�k�P�Ϊk���@�ˡC
�ھڬ۲ŭȩw�q�s��
�i�H�]�w�s���W�h�A�H��w�Ψӳs���ؿ���ݩʭȥ����P�ؼж��ت��ݩʭȬ۲šC
�Ҧp�A�i�H��w�s�� DN �����P�ϥΪ̶��ؤ� manager �ݩʪ� DN �۲šA�~��M�� ACI�C�b�����p�U�A�u���ϥΪ̪��z��i�H�s��Ӷ��ءC
���d�ҬO�ھ� DN �۲ŭȡC�M�ӡA�i�H�N�s�����ҥζ��ت�����ݩʻP�ؼж��ؤ��C�Ҧp�A�i�H�إ� ACI�A���\ favoriteDrink �ݩʬ��ubeer�v�����ϥΪ�Ū��� favoriteDrink �ȬۦP����L�ϥΪ̪��Ҧ����ءC
�ϥ� userattr ����r
userattr ����r�i�Ψӫ�w�s�����ػP�ؼж��ؤ��������۲Ū��ݩʭȡC
�i�H��w�G
userattr ����r�� LDIF �y�k�p�U�G
userattr = "attrName#bindType"
�Ϊ̡A�p�G�ثe�ϥΪ��ݩ������ݭn���Ȭ��ϥΪ� DN�B�s�� DN�B���� DN �� LDAP �z�ᄍ�H�~���ȡG
userattr = "attrName#attrValue"
�䤤�G
�U�C�U�`���� userattr ����r�ϥΦU�ؤ��P�s���������d�ҡC
�ϥ� USERDN �s���������d��
�U�C���P�H�ϥΪ� DN ����¦���s�������p�� userattr ����r�d�ҡG
userattr = "manager#USERDN"
�p�G�s�� DN �P�ؼж��ؤ� manager �ݩʪ��Ȭ۲šA�h�s���W�h�|�Q�����T�C�i�H�ϥγo�ؤ覡���\�ϥΪ̪��z��ק��u�ݩʡC�u����ؼж��ؤ��� manager �ݩʪ�ܦ����� DN �ɡA�����~���@�ΡC
�U�C�d�ҷ|���v�z��i����s����u���ت��v���G
aci:(target="ldap:///dc=example,dc=com")(targetattr="*")
(version 3.0;acl "manager-write";
allow (all) userattr = "manager#USERDN";)
�ϥ� GROUPDN �s���������d��
�U�C���P�H�s�� DN ����¦���s�������p�� userattr ����r�d�ҡG
userattr = "owner#GROUPDN"
�p�G�s�� DN �O�ؼж��� owner �ݩʤ���w���s�զ���A�h�s���W�h�|�Q�����T�C�Ҧp�A�i�H�ϥΦ����H���\�s�պz��u�����A��T�C�i�H�ϥ� owner �H�~���ݩʡA�u�n�ҨϥΪ��ݩʤ��]�t�s�ն��ت� DN�C
�z�ҫ�V���s�եi�H�O�ʺA�s�աA�ӥB�s�ժ� DN �i�H�b�ؿ���=X�U�C�M�ӡA�Ѧ�A�����o�� ACI �|�D�`�ӶO�귽�C
�p�G�ϥλP�ؼж��ئb�P�@�=X�U���R�A�s�աA�i�H�ϥΤU�C�B�⦡�G
userattr = "ldap:///dc=example,dc=com?owner#GROUPDN"
�b���d�Ҥ��A�s�ն��ئ�b dc=example,dc=com �=X�U�C��A���B�z���������y�k���t�|��W�@�ӽd�ҧ֡C
�ϥ� ROLEDN �s���������d��
�U�C���P�H���� DN ����¦���s�������p�� userattr ����r�d�ҡG
userattr = "exampleEmployeeReportsTo#ROLEDN"
�p�G�s�� DN �ݩ�ؼж��ت� exampleEmployeeReportsTo �ݩʤ���w������A�h�s���W�h�|�Q�����T�C�Ҧp�A�p�G�����q�����Ҧ��z��إ߱_������A�z�i�H�ϥΦ������v�Ҧ����h���z��i�s����h��z��C����u����T�C
���⪺ DN �i�b�ؿ���=X�U�C���~�A�p�G�z�ϥοz�諸����A���o�� ACI �|�ӥΦ�A���W�j�q���귽�C
�ϥ� LDAPURL �s���������d��
�U�C���P�H LDAP �z�ᄍ����¦���s�������p�� userattr ����r�d�ҡG
userattr = "myfilter#LDAPURL"
�p�G�s�� DN �ŦX�ؼж��ت� myfilter �ݩʤ���w���z�ᄍ�A�h�s���W�h�|�Q�����T�Cmyfilter �ݩʥi�H�ѥ]�t LDAP �z�ᄍ������ݩʨ�N�C
�ϥΥ���ݩʭȪ��d��
�U�C���P�H����ݩʭȬ���¦���s�������p�� userattr ����r�d�ҡG
userattr = "favoriteDrink#Beer"
�p�G�s�� DN �P�ؼ� DN �]�t�� Beer �Ȫ� favoriteDrink �ݩʡA�h�s���W�h�|�Q�����T�C
�b userattr ����r���ϥ��~��
��ϥ� userattr ����r�N�s���ҥζ��ػP�ؼж��ز������p�ɡAACI �u�|�M�Φb��w���ؼСA�Ӥ��|�M�Φb��U�����ءC�b�Y�Ǫ��p�U�A�z�i��Ʊ�N ACI ���M�Υѥؼж��ئV�U����X�Ӽh�šC�u�n�ϥ� parent ����r�A�ë�w�ؼФ��U3�~�� ACI ���h�żơA�N�i�H��o��C
��ϥλPparent ����r�����p�� userattr ����r�ɡA�y�k�p�U�G
userattr = "parent[inheritance_level].attribute#bindType"
�䤤 :
�Ҧp�G
userattr = "parent[0,1].manager#USERDN"
�p�G�s�� DN �P�ؼж��ت� manager �ݩʬ۲šA�h�s���W�h�|�Q�����T�C��s���W�h�����T�ɡA�ұ»P���v���|�M�Φb�ؼж����H�����U�@�h���Ҧ����ءC
�ϥ� userattr �~�Ӫ��d��
�U�Ϥ����d�Ҫ�ܤ��\ bjensen �ϥΪ�Ū��P�j�M cn=Profiles ���ءA�H�Υ]�t cn=mail �P cn=news ���Ĥ@�h�l���ءC
�� 6-1 �b userattr ����r���ϥ��~��
�b���d�Ҥ��A�p�G���ϥ��~�ӡA�N�������U�C��@���~����o�P�˪����G�G
�ϥ� userattr ����r�»P�[�J�v��
�p�G�N userattr ����r�f�t all �� add �v���@�_�ϥΡA�z�i��o�{��A�����B�@�覡�P�w�j��p���۲šC�@��Ө��b�ؿ�إ߷s���خɡADirectory Server �|��إߪ����ئӫD��ص���s���v�Q�C�M�Ӧb�ϥ� userattr ����r�� ACI ���A���B�@�覡�i��y���w���W���|�}�A�]���n�ק��A�����`���B�@�覡�H�קK�����p�o�͡C
�Ы�ҤU�C�d�ҡG
aci:(target="ldap:///dc=example,dc=com")(targetattr="*")
(version 3.0; acl "manager-write"; allow (all)
userattr = "manager#USERDN";)
�� ACI �N�z���ݭ�u���ت������v�Q�»P�z��C��O�A�]���s���v�Q�O�b�إߪ����ؤW���A�o�� ACI �]�|���\����u�إ߶��ءA�ñN manager �ݩʳ]���L�̦ۤv�� DN�C�Ҧp�A���h��������u Joe (cn=Joe,ou=eng,dc=example,dc=com) �i��|�b�𪬥ؿ� Human Resources �$䤤�إ߶��ءA�H�ϥ� (���ݥ�) �»P Human Resources ��u���v���C
�L�i�H�Q�ΫإߤU�C���بӹF�����ت��G
dn:cn=Trojan Horse,ou=Human Resources,dc=example,dc=com
objectclass:top
...
cn:Trojan Horse
manager:cn=Joe,ou=eng,dc=example,dc=com
���קK�o���w���ʫ¯١AACI ���B�z�{�Ǥ��|�b�h�� 0 (�]�N�O���إ���) �»P�[�J�v���A��z�i�H�� parent ����r�»P�{�����ؤU���[�J�v�Q�C�z������w��ؤU�ݭn�[�J�v�Q���h�żơC�Ҧp�A�U�C ACI ���\�� dc=example,dc=com ������إ[�J�l���ءA�u�n�Ӷ��ئ��ŦX�s�� DN �� manager �ݩʡG
aci:(target="ldap:///dc=example,dc=com")(targetattr="*")
(version 3.0; acl "parent-access"; allow (add)
userattr = "parent[0,1].manager#USERDN";)
�� ACI �i�T�O�[�J�v���u�»P��s�� DN �P��ت� manager �ݩʬ۲Ū��ϥΪ̡C
�w�q�ӦۯS�w IP ��}���s��
�ϥγs���W�h�A�i�H��ܳs���@�~�����_���ۯS�w IP ��}�C�o�q�`�Ψӱj����Ҧ��ؿ��s���q��w���q���κ����o�͡C
�]�w�H IP ��}����¦���s���W�h�� LDIF �y�k�p�U�G
ip = "IPaddressList" �� ip != "IPaddressList"
IPaddressList �O�@�i�M��A�H�@�Φh�ӳr���N���$9j�A�䤤�����%i���U�C��@���G
- �S�w�� IPv4 ��}�G 123.45.6.7
- �ϥθU�Φr���� IPv4 ��}�A�H��w�l���G 12.3.45.*
- �ϥΤl���B�n�� IPv4 ��}�Τl���G 123.45.6.*+255.255.255.115
- ��Į榡�� IPv6 ��}�A��榡�w�q�� RFC 2373 (http://www.ietf.org/rfc/rfc2373.txt)�C�U�C��}�ۦP�G
- IPv6 ��}�Ψ�l���r����סG12AB::CD30:0:0:0:0/60
�p�G�s��ؿ�Τ�ݦ�b�R�W�� IP ��}���A�h�s���W�h�|�Q�����T�C�o���u���\�q�S�w�l���ιq���i��Y�إؿ�s��Ө��O�D�`���ΡC�ӦۨϥΪ����Ҫ� IP ��}�i�ण�O���T���A�]���L�k���H��C�ФŨ̳o�ظ�T�M�w ACI�C
�q Server Console �W�A�i�H�z�L [�s���s�边] �w�q�n�M�� ACI ���S�w�q���C�p�ݸԲӸ�T�A�аѾ\�u�ϥΥD���x�إ� ACI�v�C
�w�q�ӦۯS�w��쪺�s��
�s���W�h�i�H��w�s���@�~�����_���ۯS�w���ΥD��q���C�o�q�`�Ψӱj����Ҧ��ؿ��s���q��w���q���κ����o�͡C
�]�w�H DNS �D��W�٬���¦���s���W�h�� LDIF �y�k�p�U�G
dns = "DNS_Hostname" �� dns != "DNS_Hostname"
dns ����r�ݭn�����X�� DNS ���W�١C�Y�»P�D��s���v�A�o����w���A�|�y����b���w���ʫ¯١C�Ҧp�A�U�C�B�⦡��M�i�Q���\�A��ä���ij�z�p�����G
dns = "legend.eng";
3�ӨϥΧ����X��W�١A�Ҧp�G
dns = "legend.eng.example.com";
dns ����r���\�U�Φr���C�Ҧp�G
dns = "*.example.com";
�p�G�s��ؿ�Τ�ݦ�b�R�W�����A�h�s���W�h�|�Q�����T�C�o���u���\�q�S�w���i��s��D�`���ΡC�Ъ`�N�A�p�G�t�ΨϥΪ��W�٪A�ȨëD DNS �A�h�U�Φr���N�L�@�ΡC�b�o�ر��p�U�A�p�G�n����s��S�w���A�Шϥ� ip ����r�A�p�u�w�q�ӦۯS�w IP ��}���s��v���ҭz�C
�w�q��S�w�ɶ��Τ�fs��
�i�H�γs���W�h��w�s���u��o�ͦb�@�Ѥ����Y�Ӯɶ��A�Τ@�P�j��Y�@�ѡC�Ҧp�A�i�H�]�w�@��W�h�A�u���\�b�P�d@��P�d����W�� 8 �I��U�� 5 �I�����i��s��C�Ψӵ��s���v�Q���ɶ��O�ؿ��A���W���ɶ��A�ӫD�Τ�ݤW���ɶ��C
�]�w�H�@�Ѥ��Y�@�ɬq����¦���s���W�h�� LDIF �y�k�p�U�G
timeofday operator "time"
�䤤 operator �i���U�C�Ÿ����@�G���� (=)�B������ !=}�B�j�� (>)�B�j��ε��� (>=)�B�p�� <} �Τp��ε��� (<=)�C�H�|��ƪ��24�p�ɮɶ��榡���ɼƻP���� (0 �� 2359)�C�Ҧp�G
- �p�G�Τ�ݦb�t�ή�����ܤ��Ȯɪ����@���fs��ؿ�A�h timeofday = "1200"; ���u�C
- �b���W 1 �I�H�~���ɶ��s��Atimeofday != "0100"; ���u�C
- �q���W 8:01 ��U�� 11:59 �����s��Atimeofday > "0800"; ���u�C
- �q���W 8:00 ��U�� 11:59 �����s��Atimeofday > "0800"; ���u�C
- �q���W 12:00:00 ��U�� 5:59 �����s��Atimeofday < "1800"; ���u�C
�]�w�H�@�P�d��Y�Ѭ���¦���s���W�h�� LDIF �y�k�p�U�G
dayofweek = "day1, day2 ..."
dayofweek ����r�i��Ȭ��@�P�d��U�Ѫ��T�ӭ^��r���Y�g�Gsun�Bmon�Btue�Bwed�Bthu�Bfri�Bsat�C��w�z�Q�n�»P�s���v���Ҧ���aA�Ҧp�G
dayofweek = "Mon, Tue, Wed, Thu, Fri";
�p�G�b�C�X���䤤�@�Ӥ�fs��ؿ�A�h�s���W�h���u�C
�w�q�H���Ҥ�k����¦���s��
�i�H�]�w�s���W�h�A���Τ�ݥ����ϥίS�w���Ҥ�k�s����ؿ�C�i�Ϊ����Ҥ�k�p�U�G
�Y�O SSL�A�s�u�����إߨ� LDAPS �ĤG�ӳs����F�Y�O TLS�A�s�u�����z�L Start TLS �@�~�إߡC�o��ت��p���������Ѿ��ҡC�p�ݳ]�w SSL ����T�A�аѾ\�� 11 ���u�z���ҩM�[�K�v�C
�z�L�k�z�L [�s���s�边] �]�w�H���Ҭ���¦���s���W�h�C
�]�w�H���Ҥ�k����¦���s���W�h�� LDIF �y�k�p�U�G
authmethod = "authentication_method"
�䤤 authentication_method �O none�Bsimple�Bssl �� sasl sasl_mechanism�C�Ҧp�G
�d��
�U�C�O authmethod ����r���d�ҡG
- authmethod = "none"; �s���W�h���v����|�ˬd���ҡC
- authmethod = "simple"; �p�G�Τ�ݨϥΨϥΪ̦W�ٻP�K�X�s��ؿ�A�h�s���W�h�����T�C
- authmethod = "ssl"; �p�G�Τ�ݨϥγz�L LDAPS �����Ҧs��ؿ�A�h�s���W�h�|�Q�����T�C�p�G�Τ�ݨϥγz�L LDAPS ��²������ (�s�� DN �P�K�X) �i�����ҡA�N���|�����T�C
- authmethod = "sasl DIGEST-MD5"; �p�G�Τ�ݨϥ� SASL DIGEST-MD5 ���s��ؿ�A�h�s���W�h�����T�C��L�䴩�� SASL �� EXTERNAL (�Ҧ����x) �M GSSAPI (�ȭ��� Solaris �t��)�C
�ϥΥ��L�s���W�h
�s���W�h�i�H�O�ϥΥ��L�B�⦡ AND�BOR �P NOT ������B�⦡�A�H�]�w�D�`��T���s��W�h�C�z�L�k�ϥ� Server Console �إߥ��L�s���W�h�A�z�����إ� LDIF ���z���C
���L�s���W�h�� LDIF �y�k�p�U�G
bindRule [boolean][bindRule][boolean][bindRule]...;)
�Ҧp�A�p�G�s�� DN �O�t�κz��s�թζl��z��s�ժ�����A�ӥB�Τ�ݬO�q example.com ��줺�����A�h�U�C�s���W�h�����T�G
(groupdn = "ldap:///cn=administrators,dc=example,dc=com" or
groupdn = "ldap:///cn=mail administrators,dc=example,dc=com" and
dns = "*.example.com";)
��3B���8� (;) �O���n���9j�r���A�����X�{�b�̫᪺�s���W�h��C
���L�B�⦡�����Ǧp�U�G
���L OR �P���L AND �B��l�S���u��ǡC
�Ы�ҤU�C���L�s���W�h�G
(bindRule_A) OR (bindRule_B)
(bindRule_B) OR (bindRule_A)
�]�����L�B�⦡�O�ѥ���k���A�ҥH�b�Ĥ@�ӽd�Ҥ��A�|����s���W�h A�A�A���s���W�h B�A�Ӧb�ĤG�ӽd�Ҥ��A�h����s���W�h B�A�A���s���W�h A�C
��O���L NOT �|�b���L OR �P���L AND ���e ���C�]���A�b�U�C�d�Ҥ��G
(bind_rule_A) AND NOT (bind_rule_B)
�|����s���W�h B�A�A���s���W�h A�A�Ӥ��z�|�ѥ���k���W�h�C
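The evaluation order described above (innermost parentheses first, NOT before AND and OR, then AND and OR strictly left to right with no precedence between them) is easy to misjudge when reading a rule such as the administrators/mail administrators example, so here is an added evaluator (example code, not Directory Server's own implementation) that applies exactly that order to a bind rule string. The bind context it matches against (bind DN, the bind DN's group DNs, the client's host name, the target entry's DN) is a constructed stand-in for what the server knows about a connection, only the userdn, groupdn and dns keywords are handled, and DN comparison is a deliberately crude case-fold.

```python
"""Bind-rule evaluator using the precedence described above (constructed example)."""
import fnmatch
import re

_TOKEN = re.compile(r'\s*(?:(\()|(\))|(and|or|not)\b|(\w+)\s*(!=|=)\s*"([^"]*)")', re.I)

def tokenize(rule):
    """Split 'groupdn = "..." or dns = "..."' into parens, operators and atoms."""
    rule = rule.strip().rstrip(";").strip()
    tokens, pos = [], 0
    while pos < len(rule):
        m = _TOKEN.match(rule, pos)
        if not m:
            raise ValueError("cannot tokenize bind rule near %r" % rule[pos:pos + 20])
        pos = m.end()
        if m.group(1) or m.group(2):
            tokens.append(m.group(1) or m.group(2))
        elif m.group(3):
            tokens.append(m.group(3).lower())
        else:                                    # atom: (keyword, operator, value)
            tokens.append((m.group(4).lower(), m.group(5), m.group(6)))
    return tokens

def evaluate(rule, truth):
    """Innermost parentheses first, NOT before AND/OR, then AND/OR strictly left to
    right with equal precedence.  truth(keyword, operator, value) decides each atom."""
    tokens, pos = tokenize(rule), 0

    def operand():
        nonlocal pos
        tok = tokens[pos] if pos < len(tokens) else None
        pos += 1
        if tok == "(":
            value = expression()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("missing ')' in bind rule")
            pos += 1
            return value
        if tok == "not":
            return not operand()
        if not isinstance(tok, tuple):
            raise ValueError("expected a bind rule, got %r" % (tok,))
        return bool(truth(*tok))

    def expression():
        nonlocal pos
        value = operand()
        while pos < len(tokens) and tokens[pos] in ("and", "or"):
            op = tokens[pos]
            pos += 1
            rhs = operand()
            value = (value and rhs) if op == "and" else (value or rhs)
        return value

    result = expression()
    if pos != len(tokens):
        raise ValueError("trailing tokens in bind rule")
    return result

def _norm(dn):
    return re.sub(r",\s*", ",", dn.strip()).lower()   # crude DN comparison form

def make_truth(bind_dn, groups, client_host, target_dn):
    """Atomic evaluator for userdn, groupdn and dns against a constructed bind context:
    bind_dn (None when anonymous), the bind DN's group DNs, client host name, target DN."""
    groups = {_norm(g) for g in groups}
    parent = _norm(target_dn).split(",", 1)[1] if "," in target_dn else ""

    def user_matches(dn):
        if dn == "anyone":
            return True                          # includes anonymous binds
        if bind_dn is None:
            return False                         # all/self/parent/DN need a bound user
        if dn == "all":
            return True
        if dn == "self":
            return _norm(bind_dn) == _norm(target_dn)
        if dn == "parent":
            return _norm(bind_dn) == parent
        return fnmatch.fnmatch(_norm(bind_dn), _norm(dn))   # DN, wildcards allowed

    def matches(keyword, value):
        alts = [v.strip() for v in value.split("||")]     # "a || b" alternatives
        if keyword == "dns":
            return any(fnmatch.fnmatch(client_host.lower(), a.lower()) for a in alts)
        if keyword in ("userdn", "groupdn"):
            urls = [a[len("ldap:///"):] for a in alts]    # assumes ldap:/// URLs
            if keyword == "groupdn":
                return any(_norm(u) in groups for u in urls)
            return any(user_matches(u) for u in urls)
        raise ValueError("keyword %r is not handled in this example" % keyword)

    def truth(keyword, op, value):
        result = matches(keyword, value)
        return result if op == "=" else not result

    return truth
```

Run against the page's own rule, an administrator connecting from outside example.com is refused: left-to-right evaluation makes the dns clause apply to both groups, whereas conventional AND-before-OR precedence would have admitted them.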
�q��O��إ� ACI�z�i�H�ϥ� LDIF ���z����ʫإߦs����O�A�å� ldapmodify ��O�N���̥[�J��z���𪬥ؿ�C�]�� ACI �ȥi��D�`����A�z�̦n�˵�{�����ȡA�M��ƻs�_��0�z�إ߷s���ȡC
�˵� aci �ݩʭ�
�t���x�s ACI �@�����ؤW aci �ݩʪ��@�Φh�ӭȡCaci �ݩʬO�h���Ⱦާ@�ݩʡA�ؿ�ϥΪ̥iŪ��P�ק惡�ݩʡA�Ӧ��ݩʥ������ ACI �O�@�C�z�ϥΪ̳q�`�� aci �ݩʾ֦�����s���v�A�ӥB�i�ϥΤU�C�䤤�@�ؤ覡�˵�䤺�e�C
�i�H�b [�зǽs�边] ���˵� aci �ݩʭȡA�N�p�P����L�Ȥ@��C�b Directory Server Console �̤W�h�� [�ؿ�] ���ҤW�A�H�ƹ��k���@�U�� ACI �����ءA�ÿ�� [�H�зǽs�边�s��] �\��?�ءC��O�Aaci �ȳq�`�O��r��A���e��b����ܤ���˵�P�s��C
�]���A�i�H�אּ�b�𪬥ؿ�ؤW��@�U�ƹ��k��A�A��� [�]�w�s���v��] �\��?�إH�Ұ� [�s���s�边]�C��� ACI ���@�U [�s��]�A�A��@�U [��ʽs��]�A�Y�i�˵��3�� aci �ȡC�ǥѦb ACI ����ʻP��ı�ƽs�边�����t��A�i��� aci �Ȫ��y�k�P��պA�C
�p�G�z���@�~�t�Τ��\�A�z�i�H�q [�зǽs�边] �� [��ʦs���s�边] ���ƻs aci �ȡA�ñN���K�J�z�� LDIF �ɮסC�z�ϥΪ̤]�i�H���U�C ldapsearch ��O���˵�ت� aci �ݩʡG
ldapsearch -h host -p port -D "cn=Directory Manager" -w password \
-b entryDN -s base "(objectclass=*)" aci
���ͪ����G�O�z�i�H�K�J�s�� LDIF ACI �w�q�H�i��s�誺 LDIF ��r�C�]�� ACI ���ȬO��r��A�ҥH ldapsearch �ާ@�W����X�i����ܦb�Ʀ�W�A�t���@���s��аO���Ĥ@�ӪŮ�C�ƻs�M�K�W LDIF ��X�ɱN���C�J�Ҽ{�C
�Ƶ�
�Y�n�˵� aci �ȹ�»P�Ωڵ��v���Ҳ��ͪ��v�T�A�аѾ\�u�˵���v�Q�v�C
�ϥΥD���x�إ� ACI�i�H�t�m Directory Server Console �H��ܥؿ���Ƕ��ؾ֦� aci �ݩʡC���Ψ���� [�˵�] > [���] > [ACI �p��] �\���ﶵ�A�i�t�����ܡC�̤W�h [�ؿ�] ���Ҥ����M�涵�ثK�|���[�W�� aci �ݩʤ��w�w�q�� ACI �ƥءA���۱z�i�H�ϥ� Directory Server Console �˵�B�إߡB�s��P�R���ؿ�s����O�C
�p�� Directory Server �w���ʬF�����`�Ϊ��s���W�h���X�A�H�Ψϥ� Directory Server Console �إ߳o�dzW�h���B�J������A�аѾ\�u�s���Ϊk�d�ҡv�C
[�s���s�边] �L�k��z�b [��ı��] �s��Ҧ����غc������ ACI�C�ר�O�A�z�L�k�q [�s���s�边] ���G
- �ڵ��s�� (�аѾ\�u�v���y�k�v�v)
- �إߥH�Ȭ���¦�� ACI (�аѾ\�u�ϥ� LDAP �z�ᄍ�N�ݩʭȳ]���ؼСv)
- �w�q��ئs�� (�аѾ\�u��ئs�� (parent ����r)�v)
- �إߥ]�t���L�s���W�h�� ACI (�аѾ\�u�ϥΥ��L�s���W�h�v)
- �j�P�W�A�إߨϥΤU�C����r�� ACI�Groledn, userattr, authmethod
�˵�ت� ACI
- �b Directory Server Console �̤W�h�� [�ؿ�] ���ҤW�A�s��𪬥ؿ�A�H��ܭn�]�w�s�����ءC�����㦳�ؿ�t�κz��Υؿ�z���v���~��s�� ACI�C
- �H�ƹ��k���@�U���ءA�æb����\��?��� [�]�w�s���v��]�C�Ϊ̡A�H�ƹ������@�U���إH���ءA�A��� [����] �\��?�� [�]�w�s���v��]�C
�X�{�p�U�ϩҥܪ� [�s���z] ��ܤ��C�Ϥ��C�X�b����ؤW�w�q���Ҧ� ACI ���y�z�A�åi��z�i��s��A�β�����A�إ߷s���y�z�C
�� 6-2 [�s���z] ��ܤ��
��� [����~�Ӫ� ACI] �֨���C�X�Q���ؤ���ةҩw�q���Ҧ� ACI�A�H�ήM�Ψ춵�ت� ACI�C�~�Ӫ� ACI �L�k�Q�s��β����A�z�����b�w�q�� ACI �����ؤW�i��z�C
- ��@�U [�s�W] �b�����Ψ��Ӿ𪬤l�ؿ�W�w�q�s���s���v���C�X�{�p�� 6-3 �ҥܪ� [ACI �s�边]�C
�� 6-3 [ACI �s�边] ��ܤ��
��ܤ��W�誺 ACI �W�٬O�X�{�b [�s���z] ��ܤ��� ACI �y�z�C�]���y�z�ʪ� ACI �W�ٷ|�Ͼ�ӥؿ� ACI ���e��z�A�ר�b�˵��ؤW�~�Ӫ� ACI �ɡC
[�s���s�边] ���U�Ӽ��ҥi��z��w�Q�»P�Ωڵ��s��ϥΪ̡B�s��ξD����ؼСA�H�ζi���ѼơA�Ҧp���\���D��W�ٻP�@�~�ɬq���C�p����� [�s���] ���Ҥ��ӧO��쪺�ԲӸ�ơA�аѾ\�u�W����C
[ACI �s�边] ���U�Ӽ��Ҭ� ACI �Ȫ����e���ѹϧ���ܡC��@�U [��ʽs��] ��s�i�d�� ACI �ȨåΤ�r�覡�i��s��C�b��r�s�边���A�i�H�w�q�L�k�z�L���ҩw�q���i�� ACI�C��O�@���s�� ACI �Ȥ���A�Y�����ϥζi���\��A���@�˥i��A�]�L�k�H��ı�覡�s�� ACI�C
�إ߷s�� ACI
- ��� [�s���s�边]�C
���u�@�b�u�˵�ت� ACI�v��������C
�p�G��ܪ��˵�P�� 6-3 ���P�A�Ы�@�U [��ı�ƽs��] ��s�C
- �b [ACI �W��] ��r����J�W�١A�� ACI �R�W�C
�W�٥i�H�O���r��A�H�Ω�ߤ@�ѧO�� ACI�C�p�G����J�W�١A��A���|�ϥ� unnamed ACI�C
- �b [�ϥΪ�/�s��] ���Ҥ��A�ǥѤϥ���� [�����ϥΪ�]�A�Ϋ�@�U [�[�J] ��s�b�ؿ�j�M�n�[�J���ϥΪ̡A�H���n�»P�s���v���ϥΪ̡C
�b [�[�J�ϥΪ̩M�s��] ���G
- �b [�s���s�边] ���A��@�U [�v�Q] ���ҡA�A�ϥή֨�����n�»P���v�Q�C
- ��@�U [�ؼ�] ���ҡA�A��@�U [������] �H��ܧ@�� ACI �ؼЪ��`�I�C
�i�H�ܧ�ؼ� DN ���ȡA��s�� DN �����O���ت������ζ����l���C
�p�G���n�N���`�I�U�𪬤l�ؿ�C�@�Ӷ��س��@�� ACI ���ؼСA�z�����b [�l���ت��z�ᄍ] ��줤��J�z�ᄍ�C
���~�A�i�H�b�ݩʲM�椤���n�@���ؼЪ��ݩʡA�N ACI ���d��b�Y���ݩʡC
- ��@�U [�D��] ���ҡA�A��@�U [�[�J] �H��� [�[�J�D��z�ᄍ] ��ܤ��C
�i�H��w�D��W�٩� IP ��}�C�p�G��w IP ��}�A�h�i�H�ϥθU�Φr�� (*)�C
- ��@�U [�ɶ�] ���ҥH��ܪ��A�C�X���\�s��ɬq�C
�̹w�]�ȡA�H�ɳ����\�s��C�i�H�b���W��@�U�é즲��СA�H�ܧ�s��ɬq�F�z�L�k��ܤ��s�ɬq�C
- ��z�����s�� ACI ��A��@�U [�T�w]�C
�h�X ACI �s�边�A�s�� ACI �|�C�b [ACI �z��] ���C
�s�� ACI
�Y�n�s�� ACI�G
- �� [�ؿ�] ���ҤW�A�b�𪬤l�ؿ�ݶ��ؤW��@�U�ƹ��k��A�A�ѧ���\��?��� [�]�w�s���v��]�C
��� [�s���z��] ��C�ӵ�]�t�ݩت� ACI �M��C
- �b [�s���z��] ���A�ϥ���ܭn�s�誺 ACI�A�A��@�U [�s��]�C
��� [�s���s�边]�C�p�����i�Φ���ܤ��s���T���ԲӸ�ơA�аѾ\�u�W����C
- �b [�s���s�边] ���U�Ӽ��Ҥ��i��z�n���ܧ�C
- ��z�����s�� ACI ��A��@�U [�T�w]�C
�h�X ACI �s�边�A�Q�ק諸 ACI �|�C�b [ACI �z��] ���C
�R�� ACI
�Y�n�R�� ACI�G
�s���Ϊk�d�����`�����d�ұN����@�a�Q���� ISP ���q example.com �p�����s�����C�Ҧ��d�ҳ��|���&p��q�D���x�Ψϥ� LDIF �ɮװ���w���u�@�C
example.com ���~�Ȥ��e�O���Ѻ�N�ުA�Ȥκ�ں��s��Cexample.com ��N�ަ�����A�ȬO�x�s�Τ�ݤ��q���ؿ�C��ڤW�Aexample.com �x�s Company333 �P Company999 �o��a�������q���ؿ�A�ít�d���:z�u�@�C�������~�A���]���\�h�ӤH�q�ᴣ�Ѻ�ں��s��C
�H�U�O example.com �Ʊ��檺�s���W�h�G
- �N��� example.com �𪬥ؿ�Ū��B�j�M�P���ΦW�s���v���»P�� example.com ��u (�аѾ\�u�»P�ΦW�s��v)�C
- �N�g�J�s���v���»P�� example.com ��u�A�H��o homeTelephoneNumber�BhomeAddress �o���ӤH��T (�аѾ\�u���v�i�g�J�s��ӤH���ءv)�C
- ���v example.com ��u�i�b�䶵�ؤ��[�J���A��Y�ǭ��n���Ⱓ�~ (�аѾ\�u����s��n����v)�C
- �N People �$䤤���ت��Ҧ��v�Q�»P�� example.com Human Resources �s�� (�аѾ\�u�»P�=X���s�է���s��v)�C
- ���v�Ҧ� example.com ��u�i�b�ؿ� Social Committee �$�U�إ߸s�ն��ءA�H�Υi�R����֦����s�ն��� (�аѾ\�u�»P�[�J�P�R���s�ն��ت��v�Q�v)�C
- ���v�Ҧ� example.com ��u�i�N�L�̦ۤv�[�J�ؿ� Social Committee �$�U (�аѾ\�u���\�ϥΪ̦b�s�դ��[�J�β����L�̦ۤv�v)�C
- ���v Company333 �P Company999 ���ؿ�z�� (����) �i�'O�s��𪬥ؿ�U�۪��$�A����a�Y�DZ��A�Ҧp SSL ���ҡB�ɶ��P��m���Ϋ�w��m�� (�аѾ\�u�N��s��»P�s�թΨ���v)�C
- ���v�ӧO�q��i�s��L�̦ۤv������ (�аѾ\�u���v�i�g�J�s��ӤH���ءv)�C
- �ڵ��ӧO�q��s��L�̦ۤv���ؤ����b���T (�аѾ\�u�ڵ��s��v)�C
- ���v�����@�ɥi�ΦW�s��ӧO�q��𪬤l�ؿ�A��w�S�O�n�D���C�W���q�ᰣ�~�C(�ؿ�o�ӳ��%i�H�O�����~�B�C�ѧ�s�@�����q�ݦ�A���C)�аѾ\�u�»P�ΦW�s��v�P�u�ϥοz�ᄍ�]�w�ؼСv�C
�»P�ΦW�s��
�j���%ؿ�B�@�覡�O�z�ܤ֥i�H�ΦW�s��@�ӧ=X�A�i��Ū��B�j�M�Τ��C�Ҧp�A�p�G���@�ӥi�ѭ�u�j�M�����q�H�ƥؿ� (�Ҧp�q��ï)�A�z�N�i��Ʊ�]�w�o���v���Cexample.com �����N�O�o�˪����p�A�o�|�b ACI "Anonymous example.com" �d�Ҥ�����C
�@���@�� ISP�Aexample.com �]�n�إߥi�ѥ��@�ɦs���}�q��ï�A�H���i�Ҧ��q�᪺�p����T�C�o�|�b ACI "Anonymous World"�d�Ҥ��ѻ��C
ACI "Anonymous example.com"
�b LDIF ���A�Y�n�N��� example.com �𪬥ؿ�Ū��B�j�M�P����v���»P example.com ��u�A�м��g�U�C���z���G
aci:(targetattr !="userPassword")(version 3.0; acl "Anonymous
example"; allow (read, search, compare)
userdn= "ldap:///anyone" and dns="*.example.com";)
This example assumes that the ACI is added to the dc=example,dc=com entry. Note that the userPassword attribute is excluded from the scope of the ACI.
�i���U�C�@�~�A�q�D���x�]�w���v���G
- �� [�ؿ�] ���ҤW�A�b���s��𪬥ؿ� example.com �`�I�W��@�U�ƹ��k��A�A��ܧ��㦡�\��? [�]�w�s���v��] �H��� [�s���z��]�C
- ��@�U [�s�W] ��� [�s���s�边]�C
- �b [�ϥΪ�/�s��] ���ҤW�� [ACI �W��] ��줤�A��J [Anonymous example.com]�C���ˬd [�����ϥΪ�] �w�g��ܦb�»P�s���v�����ϥΪ̲M�椤�C
- �b [�v�Q] ���ҤW�A�Ŀ�Ū��B���P�j�M�v�Q���֨���C�нT�{�w�g�M����L���֨���C
- �b [�ؼ�] ���ҤW�A��@�U [������]�A�� dc=example,dc=com �=X�b�ؼХؿ����줤��ܡC�b�ݩʪ?��� userPassword �ݩʡA�òM����3���֨���C
3�ӤĿ�Ҧ���L���֨���C�p�G��@�U [�W��] ���Y�A�N�ݩʲM��̦r�6��DZƦC�A�h�o���u�@�|���e��i��C
- �b [�D��] ���ҤW��@�U [�[�J]�A�æb DNS �D��z�ᄍ��줤��J *.example.com�C��@�U [�T�w] �h�X��ܤ��C
- �b [�s���s�边] ����@�U [�T�w]�C
�N�s�� ACI �[�J�� [�s���z��] ���ҦC�ܪ� ACI ���C
ACI "Anonymous World"
�b LDIF ���A�Y�n�N�ӧO�q��𪬤l�ؿ�Ū��P�j�M�s��»P���@�ɡA�P�ɩڵ��s��C�W�q�᪺��T�A�z�i�H���g�U�C���z���G
aci:(targetfilter= "(!(unlistedSubscriber=yes))")
(targetattr="homePostalAddress || homePhone || mail")
(version 3.0; acl "Anonymous World"; allow (read, search)
userdn="ldap:///anyone";)
This example assumes that the ACI is added to the ou=subscribers,dc=example,dc=com entry. It also assumes that every subscriber entry has an unlistedSubscriber attribute set to yes or no. The target definition filters out unlisted subscribers based on the value of this attribute. For details on the filter definition, refer to "Setting a Target Using Filtering".
�i���U�C�@�~�A�q�D���x�]�w���v���G
- �� [�ؿ�] ���ҤW�A�b���s��𪬥ؿ� example.com �`�I�U�� [ñ�p��] ���ؤW��@�U�ƹ��k��A�A��ܧ���\��?�� [�]�w�s���v��] �H��� [�s���z��]�C
- ��@�U [�s�W] ��� [�s���s�边]�C
- �b [�ϥΪ�/�s��] ���ҤW�� [ACI �W��] ��줤�A��J [Anonymous World]�C���ˬd [�����ϥΪ�] �w�g��ܦb�»P�s���v�����ϥΪ̲M�椤�C
- �b [�v�Q] ���ҤW�A�Ŀ�Ū��P�j�M�v�Q���֨���C�нT�{�w�g�M����L���֨���C
- �b [�ؼ�] ���ҤW�A��@�U [������]�A�� dc=subscribers, dc=example,dc=com �=X�b�ؼХؿ����줤��ܡC
- ��@�U�u�T�w�v�C
�N�s�� ACI �[�J�� [�s���z��] ���ҦC�ܪ� ACI ���C
���v�i�g�J�s��ӤH����
�\�h�ؿ�z��Ʊ椹�\�����ϥΪ��ܧ�L�ۤv���*��ݩʡA��O�����ݩʡCexample.com ���ؿ�z��Ʊ椹�\�ϥΪ��ܧ�L�̦ۤv���K�X�B��a�q�ܸ��X�Φ�a�a�}�A�������~�������\�C�o�|�b ACI "Write example.com"�d�Ҥ��ѻ��C
example.com ���F���]���\�q���s example.com �𪬥ؿ�L�̦ۤv���ӤH��T�A�e���O�����P�ؿ�إ� SSL �s�u�C�o�|�b ACI "Write Subscribers"�d�Ҥ��ѻ��C
ACI "Write example.com"
�b LDIF ���A�Y�n���v example.com ��u�i��s��K�X�B��a�q�ܸ��X�Φ�a�a�}�A�м��g�U�C���z���G
aci:(targetattr="userPassword || homePhone ||
homePostalAddress")(version 3.0; acl "Write example.com";
allow (write) userdn="ldap:///self" and dns="*.example.com";)
This example assumes that the ACI is added to the ou=People,dc=example,dc=com entry.
�i���U�C�@�~�A�q�D���x�]�w���v���G
- �� [�ؿ�] ���ҤW�A�b���s��𪬥ؿ� ou=People,dc=example,dc=com ���ؤW��@�U�ƹ��k��A�A��ܧ��㦡�\��? [�]�w�s���v��] �H��� [�s���z��]�C
- ��@�U [�s�W] ��� [�s���s�边]�C
- �b [�ϥΪ�/�s��] ���ҤW�� [ACI �W��] ��줤�A��J [Write example.com]�C�Цb�»P�s���v�����ϥΪ̲M�椤�A���U�C�@�~�G
- �b [�v�Q] ���ҤW�A�Ŀ�g�J�v�Q���֨���C�нT�{�w�g�M����L���֨���C
- �b [�ؼ�] ���ҤW�A��@�U [������]�A�b�ؼХؿ����줤��J ou=People,dc=example,dc=com�C�b�ݩʪ?�A�Ŀ� homePhone�BhomePostalAddress �P userPassword �ݩʪ��֨���C
3�ӲM���Ҧ���L���֨���C�Y�n��u�@��[�e��A�Ы�@�U [��������] ��s�A�K�|�M����椤�Ҧ��ݩʪ��֨���A�M���@�U [�W��] ���Y�̦r�6��ǥ[�H��´�A�A�������ݩʡC
- �b [�D��] ���ҤW�A��@�U [�[�J] ��� [�[�J�D��z�ᄍ] ��ܤ��C�b DNS �D��z�ᄍ��줤�A��J *.example.com�C��@�U [�T�w] �h�X��ܤ��C
- �b [�s���s�边] ����@�U [�T�w]�C
�N�s�� ACI �[�J�� [�s���z��] ���ҦC�ܪ� ACI ���C
ACI "Write Subscribers"
�b LDIF ���A�Y�n���v example.com �q��i��s��K�X�P��a�q�ܸ��X�A�м��g�U�C���z���G
aci:(targetattr="userPassword || homePhone")
(version 3.0; acl "Write Subscribers"; allow (write)
userdn= "ldap:///self" and authmethod="ssl";)
This example assumes that the ACI is added to the ou=subscribers,dc=example,dc=com entry.
Note that example.com subscribers do not have write access to their home address, because they might delete the attribute, and example.com needs that information for billing. The home address is therefore critical business information.
�i���U�C�@�~�A�q�D���x�]�w���v���G
- �� [�ؿ�] ���ҤW�A�b���s��𪬥ؿ� example.com �`�I�U�� [ñ�p��] ���ؤW��@�U�ƹ��k��A�A��ܧ���\��?�� [�]�w�s���v��] �H��� [�s���z��]�C
- ��@�U [�s�W] ��� [�s���s�边]�C
- �b [�ϥΪ�/�s��] ���ҤW�� [ACI �W��] ��줤�A��J [Write Subscribers]�C�Цb�»P�s���v�����ϥΪ̲M�椤�A���U�C�@�~�G
- �b [�v�Q] ���ҤW�A�Ŀ�n�g�J���֨���C�нT�{�w�g�M����L���֨���C
- �b [�ؼ�] ���ҤW�A��@�U [������]�A�� dc=subscribers, dc=example,dc=com �=X�b�ؼХؿ����줤��ܡC
- If you want users to authenticate using SSL, click the Edit Manually button to switch to manual editing mode, and add authmethod=ssl to the LDIF statement so that it reads as follows:
(targetattr="homePostalAddress || homePhone || mail")
(version 3.0; acl "Write Subscribers"; allow (write)
(userdn= "ldap:///self") and authmethod="ssl";)
�Ъ`�N�o�O�@�Ӥ3ΥH�K��Ū��s���C
- Click OK.
The new ACI is added to the ACIs listed in the Access Control Manager tab.
����s��n����
�i�H�b�ؿ�ϥΨ���w�q�A�H�ѧO��~�ȡB���P�ؿ�z�Ψ�L�γ~�㦳����v�T���\��C
�Ҧp�A�z�i�H�إߤ@�� superAdmin ����A���ѧO���q���y�U�a������A��S�w��nɶ��i���ѪA�Ȫ��t�κz��l���C�Ϊ̡A�i�H�إߤ@�� First Aid ����A�]�t�S�w��W�w������ϰV�m���Ҧ��u�@�H��C�p�����إߨ���w�q����T�A�аѾ\�u���v�C
�?��|�ﭫ�n�����q�η~�ȥ\���P���S�?�ϥΪ��v���ɡA3�ӦҼ{����s��Ө���C�Ҧp�A�b example.com ���A��u�i�H�b�L�̦ۤv�����ؤ��[�J���A�� superAdmin ���Ⱓ�~�C�o�|�b ACI "Roles"�d�Ҥ��ѻ��C
ACI "Roles"
In LDIF, to grant example.com employees the right to add any role other than superAdmin to their own entry, write the following statement:
aci:(targetattr="*") (targattrfilters="add=nsRoleDN:
(nsRoleDN !="cn=superAdmin, dc=example, dc=com")")
(version 3.0; acl "Roles"; allow (write)
userdn= "ldap:///self" and dns="*.example.com";)
This example assumes that the ACI is added to the ou=People,dc=example,dc=com entry.
�i���U�C�@�~�A�q�D���x�]�w���v���G
- �� [�ؿ�] ���ҤW�A�b���s��𪬥ؿ� example.com �`�I�W��@�U�ƹ��k��A�A��ܧ��㦡�\��? [�]�w�s���v��] �H��� [�s���z��]�C
- ��@�U [�s�W] ��� [�s���s�边]�C
- �b [�ϥΪ�/�s��] ���ҤW�� [ACI �W��] ��줤�A��J [Roles]�C�Цb�»P�s���v�����ϥΪ̲M�椤�A���U�C�@�~�G
- �b [�v�Q] ���ҤW�A�Ŀ�n�g�J���֨���C�нT�{�w�g�M����L���֨���C
- �b [�D��] ���ҤW�A��@�U [�[�J] ��� [�[�J�D��z�ᄍ] ��ܤ��C�b DNS �D��z�ᄍ��줤�A��J *.example.com�C��@�U [�T�w] �h�X��ܤ��C
- To create the value-based filter for the role, click the Edit Manually button to switch to manual editing mode. Add the following to the beginning of the LDIF statement:
(targattrfilters="add=nsRoleDN:
(nsRoleDN != "cn=superAdmin, dc=example,dc=com")")
The LDIF statement should now read as follows:
(targetattr="*") (targattrfilters="add=nsRoleDN:
(nsRoleDN != "cn=superAdmin, dc=example,dc=com")")
(target = "ldap:///dc=example,dc=com")
(version 3.0; acl "Roles"; allow (write)
(userdn = "ldap:///self") and (dns="*.example.com");)
- Click OK.
The new ACI is added to the ACIs listed in the Access Control Manager tab.
�»P�=X���s�է���s��
�j���%ؿ�|���@�Ӹs�եΨ��ѧO�Y�Ǥ��q�\��C�o�Ǹs�եi��o�ؿ�����γ��*�����s���v�C�ǥѦb�s�դW�M�Φs���v�Q�A�z�i�H�קK���C�Ӧ���ӧO�]�w�s���v�Q�F�u�n�N�ϥΪ̥[�J�s�աA�Y�i²��a�N�o�Ǧs���v�Q�»P�ϥΪ̡C
�Ҧp�A�ϥ� [�@��w��] �B�z�Ǧw�� Directory Server �ɡA�K�|�w�]�إߤ@�ӹ�ؿ�֦�����s�� Administrators �s�աC
�b example.com ���AHuman Resources �s�եi����s��ؿ� ou=People �$�A�ϥL�̯���s��u�ؿ�C�o�|�b ACI "HR"�d�Ҥ��ѻ��C
ACI "HR"
In LDIF, to grant all rights over the employee branch of the directory to the HR group, use the following statement:
aci:(targetattr="*") (version 3.0; acl "HR"; allow (all)
userdn= "ldap:///cn=HRgroup,ou=People,dc=example,dc=com";)
This example assumes that the ACI is added to the ou=People,dc=example,dc=com entry.
�i���U�C�@�~�A�q�D���x�]�w���v���G
- �� [�ؿ�] ���ҤW�A�b���s��𪬥ؿ� example.com �`�I�U�� example.com-people ���ؤW��@�U�ƹ��k��A�A��ܧ���\��?�� [�]�w�s���v��] �H��� [�s���z��]�C
- ��@�U [�s�W] ��� [�s���s�边]�C
- �b [�ϥΪ�/�s��] ���ҤW�� [ACI �W��] ��줤�A��J [HR]�C�Цb�»P�s���v�����ϥΪ̲M�椤�A���U�C�@�~�G
- ���ò��� [�����ϥΪ�]�A�M���@�U [�[�J]�C
��� [�[�J�ϥΪ̩M�s��] ��ܤ��C
- �N [�j�M] �ϰ�]�� [�ϥΪ̻P�s��]�A�æb [�j�M] ��줤��J [Hrgroup]�C
���d�Ұ��]�z�w�إ� HR �s�թΨ���C�p�����s�ջP���⪺�ԲӸ�T�A�аѾ\�� 5 ���u�z����M����v�C
- ��@�U [�[�J] ��s�A�N HR �s�զC�b�Q�»P�s���v�����ϥΪ̲M�椤�C
- ��@�U [�T�w] �h�X [�[�J�ϥΪ̩M�s��] ��ܤ��C
- �b [�v�Q] ���ҤW�A��@�U [����] ��s�C
���F�N�z�v�Q�~�A3�ӤĿ�Ҧ��֨���C
- ��@�U�u�T�w�v�C
�N�s�� ACI �[�J�� [�s���z��] ���ҦC�ܪ� ACI ���C
�»P�[�J�P�R���s�ն��ت��v�Q
�p�G�i�����u�@�IJv�A�μW�i���q�ʤO�A���Dz�´�|�Ʊ椹�\��u�b�𪬥ؿ�إ߶��ءC
�H example.com ���ҡA���q���@�Ӭ��D���%�e��|�A���e��|��´���X�Ӫ9ΡG��y�!B��a�!B�Ƴ��!B�t�*5��C��� example.com ��u���i�H�إߥN��s�9Ϊ��s�ն��ءC�o�|�b ACI "Create Group"�d�Ҥ��ѻ��C��� example.com ��u���i�H�����o�Ǹs�ժ�����C�o�|�b�u���\�ϥΪ̦b�s�դ��[�J�β����L�̦ۤv�U�� ACI "Group Members"�d�Ҥ��ѻ��C�u���s�վ֦��̥i�ק�ΧR���s�ն��ءC�o�|�b ACI "Delete Group"�d�Ҥ��ѻ��C
ACI "Create Group"
In LDIF, to grant example.com employees the right to create group entries under the ou=Social Committee branch, write the following statement:
aci:(target="ldap:///ou=social committee,dc=example,dc=com")
(targetattr="*")(targattrfilters="add=objectClass:
(|(objectClass=groupOfNames)(objectClass=top))")
(version 3.0; acl "Create Group"; allow (read,search,add)
(userdn= "ldap:///uid=*,ou=People,dc=example,dc=com")
and dns="*.example.com";)
This example assumes that the ACI is added to the ou=social committee,dc=example,dc=com entry.
�i���U�C�@�~�A�q�D���x�]�w���v���G
- �� [�ؿ�] ���ҤW�A�b���s��𪬥ؿ� example.com �`�I�U�� Social Committee ���ؤW��@�U�ƹ��k��A�A��ܧ���\��?�� [�]�w�s���v��] �H��� [�s���z��]�C
- ��@�U [�s�W] ��� [�s���s�边]�C
- �b [�ϥΪ�/�s��] ���ҤW�� [ACI �W��] ��줤�A��J [Create Group]�C�Цb�»P�s���v�����ϥΪ̲M�椤�A���U�C�@�~�G
- �b [�v�Q] ���ҤW�A�Ŀ�Ū��B�j�M�P�[�J���֨���C�нT�{�w�g�M����L���֨���C
- �b [�ؼ�] ���ҤW�A��@�U [������]�A�� ou=social committee, dc=example,dc=com �=X�b�ؼХؿ����줤��ܡC
- �b [�D��] ���ҤW�A��@�U [�[�J] ��� [�[�J�D��z�ᄍ] ��ܤ��C�b DNS �D��z�ᄍ��줤�A��J *.example.com�C��@�U [�T�w] �h�X��ܤ��C
- To create the value-based filter that lets employees add only group entries to this subtree, click the Edit Manually button to switch to manual editing mode. Add the following to the beginning of the LDIF statement:
(targattrfilters="add=objectClass:(objectClass=groupOfNames)
|(objectClass=top)")
The LDIF statement should now read as follows:
(targetattr = "*") (targattrfilters="add=objectClass:(objectClass=groupOfNames)
|(objectClass=top)") (target="ldap:///ou=social committee,dc=example,dc=com") (version 3.0; acl "Create Group";
allow (read,search,add) (userdn= "ldap:///all") and
(dns="*.example.com"); )
- Click OK.
The new ACI is added to the ACIs listed in the Access Control Manager tab.
ACI "Delete Group"
In LDIF, to grant example.com employees the right to modify or delete the group entries they own under the ou=Social Committee branch, write the following statement:
aci:(target="ldap:///ou=social committee,dc=example,dc=com")
(targetattr = "*")
(targattrfilters="del=objectClass:(objectClass=groupOfNames)")
(version 3.0; acl "Delete Group"; allow (write,delete)
userattr="owner#GROUPDN";)
This example assumes that the ACI is added to the ou=social committee,dc=example,dc=com entry.
Using the console is not the most effective way to create this ACI, because you must use manual editing mode to create the target filter that checks group ownership.
�N��s��»P�s�թΨ���
�b�\�h���p���A��z�N�ؿ�s���v���»P�s�թΨ���ɡA�z�Ʊ�T�{�o���v�����O�@�A���|��I�J�̫_�γQ���v���ϥΪ̡C�]���A�b�\�h���p���A�N���n�s���v�»P���s�թΨ��⪺�s���W�h�������a�\�h���C
�|�Ҩӻ��Aexample.com �w�����N�ު� Company333 �P Company999 ��a���q�U�إߤ@�ӥؿ�z���C���Ʊ�o�Ǥ��q���z���̦ۤv����ơA�ð�楦�̦ۤv���s���W�h�A�P�ɤS��T�O����I�J�̤z�Z�C���o�ӭ�]�ACompany333 �P Company999 ��𪬥ؿ�U�۪��$�֦������v�Q�A��ŦX�U�C���G
�o�DZ��C�b�C�a���q����@ ACI ���A�'O�O ACI "Company333" �P ACI "Company999"�C�]���o��� ACI �����e�ۦP�A�U�C�d�Ҷȸѻ� "Company333" ACI�C
ACI "Company333"
In LDIF, to grant Company333 access to its own branch of the directory under the conditions listed above, write the following statement:
aci:(target="ou=Company333,ou=corporate-clients,dc=example,dc=com")
(targetattr = "*") (version 3.0; acl "Company333"; allow (all)
(roledn="ldap:///cn=DirectoryAdmin,ou=Company333,
ou=corporate-clients,dc=example,dc=com") and (authmethod="ssl")
and (dayofweek="Mon,Tues,Wed,Thu") and (timeofday >= "0800" and
timeofday <= "1800") and (ip="255.255.123.234"); )
This example assumes that the ACI is added to the ou=Company333,ou=corporate-clients,dc=example,dc=com entry.
�i���U�C�@�~�A�q�D���x�]�w���v���G
- �� [�ؿ�] ���ҤW�A�b���s��𪬥ؿ� example.com �`�I�U�� Company333 ���ؤW��@�U�ƹ��k��A�A��ܧ���\��?�� [�]�w�s���v��] �H��� [�s���z��]�C
- ��@�U [�s�W] ��� [�s���s�边]�C
- �b [�ϥΪ�/�s��] ���ҤW�� [ACI �W��] ��줤�A��J [Company333]�C�Цb�»P�s���v�����ϥΪ̲M�椤�A���U�C�@�~�G
- �b [�v�Q] ���ҤW�A��@�U [����] ��s�C
- �b [�ؼ�] ���ҤW�A��@�U [������]�A�� ou=Company333,ou=corporate-clients,dc=example,dc=com �=X�b�ؼХؿ����줤��ܡC
- �b [�D��] ���ҤW�A��@�U [�[�J] ��� [�[�J�D��z�ᄍ] ��ܤ��C�b [IP ��}�D��z�ᄍ] ��줤��J 255.255.123.234�C��@�U [�T�w] �h�X��ܤ��C
IP ��}�����O�D��q���W���Ī� IP ��}�ACompany333 �t�κz��ϥΦ���}�s�u�� example.com �ؿ�C
- �b [�ɶ�] ���ҤW�A��ܹ�3��P�d@��P�e|�H�ΤW�� 8 �I��U�� 6 �I���ɬq�C
���U��|�X�{�T���A��w�z�w���ɬq�C
- To enforce SSL authentication for all Company333 administrator connections, click the Edit Manually button to switch to manual editing mode. Add the following to the end of the LDIF statement:
and (authmethod="ssl")
The LDIF statement should now read as follows:
aci:(targetattr = "*")(target="ou=Company333,
ou=corporate-clients,dc=example,dc=com") (version 3.0; acl
"Company333"; allow (all) (roledn="ldap:///cn=DirectoryAdmin,
ou=Company333,ou=corporate-clients, dc=example,dc=com") and
(dayofweek="Mon,Tues,Wed,Thu") and (timeofday >= "0800" and
timeofday <= "1800") and (ip="255.255.123.234") and
(authmethod="ssl"); )
- Click OK.
The new ACI is added to the ACIs listed in the Access Control Manager tab.
�ڵ��s��
�p�G�ؿ��x�s����~�ȸ�T�A�z�i��Ʊ�S�O�a�ڵ���s��C
�Ҧp�Aexample.com �Ʊ�Ҧ��q����d�ݨ䶵�ؤU���b���T (�p�s�u�ɶ��αb��l�B)�A���T�ڵ��g�J�s��Ӹ�T�C�o�|�'O�b ACI "Billing Info Read"�P ACI "Billing Info Deny"���ѻ��C
ACI "Billing Info Read"
In LDIF, to grant subscribers the right to read the billing information in their own entry, write the following statement:
aci:(targetattr="connectionTime || accountBalance")
(version 3.0; acl "Billing Info Read"; allow (search,read)
userdn="ldap:///self";)
This example assumes that the relevant attributes have been created in the schema, and that the ACI is added to the ou=subscribers,dc=example,dc=com entry.
�i���U�C�@�~�A�q�D���x�]�w���v���G
- �� [�ؿ�] ���ҤW�A�b���s��𪬥ؿ� example.com �`�I�Uñ�p�̶��ؤW��@�U�ƹ��k��A�A��ܧ���\��?�� [�]�w�s���v��] �H��� [�s���z��]�C
- ��@�U [�s�W] ��� [�s���s�边]�C
- �b [�ϥΪ�/�s��] ���ҤW�� [ACI �W��] ��줤�A��J [Billing Info Read]�C�Цb�»P�s���v�����ϥΪ̲M�椤�A���U�C�@�~�G
- �b [�v�Q] ���ҤW�A�Ŀ�j�M�PŪ���v�Q���֨���C�нT�{�w�g�M����L���֨���C
- �b [�ؼ�] ���ҤW�A��@�U [������]�A�� ou=subscribers, dc=example,dc=com �=X�b�ؼХؿ����줤��� �C�b�ݩʪ?�A�Ŀ� connectionTime �M accountBalance �ݩʪ��֨���C
3�ӲM���Ҧ���L���֨���C�Y�n��u�@��[�e��A�Ы�@�U [��������] ��s�A�K�|�M����椤�Ҧ��ݩʪ��֨���A�M���@�U [�W��] ���Y�̦r�6��ǥ[�H��´�A�A�������ݩʡC
���d�Ұ��]�z�w�g�N connectionTime �M accountBalance �ݩʥ[�J�ܵ��c�C
- ��@�U�u�T�w�v�C
�N�s�� ACI �[�J�� [�s���z��] ���ҦC�ܪ� ACI ���C
ACI "Billing Info Deny"
In LDIF, to deny subscribers the right to modify the billing information in their own entry, write the following statement:
aci:(targetattr="connectionTime || accountBalance")
(version 3.0; acl "Billing Info Deny";
deny (write) userdn="ldap:///self";)
This example assumes that the relevant attributes have been created in the schema, and that the ACI is added to the ou=subscribers,dc=example,dc=com entry.
�i���U�C�@�~�A�q�D���x�]�w���v���G
- �� [�ؿ�] ���ҤW�A�b���s��𪬥ؿ� example.com �`�I�Uñ�p�̶��ؤW��@�U�ƹ��k��A�A��ܧ���\��?�� [�]�w�s���v��] �H��� [�s���z��]�C
- ��@�U [�s�W] ��� [�s���s�边]�C
- �b [�ϥΪ�/�s��] ���ҤW�� [ACI �W��] ��줤�A��J [Billing Info Deny]�C�Цb�»P�s���v�����ϥΪ̲M�椤�A���U�C�@�~�G
- �b [�v�Q] ���ҤW�A�Ŀ�n�g�J���֨���C�нT�{�w�g�M����L���֨���C
- ��@�U [��ʽs��] ��s�A�æb��ܪ� LDIF ���z�����A�N allow �ܧ� deny�C
- �b [�ؼ�] ���ҤW�A��@�U [������]�A�� ou=subscribers, dc=example,dc=com �=X�b�ؼХؿ����줤��� �C�b�ݩʪ?�A�Ŀ� connectionTime �M accountBalance �ݩʪ��֨���C
3�ӲM���Ҧ���L���֨���C�Y�n��u�@��[�e��A�Ы�@�U [��������] ��s�A�K�|�M����椤�Ҧ��ݩʪ��֨���A�M���@�U [�W��] ���Y�̦r�6��ǥ[�H��´�A�A�������ݩʡC
���d�Ұ��]�z�w�g�N connectionTime �M accountBalance �ݩʥ[�J�ܵ��c�C
- ��@�U�u�T�w�v�C
�N�s�� ACI �[�J�� [�s���z��] ���ҦC�ܪ� ACI ���C
�ϥοz�ᄍ�]�w�ؼ�
�p�G�n�]�w�s���A�H���\�s��G�ؿ�U�B���\�h���ءA�z�i��Ʊ�ϥοz�ᄍ�ӳ]�w�ؼСC�аO��A�]���j�M�z�ᄍ��������w�z�n�z�s����W�١A�ҥH�ܮe��p�ߤ��\�Ωڵ��s���~������A�ר��ؿ��ܱo�V����ɶV�M�I�C���~�A�z�ᄍ�i����z���e�����Ƹѥؿ�o�ͪ��s�����D�C
���\�ϥΪ̦b�s�դ��[�J�β����L�̦ۤv
�\�h�ؿ�|�]�w ACI�A�H���\�ϥΪ̦b�s�դ��[�J�β����L�̦ۤv�C�|�Ҩӻ��A�o��\�ϥΪ̦b�l��M�椤�[�J�β����L�̦ۤv�Ө��O�D�`���ΡC
�b example.com ���A��u�i�H�N�L�̦ۤv�[�J�� ou=social committee �𪬤l�ؿ�U�����s�ն��ؤ��C�o�|�b ACI "Group Members"�d�Ҥ��ѻ��C
ACI "Group Members"
In LDIF, to grant example.com employees the right to add or delete themselves from a group, write the following statement:
aci:(targetattr="member")(version 3.0; acl "Group Members";
allow (selfwrite)
(userdn= "ldap:///uid=*,ou=People,dc=example,dc=com") ;)
This example assumes that the ACI is added to the ou=social committee,dc=example,dc=com entry.
�i���U�C�@�~�A�q�D���x�]�w���v���G
- �� [�ؿ�] ���ҤW�A�b���s��𪬥ؿ� example.com �`�I�U�� People ���ؤW��@�U�ƹ��k��A�A��ܧ���\��?�� [�]�w�s���v��] �H��� [�s���z��]�C
- ��@�U [�s�W] ��� [�s���s�边]�C
- �b [�ϥΪ�/�s��] ���ҤW�� [ACI �W��] ��줤�A��J [Group Members]�C�Цb�»P�s���v�����ϥΪ̲M�椤�A���U�C�@�~�G
- �b [�v�Q] ���ҤW�A�Ŀ�ۼg���֨���C�нT�{�w�g�M����L���֨���C
- �b [�ؼ�] ���ҤW�A�b�ؼХؿ����줤��J dc=example,dc=com �=X�C�b�ݩʪ?�A�Ŀ� member �ݩʪ��֨���C
3�ӲM���Ҧ���L���֨���C�Y�n��u�@��[�e��A�Ы�@�U [��������] ��s�A�K�|�M����椤�Ҧ��ݩʪ��֨���A�M���@�U [�W��] ���Y�̦r�6��ǥ[�H��´�A�A�������ݩʡC
- ��@�U�u�T�w�v�C
�N�s�� ACI �[�J�� [�s���z��] ���ҦC�ܪ� ACI ���C
�w�q�t���r���� DN ���v��
DNs that contain a comma require special treatment in your LDIF ACI statements. In the target and bind rule portions of the ACI statement, commas must be escaped with a single backslash (\). The following example illustrates this syntax:
dn:o=example.com Bolivia\, S.A.
objectClass:top
objectClass:organization
aci:(target="ldap:///o=example.com Bolivia\,S.A.")
(targetattr="*") (version 3.0; acl "aci 2"; allow (all)
groupdn = "ldap:///cn=Directory Administrators,
o=example.com Bolivia\, S.A.";)
Proxy Authorization ACI Example
The proxy authorization method is a special form of authentication: a user that binds to the directory using its own identity is granted the rights of another user through proxy authorization.
This example assumes:
For the client application to gain access to the Accounting subtree (using the same access permissions as the Accounting Administrator):
- The Accounting Administrator has access permissions to the ou=Accounting,dc=example,dc=com subtree. For example, the following ACI grants all rights to the Accounting Administrator entry:
aci:(target="ldap:///ou=Accounting,dc=example,dc=com")
(targetattr="*") (version 3.0; acl "allowAll-AcctAdmin"; allow
(all) userdn="ldap:///dn:uid=AcctAdministrator,ou=Administrators,
dc=example,dc=com";)
- The directory contains the following ACI, which grants proxy rights to the client application:
aci:(target="ldap:///ou=Accounting,dc=example,dc=com")
(targetattr="*") (version 3.0; acl "allowproxy-
accountingsoftware"; allow (proxy) userdn=
"ldap:///dn:uid=MoneyWizAcctSoftware,ou=Applications,
dc=example,dc=com";)
With this ACI in place, the MoneyWizAcctSoftware client application can bind to the directory and send LDAP commands such as ldapsearch or ldapmodify that require the access rights of the proxy DN.
In the example above, if the client wanted to perform an ldapsearch command, the command would include the following controls:
ldapsearch \
-D "uid=MoneyWizAcctSoftware,ou=Applications,dc=example,dc=com" \
-w password \
-y "uid=AcctAdministrator,ou=Administrators,dc=example,dc=com" \
...
Note that the client binds as itself, but is granted the privileges of the proxy entry. The client does not need the password of the proxy entry.
Note
You cannot use the Directory Manager DN as a proxy DN, because proxy rights cannot be granted to the Directory Manager. In addition, if Directory Server receives more than one proxy authorization control in the same connection, an error is returned to the client application and the bind attempt fails.
Viewing Effective Rights
When maintaining access to directory entries, it is useful to know the effect of the defined ACIs on the security policy. Directory Server allows you to evaluate existing ACIs and report the effective rights they grant to a given user on a given entry.
Directory Server responds to the Get Effective Rights control, which may be included in a search operation. The response to this control returns effective rights information about the entries and attributes in the search results. This extra information includes read and write permissions for each entry and for each attribute in each entry. The permissions may be requested for the bind DN used for the search or for an arbitrary DN, which allows administrators to test the permissions of directory users.
Caution
Viewing effective rights is a directory operation that should be protected and appropriately restricted. Create further ACIs on the aclRights and aclRightsInfo attributes to control access to this information by directory users.
The effective rights feature relies on an LDAP control. To view effective rights on a chained suffix, you must enable the control on the chained suffix, as described in "Configuring Chained Suffixes". You must also ensure that the proxy identity used to bind to the backend server is allowed access to the aclRights attribute.
Using the Get Effective Rights Control
Use the ldapsearch command with the -J "1.3.6.1.4.1.42.2.27.9.5.2" option to specify the Get Effective Rights control. By default, the control returns the effective rights of the bind DN entry on the entries and attributes in the search results. Use the following options to change the default behavior:
When either or both of the -c and -X options are used, the OID of the Get Effective Rights control is implied by the -J option and does not need to be specified. If you specify a NULL value for the effective rights control, the rights of the current user on the entries and attributes returned by the current ldapsearch operation are reported.
Then specify the information you want to view: either the simple rights, or the detailed logging information that explains why those rights were granted or denied. The type of information is determined by adding aclRights or aclRightsInfo, respectively, as an attribute to return in the search results. You may request both attributes to receive all effective rights information, although the simple rights are redundant with the logging information.
The effective rights feature inherits other parameters that affect access control (such as authentication method, address and time of day) from the user initiating the search operation.
The following example shows how a user can view her rights in the directory. In the results, 1 indicates that permission is granted and 0 indicates that permission is denied:
ldapsearch -J "1.3.6.1.4.1.42.2.27.9.5.2" \
-h rousseau.example.com -p 389 \
-D "uid=cfuente,ou=People,dc=example,dc=com" \
-w password -b "dc=example,dc=com" \
"(objectclass=*)" aclRights

dn: dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0

dn: ou=Groups, dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0

dn: ou=People, dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0

dn: cn=Accounting Managers,ou=groups,dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0

dn: cn=HR Managers,ou=groups,dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0

dn: uid=bjensen,ou=People, dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0

dn: uid=cfuente, ou=People, dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:1,proxy:0
This result tells Carla Fuente that she has at least read access to the entries in the directory, and that she can modify her own entry. The effective rights control does not bypass normal access permissions, so a user never sees entries for which she has no read permission. In the following example, the directory administrator can see the entries that Carla Fuente does not have read permission for:
ldapsearch -h rousseau.example.com -p 389 \
-D "cn=Directory Manager" -w password \
-c "dn:uid=cfuente,ou=People,dc=example,dc=com" \
-b "dc=example,dc=com" \
"(objectclass=*)" aclRights

dn: dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0

dn: ou=Groups, dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0

dn: cn=Directory Administrators, dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:0,write:0,proxy:0

dn: ou=Special Users,dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:0,write:0,proxy:0

dn: ou=People, dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0

dn: cn=Accounting Managers,ou=groups,dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0

dn: cn=HR Managers,ou=groups,dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0

dn: uid=bjensen,ou=People, dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0

dn: uid=cfuente, ou=People, dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:1,proxy:0
In the output above, the directory administrator can see that Carla Fuente can view neither the Special Users branch nor the Directory Administrators branch of the directory tree. In the following example, the directory administrator can see that Carla Fuente cannot modify the mail and manager attributes in her own entry:
ldapsearch -h rousseau.example.com -p 389 \
-D "cn=Directory Manager" -w password \
-c "dn:uid=cfuente,ou=People,dc=example,dc=com" \
-b "dc=example,dc=com" \
"(uid=cfuente)" aclRights "*"

version: 1
dn: uid=cfuente, ou=People, dc=example,dc=com
aclRights;attributeLevel;mail: search:1,read:1,compare:1,write:0,selfwrite_add:0,selfwrite_delete:0,proxy:0
mail: cfuente@example.com
aclRights;attributeLevel;uid: search:1,read:1,compare:1,write:1,selfwrite_add:1,selfwrite_delete:1,proxy:0
uid: cfuente
aclRights;attributeLevel;givenName: search:1,read:1,compare:1,write:1,selfwrite_add:1,selfwrite_delete:1,proxy:0
givenName: Carla
aclRights;attributeLevel;sn: search:1,read:1,compare:1,write:1,selfwrite_add:1,selfwrite_delete:1,proxy:0
sn: Fuente
aclRights;attributeLevel;cn: search:1,read:1,compare:1,write:1,selfwrite_add:1,selfwrite_delete:1,proxy:0
cn: Carla Fuente
aclRights;attributeLevel;userPassword: search:0,read:0,compare:0,write:1,selfwrite_add:1,selfwrite_delete:1,proxy:0
userPassword: {SSHA}wnbWHIq2HPiY/5ECwe6MWBGx2KMiZ8JmjF80Ow==
aclRights;attributeLevel;manager: search:1,read:1,compare:1,write:0,selfwrite_add:0,selfwrite_delete:0,proxy:0
manager: uid=bjensen,ou=People,dc=example,dc=com
aclRights;attributeLevel;telephoneNumber: search:1,read:1,compare:1,write:1,selfwrite_add:1,selfwrite_delete:1,proxy:0
telephoneNumber: (234) 555-7898
aclRights;attributeLevel;objectClass: search:1,read:1,compare:1,write:1,selfwrite_add:1,selfwrite_delete:1,proxy:0
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0
Understanding Effective Rights Results
The effective rights request returns the following information, depending on the options specified:
Rights Information
Rights information is provided by the following subtypes:
aclRights;entrylevel
Provides entry-level rights information
aclRights;attributelevel
Provides attribute-level rights information
aclRightsInfo;entrylevel
Provides entry-level logging information
aclRightsInfo;attributelevel
Provides attribute-level logging information
The format of the aclRights string is: permission:value(permission:value)*
Possible entry-level permissions are add, delete, read, write and proxy. Possible attribute-level permissions are read, search, compare, write, selfwrite_add, selfwrite_delete and proxy.
The value of these permissions can be one of the following:
Write, Selfwrite_add and Selfwrite_delete Permissions
In Directory Server 5.2, only the write attribute-level permission can have the "?" value. For the add and delete permissions, the result depends on the attribute values you are allowed to add or delete in the targeted entries. Permissions are returned on the entry as 0 or 1, because they are returned by the ldapsearch operation, and "?" is not returned there.
If the write permission value is 1, you are granted permission to perform ldapmodify operations that add and delete all values (except the bind DN value). A write permission value of 0 indicates that you are not granted permission to add or delete values (except the bind DN value). Permission to add or delete the bind DN value is returned explicitly by one of the selfwrite permissions, selfwrite_add or selfwrite_delete.
Although the selfwrite_add and selfwrite_delete attribute-level permissions do not exist in the ACI rules, an ACI can grant a user the selfwrite permission to modify only by adding, or only by deleting. With the selfwrite permission, the attribute value being modified is the bind DN. The write permission makes no such distinction, so it does not define which attribute values may be modified by the write permission.
When effective rights are applied to an ACI that contains targattrfilters, the "?" value indicates that you should refer to the logging information for the details of the effective permission. Given the interdependence of the write, selfwrite_add and selfwrite_delete permissions, Table 6-3 gives the meaning of the combinations of the three possible values of these permissions.
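As an added example (not code from the Directory Server documentation), the following Python parses aclRights values of the permission:value(,permission:value)* form described above, as returned by ldapsearch with the Get Effective Rights control, and summarises which attributes a user can write and which rights came back as "?". The LDIF sample is constructed for this example and the nsRoleDN "?" line is hypothetical.

```python
"""Parse aclRights values returned with the Get Effective Rights control.

Added example, not Directory Server code. It reads ldapsearch LDIF output
carrying aclRights;entryLevel and aclRights;attributeLevel;<attr> values of the
form permission:value(,permission:value)* and summarises the rights per entry.
"""

ENTRY_PERMS = {"add", "delete", "read", "write", "proxy"}
ATTR_PERMS = {"search", "read", "compare", "write",
              "selfwrite_add", "selfwrite_delete", "proxy"}
# "?" means the write right depends on the value (targattrfilters); see aclRightsInfo.
FLAGS = {"0": False, "1": True, "?": None}

# Constructed sample shaped like the output in this section; not captured from a server.
SAMPLE_OUTPUT = """\
version: 1
dn: uid=cfuente,ou=People,dc=example,dc=com
aclRights;attributeLevel;mail: search:1,read:1,compare:1,
 write:0,selfwrite_add:0,selfwrite_delete:0,proxy:0
mail: cfuente@example.com
aclRights;attributeLevel;userPassword: search:0,read:0,compare:0,write:1,selfwrite_add:1,selfwrite_delete:1,proxy:0
aclRights;attributeLevel;nsRoleDN: search:1,read:1,compare:1,write:?,selfwrite_add:0,selfwrite_delete:0,proxy:0
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0

dn: ou=Special Users,dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:0,write:0,proxy:0
"""


def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_rights_value(value, allowed):
    """'add:0,delete:0,read:1' -> {'add': False, 'delete': False, 'read': True}."""
    rights = {}
    for item in value.split(","):
        perm, sep, flag = item.strip().partition(":")
        if not sep or perm not in allowed or flag not in FLAGS:
            raise ValueError(f"malformed aclRights item {item!r}")
        rights[perm] = FLAGS[flag]
    return rights


def parse_effective_rights(text):
    """Return {dn: {'entry': {perm: flag}, 'attrs': {attr: {perm: flag}}}}."""
    records, current = {}, None
    for line in unfold_ldif(text):
        if not line.strip() or line.startswith("version:"):
            continue
        desc, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        value = value.strip()
        if desc == "dn":
            current = records.setdefault(value, {"entry": {}, "attrs": {}})
            continue
        if current is None:
            raise ValueError("attribute line before any dn line")
        parts = desc.split(";")
        if parts[0] != "aclRights":
            continue                      # the entry's own attribute values
        if len(parts) == 2 and parts[1].lower() == "entrylevel":
            current["entry"] = parse_rights_value(value, ENTRY_PERMS)
        elif len(parts) == 3 and parts[1].lower() == "attributelevel":
            current["attrs"][parts[2]] = parse_rights_value(value, ATTR_PERMS)
        else:
            raise ValueError(f"unexpected aclRights subtype {desc!r}")
    return records


def writable_attributes(records, dn):
    """Attributes the user may modify (write:1) in the given entry."""
    return sorted(a for a, r in records[dn]["attrs"].items() if r.get("write") is True)


def undetermined_rights(records, dn):
    """(attribute, permission) pairs reported as '?': consult aclRightsInfo for these."""
    return sorted((a, p) for a, r in records[dn]["attrs"].items()
                  for p, f in r.items() if f is None)


def entries_with_right(records, perm):
    """DNs on which the given entry-level permission is granted."""
    return sorted(dn for dn, r in records.items() if r["entry"].get(perm) is True)
```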
Logging Information
The effective rights logging information allows you to understand and debug access control difficulties. The logging information contains an access summary statement called acl_summary, which shows why access was allowed or denied. The access summary statement contains the following information:
- Whether access was allowed or denied
- The permissions granted
- The target entry of the permissions
- The name of the target attribute
- The subject of the rights being requested
- Whether the request was made by proxy, and if so, the DN of the proxy
- The reason for allowing or denying access (important for debugging purposes). The possible reasons are listed in Table 6-4:
For detailed information on the log file format, refer to the Directory Server Administration Reference.
Advanced Access Control: Using Macro ACIs
In organizations that use repeating directory tree structures, macro ACIs can optimize the number of ACIs used in the directory. Reducing the number of ACIs in the tree makes it easier to manage the access control policy and improves the memory efficiency of ACIs.
Macros are placeholders used in an ACI to represent a DN, or a portion of a DN. You can use a macro to represent a DN in the target portion of the ACI, in the bind rule portion, or in both. In practice, when Directory Server receives an incoming LDAP operation, the ACI macros are matched against the resource targeted by the LDAP operation to determine the matching substring, if any. If there is a match, the bind rule side macro is expanded using the matching substring, and access to the resource is determined by evaluating the expanded bind rule.
Macro ACI Example
The benefits of a macro ACI and the way they work are best explained with an example. Figure 6-4 shows a directory tree in which using macro ACIs reduces the number of ACIs.
Notice the repeating pattern of subdomains with the same tree structure (ou=groups, ou=people). This pattern is also repeated across the tree, because the example.com directory tree stores the following suffixes: dc=hostedCompany2,dc=example,dc=com and dc=hostedCompany3,dc=example,dc=com.
The ACIs applied in the directory tree also have a repeating pattern. For example, the following ACI is located on the dc=hostedCompany1,dc=example,dc=com node:
aci:(targetattr="*")
(targetfilter=(objectClass=nsManagedDomain))(version 3.0;
acl "Domain access"; allow (read,search) groupdn=
"ldap:///cn=DomainAdmins,ou=Groups,dc=hostedCompany1,
dc=example,dc=com";)
This ACI grants the DomainAdmins group read and search rights to the entries in the dc=hostedCompany1,dc=example,dc=com tree.
Figure 6-4 Example Directory Tree for Macro ACIs
The following ACI is located on the dc=hostedCompany1,dc=example,dc=com node:
aci:(targetattr="*")
(targetfilter=(objectClass=nsManagedDomain))
(version 3.0; acl "Domain access"; allow (read,search)
groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=hostedCompany1,
dc=example,dc=com";)
The following ACI is located on the dc=subdomain1,dc=hostedCompany1,dc=example,dc=com node:
aci:(targetattr="*")
(targetfilter=(objectClass=nsManagedDomain))
(version 3.0; acl "Domain access"; allow (read,search)
groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=subdomain1,
dc=hostedCompany1,dc=example,dc=com";)
The following ACI is located on the dc=hostedCompany2,dc=example,dc=com node:
aci:(targetattr="*")
(targetfilter=(objectClass=nsManagedDomain))
(version 3.0; acl "Domain access"; allow (read,search)
groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=hostedCompany2,
dc=example,dc=com";)
The following ACI is located on the dc=subdomain1,dc=hostedCompany2,dc=example,dc=com node:
aci:(targetattr="*")
(targetfilter=(objectClass=nsManagedDomain))
(version 3.0; acl "Domain access"; allow (read,search)
groupdn="ldap:///cn=DomainAdmins,ou=Groups, dc=subdomain1,
dc=hostedCompany2,dc=example,dc=com";)
In the four ACIs shown above, the only difference is the DN specified in the groupdn keyword. By using a macro for the DN, it is possible to replace these ACIs with a single ACI at the dc=example,dc=com node, or at the root of the tree. This ACI reads as follows:
aci:(target="ldap:///ou=Groups,($dn),dc=example,dc=com")
(targetattr="*")(targetfilter=(objectClass=nsManagedDomain))
(version 3.0; acl "Domain access"; allow (read,search) groupdn=
"ldap:///cn=DomainAdmins,ou=Groups,[$dn],dc=example,dc=com";)
Note that the target keyword, which was not used before, has been introduced here.
In the example above, the number of ACIs is reduced from four to one, but the real benefit is a factor of the number of repeating patterns in the directory tree.
Macro ACI Syntax
To simplify the discussion in this section, the ACI keywords used to provide bind credentials, such as userdn, roledn, groupdn and userattr, are collectively called the ACI subject. The subject determines who the ACI applies to.
Macro ACIs include the following types of expression to replace a DN or part of a DN:
Table 6-5 lists the macros that can be used for DNs in ACIs:
The following restrictions apply:
Matching ($dn) in the Target
The ($dn) macro in the ACI target is compared with the target entry of the LDAP request to determine the substitution value. For example, an LDAP request targets the cn=all,ou=groups,dc=subdomain1,dc=hostedCompany1,dc=example,dc=com entry, and an ACI defines the target as follows:
(target="ldap:///ou=Groups,($dn),dc=example,dc=com")
The ($dn) macro matches "dc=subdomain1, dc=hostedCompany1". This substring is then used to substitute the macro in the ACI subject.
Substituting ($dn) in the Subject
In the ACI subject, the ($dn) macro is replaced by the entire substring that matched in the target. For example:
groupdn="ldap:///cn=DomainAdmins,ou=Groups,($dn),
dc=example,dc=com"
becomes:
groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=subdomain1,
dc=hostedCompany1,dc=example,dc=com"
Once the macro has been expanded, Directory Server evaluates the ACI following the normal process to determine whether access is granted.
Note
A macro-substituted ACI differs from a standard ACI in that it does not necessarily grant access to the children of the target entry. This is because when the DN of the child is the target, the substitution may not create a valid DN in the subject string.
Substituting [$dn] in the Subject
The substitution mechanism for [$dn] is slightly different from that of ($dn). The DN of the targeted resource is examined several times, each time dropping the leftmost RDN component, until a match is found.
For example, an LDAP request targets the cn=all,ou=groups,dc=subdomain1,dc=hostedCompany1,dc=example,dc=com subtree, and there is the following ACI:
aci:(targetattr="*")
(target="ldap:///ou=Groups,($dn),dc=example,dc=com")
(version 3.0; acl "Domain access"; allow (read,search)
groupdn="ldap:///cn=DomainAdmins,ou=Groups,[$dn],
dc=example,dc=com";)
The server proceeds as follows to expand this ACI:
- The ($dn) in the target matches dc=subdomain1,dc=hostedCompany1.
- The [$dn] in the subject is replaced with dc=subdomain1,dc=hostedCompany1.
The resulting subject is groupdn="ldap:///cn=DomainAdmins,ou=Groups, dc=subdomain1,dc=hostedCompany1,dc=example,dc=com". If access is granted because the bind DN is a member of that group, the macro expansion stops and the ACI is evaluated. If the bind DN is not a member, processing continues.
- The [$dn] in the subject is replaced with dc=hostedCompany1.
The resulting subject is groupdn="ldap:///cn=DomainAdmins,ou=Groups, dc=hostedCompany1,dc=example,dc=com". Again, the server tests whether the bind DN is a member of this group, and if so, evaluates the ACI. If it is not a member, macro expansion stops at the last RDN of the matched value, and the evaluation of this ACI is finished without granting access.
The advantage of the [$dn] macro is that it provides a flexible way of granting access to domain-level administrators for all the subdomains in the directory tree. Therefore, it is useful for expressing a hierarchical relationship between domains.
For example, consider the following ACI:
aci:(target="ldap:///ou=*,($dn),dc=example,dc=com")
(targetattr="*")(targetfilter=(objectClass=nsManagedDomain))
(version 3.0; acl "Domain access"; allow (read,search) groupdn=
"ldap:///cn=DomainAdmins,ou=Groups,[$dn],dc=example,dc=com";)
It grants the members of cn=DomainAdmins,ou=Groups, dc=hostedCompany1,dc=example,dc=com access to all subdomains under dc=hostedCompany1, so an administrator belonging to that group can access, for example, the ou=people,dc=subdomain1.1,dc=subdomain1 subtree.
At the same time, however, the members of cn=DomainAdmins,ou=Groups, dc=subdomain1.1 are denied access to the ou=people,dc=subdomain1, dc=hostedCompany1 and ou=people,dc=hostedCompany1 nodes.
Macro Matching for ($attr.attrName)
The ($attr.attrname) macro is always used in the subject part of a DN. For example, you could define the following roledn:
roledn = "ldap:///cn=DomainAdmins,($attr.ou),dc=HostedCompany1,
dc=example,dc=com"
Now assume that the server receives an LDAP operation targeted at the following entry:
dn: cn=Babs Jensen,ou=People,dc=HostedCompany1,dc=example,dc=com
cn: Babs Jensen
sn: Jensen
ou: Sales
...
In order to evaluate the roledn part of the ACI, the server reads the ou attribute stored in the targeted entry and uses its value to expand the macro in the subject. In the example, the roledn is expanded as follows:
roledn = "ldap:///cn=DomainAdmins,ou=Sales,dc=HostedCompany1,
dc=example,dc=com"
Directory Server then evaluates the ACI according to the normal ACI evaluation algorithm.
When the attribute specified in the macro is multivalued, each value is used in turn to expand the macro, and the first one that provides a successful match is used.
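As an added example that is not part of the Directory Server documentation, the following Python model walks through the three expansions described above (($dn) matching in the target, ($dn) and [$dn] substitution in the subject, and ($attr.attrName) substitution) using the DNs from the text. The function names, the textual DN normalisation and the constructed membership list are assumptions of the model, not Directory Server code.

```python
import re

def norm(dn):
    """Normalise a DN string: lower-case, no blanks after commas, no ldap:/// prefix."""
    return re.sub(r",\s*", ",", dn.strip()).lower().replace("ldap:///", "")

def match_target(target_pattern, entry_dn):
    """Return the part of entry_dn matched by ($dn) in the ACI target, or None.
    A '*' in the pattern (for example ou=*) matches a single RDN value."""
    esc = re.escape(norm(target_pattern))
    esc = esc.replace(re.escape("($dn)"), r"(?P<dn>.+)")
    esc = esc.replace(re.escape("*"), r"[^,]+")
    m = re.search("(?:^|,)" + esc + "$", norm(entry_dn))
    return m.group("dn") if m else None

def expand_subject(subject, matched, entry_attrs=None):
    """List the candidate subject DNs in the order the server tries them:
    ($dn)        -> the whole matched substring (one candidate)
    [$dn]        -> the matched substring, then with the left-most RDN
                    dropped, again and again, down to its last RDN
    ($attr.name) -> name=value for each value of 'name' in the target entry"""
    subject = norm(subject)
    candidates = [subject.replace("($dn)", matched)]
    if "[$dn]" in subject:
        rdns = matched.split(",")
        candidates = [c.replace("[$dn]", ",".join(rdns[i:]))
                      for c in candidates for i in range(len(rdns))]
    attrs = {k.lower(): v for k, v in (entry_attrs or {}).items()}
    for name in re.findall(r"\(\$attr\.([a-z0-9-]+)\)", subject):
        candidates = [c.replace(f"($attr.{name})", f"{name}={v.lower()}")
                      for c in candidates for v in attrs.get(name, [])]
    return candidates

def groupdn_grants(target_pattern, subject, entry_dn, member_of, entry_attrs=None):
    """Model of a groupdn subject: True as soon as an expansion names a group the
    bound user belongs to, False if none does, None if the target does not apply."""
    matched = match_target(target_pattern, entry_dn)
    if matched is None:
        return None
    groups = {norm(g) for g in member_of}   # constructed: groups the bind DN is in
    return any(c in groups for c in expand_subject(subject, matched, entry_attrs))

if __name__ == "__main__":
    # Constructed sample (added illustration, not Directory Server code) following
    # the hosted-domain hierarchy used in the text.
    target = "ldap:///ou=*,($dn),dc=example,dc=com"
    subject = "ldap:///cn=DomainAdmins,ou=Groups,[$dn],dc=example,dc=com"
    admins = ["cn=DomainAdmins,ou=Groups,dc=hostedCompany1,dc=example,dc=com"]
    entry = "ou=People,dc=subdomain1.1,dc=subdomain1,dc=hostedCompany1,dc=example,dc=com"
    print(groupdn_grants(target, subject, entry, admins))  # True
```

Running the same check with a member of the dc=subdomain1.1 DomainAdmins group against ou=People,dc=subdomain1,dc=hostedCompany1 returns False, which is the denial described in the text.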
Access Control and Replication
ACIs are stored as attributes of entries. Therefore, if an entry containing ACIs is part of a replicated suffix, the ACIs are replicated like any other attribute.
ACIs are always evaluated on the directory server that services the incoming LDAP request. This means that when a consumer server receives an update request, it returns a referral to the supplier server before evaluating whether the request can be serviced on the supplier.
Access Control and Chaining
If you use chaining to distribute your directory tree across several servers, there are some restrictions on the keywords you can use in access control statements. For more information, refer to "ACI Limitations".
When a user binds to a directory that is chained, the server sends the user's identity to the remote server. Access controls are always evaluated on the remote server. Every LDAP operation evaluated on the remote server uses the original identity of the client application, which is passed using the proxied authorization control. Operations succeed on the remote server only if the user has the correct access rights on the subtree contained on the remote server. This means that you must add the usual access controls to the remote server, with some limitations. For more information, refer to "Access Control Through Chained Suffixes".
Logging Access Control Information
To obtain information on access control in the error logs, you must set the appropriate log level.
To set the error log level from the console:
- On the top-level Directory tab of the Directory Server Console, right-click the cn=config node and choose Edit with Generic Editor from the pop-up menu.
This displays the contents of the cn=config entry in the Generic Editor.
- Scroll down the list of attribute value pairs to locate the nsslapd-errorlog-level attribute.
- Add 128 to the value already displayed in the nsslapd-errorlog-level field.
For example, if the value already displayed is 8192 (replication debugging), you would change it to 8320. For complete information on error log levels, refer to the Directory Server Administration Reference.
- Click OK to save your changes and exit the Generic Editor.
Compatibility with Earlier Releases
Some ACI keywords used by earlier releases of Directory Server are deprecated in Directory Server 5.2. They are still supported for backward compatibility. These keywords are:
Therefore, if you have set up a replication agreement between a legacy supplier server and a consumer Directory Server 5.2, there should not be any problems with ACI replication.
It is recommended that you replace these keywords with the userattr keyword, as described in "Defining Access Based on Value Matching".