6�� ׼�� f��

��丮 ��뿡 �� ׼�� f��ϴ� ��: ��丮 ��ȿ� �־� �ٽ�� κ��Դϴ�. �� 忡�� 丮�� ׼��ϴ� ��ڿ�� ο�� ; ��d�ϴ� �׼�� f�� (ACI)�� մϴ�. Directory Server�� d�� ׸� �� Ưd �� /ȿ ��; �� ִ� ��; f��մϴ�. �� ; ��ϸ� ��ϸ鼭�� ׼�� f�� ; ��ϰ� �� ֽ4ϴ�.

��ü �� då; f��ϴ� �׼�� f�� : ��丮 �� ȹ �ܰ迡�� d��ؾ� �մϴ�. �׼�� f�� ȹ�� : Directory Server Deployment Planning Guide�� v�Ͻʽÿ�.

�׼�� f�� Ģ

�׼�� d��ϴ� ��; �׼�� f���� մϴ�. ��û�� ŵǸ� �� ε� �۾� �� ڰ� f�� d�� d�ǵ� �׼�� f�� (ACI); ��Ͽ� ��丮 d�� ׼�� ϰų� �ź��մϴ�. �� б�, ��, �˻� �Ǵ� �� ; ��ϰų� �ź�� ֽ4ϴ�. ��ڿ�� ο��Ǵ� �� : f�� d�� ޶��ϴ�.

�׼�� f� ��ϸ� ��ü ��丮, ��丮�� ' Ʈ��, ��丮�� Ưd �׸�(�� ۾�; d��ϴ� �׸� ��), �׸� �Ӽ�� Ưd �� Ǵ� Ưd �׸� �Ӽ� �� ׼�� f�� ֽ4ϴ�. Ưd ��, Ưd �׷��̳� ��ҿ� �� Ǵ� ��丮�� ִ� �� ; ��d�� ֽ4ϴ�. ��8�� IP �ּҳ� DNS �̸�8�� ĺ�� Ưd Ŭ��̾�Ʈ�� ؼ�� ׼�� d�� ֽ4ϴ�.

ACI ��v

�׼�� f�� : �׸� �Ӽ�8�� 丮�� ˴ϴ�. aci �Ӽ�: �۵� �� Ӽ�8��, �׸�� ü Ŭ�� d�ǵǾ� �� ʾƵ� ��丮�� ׸񿡼� �� ֽ4ϴ�. Ŭ��̾�Ʈ�κ�� LDAP ��û�� ŵǸ� Directory Server�� Ӽ�; ��Ͽ� �ο��ϰų� �ź�� ; ��մϴ�. Ư�� û�� ; �� aci �Ӽ�: ldapsearch �۾�8�� ȯ�˴ϴ�.

ACI�� κа� ��ε� ��Ģ �κ�: �� 8�� d�Ǹ� �׼�� f�� Ģ(ACR)�̶�? �մϴ�. �� ׼�� : �ش� ��Ģ�� ο��ǰų� �źε˴ϴ�. �ڼ�� : ACI ��; ��v�Ͻʽÿ�.

ACI ��ġ

ACI�� Ե� �׸� �ڽ� �׸�� 8�� ش� �׸񿡸� ACI�� ˴ϴ�. �׸� �ڽ� �׸�� 8�� ش� �׸� �� ' �׸� ACI�� ˴ϴ�. �� ׸� �� ׼�� ; �� û�� ׸�� Ʈ b�̾�� ⺻ �׸� ��̿� �ִ� �� ׸� �� ACI�� Ȯ��մϴ�.

aci �Ӽ�: �� ; ��Ƿ� �� ׸� �Ǵ� ��' Ʈ�� ACI�� d�� ֽ4ϴ�.

�ش� �׸� ��b �� ' Ʈ�� Ϻ� �Ǵ� �� ׸� ��Ǵ� ACI�� ׸� �ۼ�� ֽ4ϴ�. �� , ��f�� 丮 Ʈ�� ' ��ؿ� �ִ� �׸� ��Ǵ� �Ϲ� ACI�� 丮 Ʈ�� ' ��ؿ� ��ġ�� ִٴ� ��a�� ֽ4ϴ�. �� , organizationalUnit �׸��̳� locality �׸� ��ؿ�� inetorgperson ��ü Ŭ�� ִ� �׸�; ��8�� ϴ� ACI�� ۼ�� ֽ4ϴ�.

�� ; ��ϸ� ��' �� б�a�� Ϲ� ��Ģ; ��ġ�Ͽ� ��丮 Ʈ�� ACI �� ּ�ȭ�� ֽ4ϴ�. Ưd ��Ģ�� '�� f��Ϸx� �ִ�� ׸� ��̿� ��Ģ; ��ġ�ؾ� �մϴ�.

ACI ��

�� Ưd �׸� �� ׼�� ; ��ϱ� '�� ׸� ��Ʈ b�̾�� ⺻ �׸� �̸�� ׸� ��ü �� θ� �׸� �ִ� ACI ��; �ۼ��մϴ�. �� ߿� �� ACI�� ó��մϴ�. ACI�� ׸�� Ʈ b�̾�� ⺻ �׸� ��̿� �ִ� �� b�̾� �� ' b�̾�� 򰡵�� ٸ� �� ִ� �� b�̾�� 򰡵�� ʽ4ϴ�.


��	DN""; �� Ʈ DSE �׸� ��ġ�� ACI�� ش� �׸񿡸� ��˴ϴ�.


��	��丮 ��ڴ� �׼�� f� �� ʴ� ��; �� /�� Դϴ�. Ŭ��̾�Ʈ�� 丮 ��ڷ� ��丮�� ε��ϸ� �� ۾� �� ACI�� ʽ4ϴ�. �� 丮 ��ڷ� LDAP �۾�; ��ϸ� �ٸ� ��ڿ� �� ξ� ��ϱ� �� ׻� �Ϲ� �� ̵�� 丮 ��; �׽�Ʈ�ؾ� �մϴ�.

�׸� ��Ǵ� ACI�� 8�� ⺻��8�� 丮 ��ڸ� f�� ׼�� źε˴ϴ�. ��ڰ� �� ׸� �׼��Ϸx� ACI�� 8�� ׼�� ; �ο��ؾ� �մϴ�. �⺻ ACI�� ͸� �б� �׼�� d��ϸ� ��ڰ� ��ȿ� �ʿ�� Ӽ�; f�� ڽ�� ׸�; ��d�� ֵ�� մϴ�. �ڼ�� : �⺻ ACI�� v�Ͻʽÿ�.

�� ׸� ��̿� �ִ� ACI�� ó�� ׸� ��Ǵ� �� ACI�� ˴ϴ�. Ưd ACI�� ׼�� ź�� 8�� ACI�� ο�� ׼�� ˴ϴ�. �� ְ� �� ڿ� �� ׼�� ϴ� ACI�� ׼�� ź��ϴ� ACI�� 켱��8�� ˴ϴ�.

�� , ��丮�� Ʈ ��ؿ�� ; �ź��ϸ� ��ڴ� �ڽſ�� ο�� Ưd ��ѿ� �� 丮�� 4ϴ�. Ưd ��ڿ�� 丮�� ; �ο��Ϸx� �� ڰ� ��Ե�� ʵ�� ѿ� �� x �ź� ��'�� f��ؾ� �մϴ�.

ACI f��

��丮 ��񽺿� �� ׼�� f�� då; �ۼ��ϴ� �� =�� : f�ѿ� ��ؾ� �մϴ�.

�⺻ ACI

Directory Server�� ġ�ϸ� �� ߿� ��d�� Ʈ b�̾ ��=�� : �⺻ ACI�� d�ǵ˴ϴ�.

��丮�� Ʈ b�̾ �ۼ��ϸ� �ش� �⺻ �׸񿡴� '�� ŵ� �⺻ ACI(��ü ��d ACI f��)�� Ե˴ϴ�. ��; ��ȭ�Ϸx� �ֿܼ�� Ʈ b�̾� �ۼ�� ó�� ACI�� ߰��ؾ� �մϴ�.

��= �� ̷�� ⺻ ��d; v�� 䱸�� °� ��d�ϴ� �� մϴ�.

ACI ��

ACI�� پ�� v�� ̷��n �ֽ4ϴ�. �ܼ� �Ǵ� ��ٿ�� ACI�� ۼ��ϰ� ��d�ϴ� �� LDIF �� ACI ��; ��Ȯ�� ؾ� �մϴ�. ACI �� ؼ�� = �� ڼ�� մϴ�.


��	ACI�� ſ� ��ϱ� �� Directory Server �ֿܼ�� ACI�� ð��8�� 4ϴ�. �� ټ�� 丮 �׸� �� ׼�� f� ��d�ϴ� �� ; ��ϴ� �� ξ� ��ϴ�. �� ACI ��; ��Ȯ�� ؾ߸� ȿ�� ׼�� f� ��d�� 丮�� ۼ�� ֽ4ϴ�.

target: �׼�� f�� ׸�, �Ӽ� �Ǵ� �׸�� Ӽ� ��; ��d�մϴ�. ��/ �̸��̳� �ϳ� �̻�� Ӽ�, �Ǵ� �� LDAP ��͸� ��8�� d�� ֽ4ϴ�. ��: �� 8��, ��; ��d�� 8�� ACI�� d�ǵ� ��ü �׸�� ڽ� �׸� �ش� ACI�� ˴ϴ�.

version 3.0: ACI ��; �ĺ��ϴ� �ʼ� ��ڿ��Դϴ�.

name: ACI�� ̸��Դϴ�. ACI�� ĺ��ϴ� �� ڿ�: �̸�� ֽ4ϴ�. ACI �̸�: �ʼ��̸� ACI�� ϴ� �̸��̾�� մϴ�.



��	�̸�� f��: �� ACI�� / �̸�; ��ϴ� �� }4ϴ�. ��/ �̸�; ��d�ϸ� "/ȿ �� " ��Ʈ��; ��Ͽ� �� ACI�� Ȯ�� ֽ4ϴ�.

permission: �� Ǵ� �źεǴ� ��(��: �б� ��̳� �˻� ��); ��ü��8�� մϴ�.

bindRules�� ׼�� ; �ο� �ޱ� '�� ڰ� f��ؾ� �ϴ� �ڰ� �� ε� �Ű� �� d�մϴ�. ��ε� ��Ģ: ��ڳ� �׷� �� ڰ� �Ǵ� Ŭ��̾�Ʈ�� d�� 8�� ֽ4ϴ�.

�� ε� ��Ģ ��; ��d�� 8�Ƿ� ��8�� d�Ǵ� �׸�� Ӽ�; �� üȭ�Ͽ� ��d�� پ�� ׼�� f� ȿ2��8�� d�� ֽ4ϴ�. �� =�� 4ϴ�.

aci: (target)...(target)(version 3.0;acl "name"; permission bindRule;
permission bindRule; ...; permission bindRule;)

aci: (target="ldap:///uid=bjensen,dc=example,dc=com"
(targetattr="*")(version 3.0; acl "example"; allow (write)
userdn="ldap:///self";)

�� ACI�� bjensen�� ڽ�� 丮 �׸� �ִ� �� Ӽ�; ��d�� ִ� �� =; ��Ÿ�4ϴ�.

�� d��

��: ACI�� Ǵ�� ĺ��մϴ�. Ŭ��̾�Ʈ�� ׸�� Ӽ�� ۾�; ��û�ϸ� �� ACI�� Ͽ� �� ۾�; ��ؾ� �� ź��ؾ� �� Ȯ��ϱ� '�� ; ��մϴ�. ��; ��d�� 8�� ACI�� aci �Ӽ�� ִ� �׸�� ' �׸�� Ӽ�� ˴ϴ�.

keyword�� /��; ��Ÿ�4ϴ�. ǥ 6-1�� Ű�� =�� : �� /��; d��մϴ�.

��丮 �׸��̳� ��' Ʈ��

�׸� �Ӽ�

LDAP ��Ϳ� ��ġ�ϴ� �׸��̳� �Ӽ� ��

LDAP ��Ϳ� ��ġ�ϴ� �Ӽ� ��̳� �� v��

��=(=): �� expression�� d�� ü��; ��Ÿ��, �� =(!=): �� expression�� d�� ü�� ƴ�; ��Ÿ�4ϴ�.



��	targattrfilters Ű��忡 ��ؼ�� "�� =" ��ڸ� �� 4ϴ�.

expression: Ű��带 ��Ͽ� ��; �ĺ��ϸ�, �� targetattr=*�� : ǥ��; �� expression; �ο� ��ȣ("")�� մϴ�. �׷�� ˻簡 �� 8�Ƿ� �׻� �ο� ��ȣ�� ؾ� �մϴ�.

ǥ 6-1 LDIF target Ű��
Ű��	/ȿ�� ǥ��	��ϵ�ī��
��	ldap:///distinguished_name	��
targetattr	�Ӽ�	��
targetfilter	LDAP_filter	��
targattrfilters	LDAP_operation:LDAP_filter	��

�� 丮 �׸� ��d

Ưd ��丮 �׸�� ' �׸�; ��8�� d�Ϸx� LDAP URL�� DN�� target Ű��带 ��մϴ�. ��d�� DN: ACI�� d�ǵ� �׸�� ' Ʈ�� 'ġ�ؾ� �մϴ�. �� ǥ�� : ��=�� 4ϴ�.

(target = "ldap:///distinguished_name")
(target != "ldap:///distinguished_name")

��/ �̸�: ACI�� d�ǵ� �׸�� Ʈ�� Ǵ� ��' Ʈ�� 'ġ�ؾ� �մϴ�. �� , ou=People,dc=example,dc=com�� ACI�� =�� : ��; �� ֽ4ϴ�.

DN�� ϵ�ī�带 ��Ͽ� LDAP URL�� ġ�ϴ� �׸�; �� 8�� d�� ֽ4ϴ�. ��=: ��ϵ�ī�带 �ùٷ� �� Դϴ�.


��	�׸�� DN: ��ڿ� ǥ�� / �̸��̾�� մϴ�(RFC 2253). �� ǥ�� DN�� ߿�� ڴ� ��(\)�� Ͽ� �̽��ؾ� �մϴ�. �� =�� 4ϴ�. (target="ldap:///uid=cfuentes,o=Example Bolivia\, S.A.")

uid=*,ou=*,dc=example,dc=com�� ϵ�ī�带 �� ֽ4ϴ�. �� example.com Ʈ�� uid �� ou �Ӽ�� Ե� ��/ �̸�; �� ׸�� ˴ϴ�.

�� Ӽ� ��d

��丮 �׸�; ��8�� d�ϴ� �� ̿ܿ� �� ׸� �ִ� �ϳ� �̻�� Ӽ� �Ǵ� �ϳ� �̻�� Ӽ�; f�� Ӽ�; ��8�� d�� ֽ4ϴ�. �� : �κ�� ׸� d�� ׼�� ϰų� �ź�� 쿡 /��մϴ�. �� d�� ׸�� ̸�, ��, ��ȭ ��ȣ �Ӽ�� ؼ�� ׼�� ֽ4ϴ�. �Ǵ� �� Ϳ� ��: �߿�� d�� ׼�� ź�� ֽ4ϴ�.


��	��/ �̸�� b�̾� �κп�� ϵ�ī�带 �� 4ϴ�. ��, ��丮�� b�̾� c=US�� c=GB�� 쿡�� =�� : ��; ��Ͽ� �� b�̾ ��v�� ��4ϴ�. (target="ldap:///dc=example,c="). uid=bjensen,o=.com�� : ��; �� 4ϴ�.

targetattr ��Ģ�� 8�� ⺻��8��  �Ӽ�� ׼�� 4ϴ�. �� Ӽ�� ׼��Ϸx� targetattr="*"�� Ģ; ��d�ؾ� �մϴ�.

��8�� d�� Ӽ�� ׸��̳� ��' Ʈ�� ݵ�� Ե� �ʿ�� ACI�� Ӽ�� ԵǾ� ��; �� ˴ϴ�. ��8�� d�� Ӽ�: ��Ű�� d�� ʾƵ� �˴ϴ�. ��Ű�� ˻縦 �� 8�� Ϳ� ��Ű�� n�1� �� ׼�� f�� då; �� ֽ4ϴ�.

�� Ӽ�; ��d�Ϸx� targetattr Ű��带 ��ϰ� �Ӽ� �̸�; ��d�մϴ�. targetattr Ű��忡 ��Ǵ� ��: ��=�� 4ϴ�.

targetattr Ű��带 �Ʒ� ��8�� ϸ� �� Ӽ�; ��8�� d�� ֽ4ϴ�.

(targetattr = "attribute1 || attribute2 ... || attributen")
(targetattr != "attribute1 || attribute2 ... || attributen")

�� ׸�� ̸�, ��, uid �Ӽ�; ��8�� d�Ϸx� ��=�� : ��; ��մϴ�.

�� Ӽ�� d�� Ӽ�� ' /�� Ե˴ϴ�. �� , (targetattr = "locality")�� locality;lang-fr�� 8�� d�մϴ�. (targetattr = "locality;lang-fr-ca")�� Ư�� ' /��; ��8�� d�� ֽ4ϴ�.

targetattr ��Ģ�� ϵ�ī�带 �� , Ư�� ǹ̰� ��8�� ϵ� �� 8�Ƿ� �� ʴ� �� }4ϴ�.

�� ׸�� Ӽ� �� d

�⺻��8�� targetattr Ű��尡 ��Ե� ACI�� ACI�� 'ġ�� ִ� �׸�; ��8�� d�մϴ�. ��, ��=�� : ACI�� d�� ʽÿ�.

'�� ACI�� ou=Marketing, dc=example,dc=com �׸� ��ġ�ϸ� ��ü Marketing ��' Ʈ�� ACI�� ˴ϴ�. �� =�� target Ű��带 ��Ͽ� ��8�� ; ��d�� ֽ4ϴ�.

aci: (target="ldap:///uid=*,ou=Marketing,dc=example,dc=com")
(targetattr="uid") (accessControlRules;)

LDAP ��͸� �� ׸� �Ǵ� �Ӽ� ��d

LDAP ��͸� ��Ͽ� Ưd v�ǿ� �´� �׸� ��; ��8�� d�� ֽ4ϴ�. �̷�� Ϸx� targetfilter Ű��带 LDAP ��Ϳ� �Բ� ��մϴ�. ACI�� Ե� �׸�� ' Ʈ�� Ϳ� ��ġ�ϴ� �� ׸� ACI�� ˴ϴ�.

��⼭ LDAPfilter�� ǥ�� LDAP �˻� ��Դϴ�. �� ڼ�� : LDAP �˻� �� v�Ͻʽÿ�.

�� , ��; ��Ÿ�� ׸� d��̳� �� °� �ְ�, �ٹ� �ð�; ��Ÿ�� Ӽ�� 2�� ǥ�õȴٰ� ��d�� ʽÿ�. �� ̳� ��Ʈ Ÿ�� ; ��Ÿ�� ׸�; ��8�� d�Ϸx� ��=�� : ��͸� ��մϴ�.

Netscape Ȯ�� : ACI�� ʽ4ϴ�. �� =�� : �� ʹ� �߸�� Դϴ�.

�׷�� ġ ��Ģ; ��ϴ� �� : ��˴ϴ�. �� =�� 4ϴ�.

�� ʹ� �� ׸�; ACI�� 8�� մϴ�. targetfilter Ű�� targetattr Ű��带 ��Ͽ� �� ׸� ��Ե� �Ӽ�� κ� ��տ� ��Ǵ� ACI�� ۼ�� ֽ4ϴ�.

�Ʒ�� LDIF �� ϸ� Engineering Admins �׷�� Engineering ��~�� ׸�� departmentNumber �� manager �Ӽ�; ��d�� ֽ4ϴ�. �� LDAP ��͸�; ��Ͽ� businessCategory �Ӽ�� Engineering8�� d�� ׸�; ��մϴ�.

dn: dc=example,dc=com
objectClass: top
objectClass: organization
aci: (targetattr="departmentNumber || manager")
(targetfilter="(businessCategory=Engineering)")
(version 3.0; acl "eng-admins-write"; allow (write)
groupdn ="ldap:///cn=Engineering Admins, dc=example,dc=com";)

LDAP ��͸� �� Ӽ� �� d

�׼�� f� ��Ͽ� Ưd �Ӽ� ��; ��8�� d�� 8�Ƿ� �Ӽ� �� ACI�� d�ǵ� v�ǿ� ��յǴ� �� Ӽ�� ; �ο��ϰų� �ź�� ֽ4ϴ�. �Ӽ� ��; ��8�� ׼�� ; �ο��ϰų� �ź��ϴ� ACI�� ACI�� մϴ�.


��	��丮�� Ӽ�� ׸�; ��8�� d�� LDAP ��Ͱ� /��ϱ� �� ʹ� �׼�� Ǵ� ��ü �̸�; ��b ��d�� 8�Ƿ� �� ߻��ϱ⵵ �մϴ�. �Ӽ�; �߰��ϰų� ��f�ϸ� ��͸�� ACI�� ׸� �� ǹǷ� ACI�� LDAP ��͸� ��ϴ� ��쿡�� ldapsearch �۾� �� ͸� ��Ͽ� ��Ͱ� �ùٸ� �׸�� Ӽ�; ��8�� d�ϴ�� Ȯ��ؾ� �մϴ�.

�� , v�� ڿ�� ڽ�� ׸� �ִ� nsRoleDN �Ӽ�; ��d�� ִ� ��; �ο�� ֽ4ϴ�. �� "�ֻ�' �� "�� : �߿� ��: �ڽſ�� Ҵ�� d�Ϸp� �մϴ�. �� LDAP ��͸� ��Ͽ� �Ӽ� �� v��; ��w�ϴ�� ˻�� ֽ4ϴ�.

�� ACI�� ۼ��Ϸx� targattrfilters Ű��带 ��=�� : ��8�� ؾ� �մϴ�.

(targattrfilters="Op=attr1:F1 [(&& attr2:F2)*][;Op=attr:F [(&& attr:F)*]”)

�׸�; �ۼ��ϴ� �� Ͱ� �� ׸�� Ӽ�� Ǹ� �ش� �Ӽ�� ν��Ͻ�� ͸� ��w�ؾ� �մϴ�. �׸�; ��f�ϴ� ��쿡�� Ͱ� �׸�� Ӽ�� Ǹ� �ش� �Ӽ�� ν��Ͻ�� ͸� ��w�ؾ� �մϴ�.

�׸�; ��d�Ͽ� �Ӽ�; �߰��ϴ� �� ش� �Ӽ�� Ǵ� �߰� ��͸� ��w�ؾ� �ϰ�, �Ӽ�; ��f�ϴ� �� ش� �Ӽ�� Ǵ� ��f ��͸� ��w�ؾ� �մϴ�. �׸�� Ӽ� ��; �ٲٴ� ��쿡�� ߰� ��Ϳ� ��f ��͸� �� w�ؾ� �մϴ�.

(targattrfilters="add=nsroleDN:(!(nsRoleDN=cn=superAdmin)) && telephoneNumber:(telephoneNumber=123*)")

�� ͸� ��ϸ� ��ڰ� superAdmin ��; f�� (nsRoleDN �Ӽ�); �ڽ�� ׸� �߰�� 8�� 123 b�ξ �ִ� ��ȭ ��ȣ�� ߰�� ֽ4ϴ�.

�� 丮 �׸�; ��8�� d

�� ׸�; ��8�� d�ϴ� �� : �� =�� : ��ü ��; �� ֽ4ϴ�.


��	Directory Server �ֿܼ�� ACI�� ۼ�� 4ϴ�.

targetfilter Ű��带 ��Ͽ� ��ϴ� �׸񿡸� ǥ�õǴ� �Ӽ� ��; ��d�� ֽ4ϴ�. �� , Directory Server�� ġ�ϴ� �� =�� : ACI�� ۼ��˴ϴ�.

aci: (targetattr="*")(targetfilter=(o=NetscapeRoot))
(version 3.0; acl "Default anonymous access";
allow (read, search) userdn="ldap:///anyone";)

�� ACI�� o �Ӽ�� NetscapeRoot ��; �� o=NetscapeRoot �׸񿡸� ��˴ϴ�.

�̷�� ; �� ߿� ��丮 Ʈ�� Ǹ� �̿� �� ACI�� d�ؾ� �ϴ� ��a�� ֽ4ϴ�.

��ũ�θ� ��Ͽ� �� d��

��ũ�θ� ��Ͽ� ACI�� κп� DN; ��d��8�ν� ��丮�� Ǵ� ACI�� ȭ�� ֽ4ϴ�. �ڼ�� : �� ׼�� f��: ��ũ�� ACI ��; ��v�Ͻʽÿ�.

�� d��

��: �� Ǵ� �źεǴ� �׼�� /��; ��d�մϴ�. ��丮�� Ưd �۾�; �� ִ� ��; ��ϰų� �ź�� 8��, ��d�� ִ� �پ�� ۾� ���̶�� մϴ�.

�׼�� Ǵ� �ź�

��丮 Ʈ�� ׼�� ; ��8�� ϰų� �ź�� ֽ4ϴ�. �׼�� ϴ� �� ź��ϴ� ��쿡 �� ڼ�� ħ: Directory Server Deployment Planning Guide�� "Designing Access Control"; ��v�Ͻʽÿ�.

�� d

��: ��ڰ� ��丮 ��Ϳ� �� ִ� Ưd �۾�; �ڼ�� մϴ�. �� ; �� Ǵ� �ź��ϰų� ��= �� ϳ� �̻�� ; ��d�� ֽ4ϴ�.

�б�. ��ڰ� ��丮 ��͸� ��; �� ִ�� θ� ��Ÿ�4ϴ�. �� : �˻� �۾�� ˴ϴ�.

��. ��ڰ� �Ӽ�; �߰�, ��d �Ǵ� ��f�Ͽ� �׸�; ��d�� ִ�� θ� ��Ÿ�4ϴ�. �� : ��d �۾�� modrdn �۾� ��˴ϴ�.

�߰�. ��ڰ� �׸�; �ۼ�� ִ�� θ� ��Ÿ�4ϴ�. �� : �߰� �۾�� ˴ϴ�.

��f. ��ڰ� �׸�; ��f�� ִ�� θ� ��Ÿ�4ϴ�. �� : ��f �۾�� ˴ϴ�.

�˻�. ��ڰ� ��丮 ��͸� �˻�� ִ�� θ� ��Ÿ�4ϴ�. ��ڴ� �˻� �� б� �� ־�߸� �˻� �� Ϻη� ��ȯ�� ͸� �� ֽ4ϴ�. �� : �˻� �۾�� ˴ϴ�.

��. ��ڰ� �ڽ�� f�� Ϳ� ��丮�� ͸� �� ִ�� θ� ��Ÿ�4ϴ�. �� ; �� 丮�� vȸ�� 4��Ͽ� �� Ǵ� �� ޽�� ȯ�� ڰ� �׸��̳� �Ӽ� ��; �� 4ϴ�. �� : �� ۾�� ˴ϴ�.

��ü ��. ��ڰ� �� ׸�� Ӽ�� ڽ�� DN; �߰��ϰų� ��f�� ִ�� θ� ��Ÿ�4ϴ�. �� Ӽ�� : "��/ �̸�"�̾�� մϴ�. �� : �׷� �� ˴ϴ�. ��ü �� wϽ� �� Բ� �۵��Ͽ�, ��ε�� DN�� ƴ� �wϽ� DN; �׷� �׸� �߰��ϰų� ��f�� ִ� ��; �ο��մϴ�.

�wϽ�. ��d�� DN�� ٸ� �׸�� ; ��Ͽ� �� ׼�� ִ�� θ� ��Ÿ�4ϴ�. ��丮 �� DN; f��ϰ� ��丮�� DN; �� wϽ� �׼�� ; �ο�� ֽ4ϴ�. ��丮 ��ڿ��Դ� �wϽ� ��; �ο�� 4ϴ�. �wϽ� �� ACI �� ڼ�� ֽ4ϴ�.

��n�1�. �� ׼�� : ��d DN �۾�� մϴ�. �� : ��d�� DN�� ׸�; ��n�� ִ�� θ� ��Ÿ�4ϴ�.

��. �� ׼�� : ��d DN �۾�� մϴ�. �� : ��d�� DN�� ׸�; �� ִ�� θ� ��Ÿ�4ϴ�.

��. ��8�� d�� ׸� �б�, ��, �˻�, ��f, �� ü �� d�� DN�� =; ��Ÿ�4ϴ�. �� ׼�� (��): ��8�� d�� ׸� �wϽ�, ��n�1� �� ; f�� ʽ4ϴ�.

��: �� 8�� ο��˴ϴ�. �� , �߰� ��; �� ڴ� �׸�; �ۼ�� f �� Ư�� ο�� : �� ׸�; ��f�� 4ϴ�. �� 丮�� ׼�� f�� då; ��ȹ�� ڿ�� ո�� 8�� ; �ο��ؾ� �մϴ�. �� , �б� ��Ѱ� �˻� ��; �ο�� ʰ� �� Ѹ� �ο��ϴ� ��: �ո�� ʽ4ϴ�.

LDAP �۾� �ʿ��

�� ڿ�� Ϸt� LDAP �۾� /�� ο��ؾ� �ϴ� ��ѿ� �� մϴ�.

�� 캸�� ڰ� ��丮�� ˻�� ֵ�� ϱ� '�� d�ؾ� �ϴ� ��; ��Ȯ�� ֽ4ϴ�. �Ʒ� �˻�; ��d�� ʽÿ�.

(target="ldap:///dc=example,dc=com")
ldapsearch -h host -p port -D "uid=bjensen,dc=example,dc=com" \
-w password -b "dc=example,dc=com" \
"(objectclass=*)" mail

bjensen ��ڿ�� ڽ�� ׸� �˻�; '�� ׼�� ; �ο�� ִ�� Ȯ��Ϸx� �Ʒ� ACI�� մϴ�.

aci: (targetattr = "mail")(version 3.0; acl "self access to \
mail"; allow (read, search) userdn = "ldap:///self";)

�� ACI�� objectclass �Ӽ�� ˻� ��; bjensen�� ο�� ʱ� �� ˻� �� ǥ�õ˴ϴ�. '�� ˻� �۾�� Ϸx� ACI�� =�� d�ؾ� �մϴ�.

aci: (targetattr = "mail || objectclass")(version 3.0; acl \
"self access to mail"; allow (read, search) userdn = \
"ldap:///self";)

��

��⼭ rights�� ǥ�� е� Ű�� 8�� Ű�� ȣ�� ֽ4ϴ�. /ȿ�� Ű�� read, write, add, delete, search, compare, selfwrite, proxy import, export �Ǵ� all�Դϴ�.

all �׼�� : �� ׸� proxy, import �� export ��; f�� ʽ4ϴ�.

�Ʒ� �� ε� ��Ģ�� true�� б�, �˻� �� ׼�� ˴ϴ�.

aci: (target="ldap:///dc=example,dc=com") (version 3.0;acl \
"example"; allow (read, search, compare) bindRule;)

��ε� ��Ģ

Ưd �۾�� 丮�� d�ǵ� ACI�� 丮�� ��ε��ؾ� �մϴ�. ��ε��� ε� DN�� й�ȣ(SSL; ��ϴ� ��쿡�� )�� f��Ͽ� ��丮�� α��ϰų� ��ü ��ϴ� ��; �ǹ��մϴ�. ��ε� �۾� f�� ڰ� �� ε� ȯ�濡 �� 丮�� ׼�� ΰ� ��d�˴ϴ�.

ACI�� d�� ѿ�� ʼ� �� ε� �Ű� �� ڼ�� ϴ� �ش� ��ε� ��Ģ�� ֽ4ϴ�.

�ܼ�� ε� ��Ģ: ��丮�� ׼��ϴ� �� Ưd �׷쿡 ��ؾ� �Ѵٰ� ��d�� ֽ4ϴ�. �� ε� ��Ģ: �� Ưd �׷쿡 ��ؾ� �ϸ� �� 8�ú�� 5�� ̿� Ưd IP �ּ�� ý��ۿ�� α��ؾ� �Ѵٰ� ��d�� ֽ4ϴ�.

��ε� ��Ģ: ��丮�� ׼�� ִ� ��, �׼�� ñ� �� Ҹ� d��մϴ�. �� ü��8��, ��ε� ��Ģ: ��=�� : �׸�; ��d�� ֽ4ϴ�.

�� ο� ��ڷ� �̷�� v��; ��Ͽ� �� ε� ��Ģ; �� ֽ4ϴ�. �ڼ�� : �ο� ��ε� ��Ģ ��; ��v�Ͻʽÿ�.

�� RFC 2251 Lightweight Directory Access Protocol(v3)�� ó�� LDAP �� 򰡿� ��Ǵ� �?�� /�� 3�� ?�� ACI�� ? ǥ��; ��մϴ�. ��, �ڿ� f��8�� ǥ�� 򰡰� �ߴܵ� ��ó�� ǥ�� Ұ� d�ǵ�� =8�� 򰡵Ǿ �� ̸� �ùٷ� ó��մϴ�. d�ǵ�� = �� ο� ǥ��Ŀ�� ߻��8�Ƿ� �׼�� ߸� �ο�� ʽ4ϴ�.

��ε� ��Ģ ��

�׼�� δ� ACI�� ε� ��Ģ�� true�� ο� �� d�˴ϴ�. ��ε� ��Ģ: ��= �� ϳ�� մϴ�.

��⼭ ��=(=): ��ε� ��Ģ�� true�� Ƿx� keyword�� expression�� ġ�ؾ� �Ѵٴ� ��; ��Ÿ��, �� =(!=): keyword�� expression�� ġ�� ʾƾ� �Ѵٴ� ��; ��Ÿ�4ϴ�.


��	timeofday Ű�� ε��(<, <=, >, >=)�� մϴ�. �ε��: �� Ű��忡�� ˴ϴ�.

expression: �ο� ��ȣ("")�� ݷ�(;)8�� ؾ� �մϴ�. �� ִ� ǥ��: �� keyword�� ޶��ϴ�.

�Ʒ� ǥ�� Ű�� ǥ�� 8�� ǥ��Ŀ� ��ϵ�ī�带 �� ִ�� ε� ǥ�õǾ� �ֽ4ϴ�.

ǥ 6-2 LDIF ��ε� ��Ģ Ű��
Ű��	/ȿ�� ǥ��	��ϵ�ī��
userdn	ldap:///distinguished_name ldap:///all ldap:///anyone ldap:///self ldap:///parent ldap:///suffix??sub?(filter)	��(DN��)
groupdn	[ldap:///DN]	�ƴϿ�
roledn	[ldap:///DN]	�ƴϿ�
userattr	attribute#bindType �Ǵ� attribute#value	�ƴϿ�
ip	IP_address	��
dns	DNS_host_name	��
dayofweek	sun mon tue wed thu fri sat	�ƴϿ�
timeofday	0 - 2359	�ƴϿ�
authmethod	none simple ssl sasl authentication_method	�ƴϿ�

�� ׼�� d�� - userdn Ű��

�� ׼�� userdn Ű��带 ��Ͽ� d�ǵ˴ϴ�. userdn Ű��忡�� = �� /ȿ�� / �̸�� ϳ� �̻� �־�� մϴ�.

userdn = "ldap:///dn [|| ldap:///dn]..."
userdn != "ldap:///dn [|| ldap:///dn]..."

��⼭ dn: DN�� ְ� anyone, all, self �Ǵ� parent ǥ�� ϳ�� ֽ4ϴ�. ǥ��: ��=�� : ��ڸ� ��v�մϴ�.

�͸� �׼��(anyone Ű��)


��	��ǥ�� DN�� ߿�� ڴ� ��(\)�� Ͽ� �̽��ؾ� �մϴ�.

��丮�� ͸� �׼�� ο��ϸ� ��ε� DN�̳� ��й�ȣ�� f�� ʾƵ� ��ε� ��Ȳ�� 丮�� ׼�� ֽ4ϴ�. �͸� �׼�� Ưd /�� ׼��(��: �б� �׼�� Ǵ� �˻� �׼��)�� f��ϰų� ��丮�� ׸��̳� Ưd ��' Ʈ�� f�� ֽ4ϴ�. anyone Ű��带 �� ͸� �׼�� ׼�� մϴ�.

�� , ��ü example.com Ʈ�� ͸� �б� �� ˻� �׼�� Ϸx� dc=example,dc=com ��忡 �Ʒ� ACI�� ۼ��մϴ�.

aci: (version 3.0; acl "anonymous-read-search";
allow (read, search) userdn = "ldap:///anyone";)

�Ϲ� �׼��(all Ű��)

��ε� ��Ģ; ��Ͽ� Ưd �� 丮�� 8�� ε�� ; ��Ÿ�� ֽ4ϴ�. �� all Ű�� ׼�� ϹǷ� �͸� �׼�� ϴ� ��ÿ� �Ϲ� �׼�� ֽ4ϴ�.

�� , �� ڿ�� ü Ʈ�� б� �׼�� ; �ο��Ϸx� dc=example,dc=com ��忡 �Ʒ� ACI�� ۼ��մϴ�.

��ü �׼��(self Ű��)

��ڿ�� ڽ�� ׸� �� ׼�� ο��ǰų� �źεǵ�� d�մϴ�. �� ε� DN�� ׸�� DN�� ġ�ϸ� �׼�� ο��ǰų� �źε˴ϴ�.

�� , example.com Ʈ�� ڿ�� userPassword �Ӽ�� ׼�� ; �ο��Ϸx� dc=example,dc=com ��忡 �Ʒ� ACI�� ۼ��մϴ�.

aci: (targetattr = "userPassword") (version 3.0; acl
"modify own password"; allow (write) userdn = "ldap:///self";)

�θ� �׼��(parent Ű��)

��ε� DN�� ׸�� θ�� 쿡�� ڿ�� ׸� �� ׼�� ο��ǰų� �źεǵ�� d�մϴ�. parent Ű��带 ��Ϸx� �� ֿܼ�� 8�� ACI�� ؾ� �մϴ�.

�� , ��ڰ� ��ε� DN�� ڽ� �׸�; ��d�� ְ� �Ϸx� dc=example,dc=com ��忡 �Ʒ� ACI�� ۼ��մϴ�.

LDAP URL

��=�� URL; ��Ϳ� �Բ� ��Ͽ� ACI�� 8�� ڸ� ��d�� ֽ4ϴ�.

�� , example.com Ʈ�� accounting �б�� engineering �б⿡ �ִ� �� ڴ� ��= URL; ��8�� ڿ� �� ׼�� 8�� ο��ǰų� �źε˴ϴ�.

��ϵ�ī��


��	LDAP URL�� ȣ��Ʈ �̸��̳� ��Ʈ ��ȣ�� d�� ʽÿ�. LDAP URL: �׻� �� ˴ϴ�.

��ϵ�ī�� (*)�� Ͽ� �� ; ��d�� ֽ4ϴ�. �� , �� DN; uid=b*,dc=example,dc=com8�� d�ϸ� ��ε� DN�� b ��ڷ� ��ϴ� ��ڿ��Ը� ��d�� ; ��8�� ׼�� ο��ǰų� �źε˴ϴ�.

LDAP URL�� ?�� OR

�� b�ٿ� �� Ģ; �ۼ��Ϸx� �� LDAP URL�̳� Ű�� ǥ��; ��d�մϴ�. �� =�� 4ϴ�.

��ڰ� DN �� ϳ�� Ͽ� ��ε��ϸ� ��ε� ��Ģ: true�� ˴ϴ�.

Ưd LDAP URL f��

�� =(!=) ��ڸ� ��Ͽ� Ưd URL�̳� DN; f��ϴ� �� b��; d��մϴ�. �� =�� 4ϴ�.

Ŭ��̾�Ʈ�� accounting ��' Ʈ�� ִ� UID �� / �̸�8�� ε�� 8�� ε� ��Ģ: true�� ˴ϴ�. �� ε� ��Ģ: �� ׸�� 丮 Ʈ�� accounting �б� �̿�� 'ġ�� ִ� ��쿡�� ˴ϴ�.

�׷� �׼�� d�� - groupdn Ű��

Ưd �׷�� ڿ� �׼��ϴ� ��; �׷� �׼���� մϴ�. ��ڰ� Ưd �׷쿡 �� DN; ��Ͽ� ��ε�� ׸� �� ׼�� ο��ǰų� �źεǵ�� d�Ϸx� groupdn Ű��带 ��Ͽ� �׷� �׼�� d��մϴ�.

groupdn Ű��忡�� ̻� �׷�� / �̸�� =�� : ��8�� ʿ��մϴ�.

��ε� DN�� groupDNs8�� d�� ׷쿡 ��ϸ� ��ε� ��Ģ: true�� ˴ϴ�. ��= �� groupdn Ű��带 �� f��մϴ�.

�� LDAP URL


��	��ǥ�� DN�� ߿�� ڴ� ��(\)�� Ͽ� �̽��ؾ� �մϴ�.

��ε� DN�� Administrators �׷쿡 ��ϸ� ��ε� ��Ģ: true�� ˴ϴ�. Administrators �׷쿡 ��ü ��丮 Ʈ�� ; �ο��Ϸx� dc=example,dc=com ��忡 �Ʒ� ACI�� ۼ��մϴ�.

aci: (version 3.0; acl "Administrators-write"; allow (write)
groupdn="ldap:///cn=Administrators,dc=example,dc=com";)

LDAP URL�� ?�� OR

groupdn = "ldap:///cn=Administrators,dc=example,dc=com ||
ldap:///cn=Mail Administrators,dc=example,dc=com";

��ε� DN�� Administrators �׷��̳� Mail Administrators �׷쿡 ��ϸ� ��ε� ��Ģ: true�� ˴ϴ�.

�� ׼�� d�� - roledn Ű��

Ưd �� ڿ� �׼��ϴ� ��; �� ׼���� մϴ�. ��ڰ� Ưd ��ҿ� �� DN; ��Ͽ� ��ε��ϴ� �� ׸� �� ׼�� ο��ǰų� �źεǵ�� d�Ϸx� roledn Ű��带 ��Ͽ� �� ׼�� d��մϴ�.

roledn Ű��忡�� = �� /ȿ�� / �̸�� ϳ� �̻� �־�� մϴ�.

��ε� DN�� d�� ҿ� ��ϸ� ��ε� ��Ģ: true�� ˴ϴ�.

�� ġ�� ׼�� d��

��丮�� ε��ϴ� �� Ǵ� �׸�� Ӽ� �� ׸�� Ӽ� �� ġ�ϵ�� d�ϴ� ��ε� ��Ģ; ��d�� ֽ4ϴ�.


��	��ǥ�� DN�� ߿�� ڴ� ��(\)�� Ͽ� �̽��ؾ� �մϴ�.

�� , ��ε� DN�� ׸�� manager �Ӽ�� ִ� DN�� ġ�� 쿡�� ACI�� ϵ�� d�� ֽ4ϴ�. �� ڸ� �׸� �׼�� ֽ4ϴ�.

�� DN ��ġ�� 8�� ε忡 �� ׸�� Ӽ�; �� ׸�� ġ��ų �� ֽ4ϴ�. �� , favoriteDrink �Ӽ�� "beer"�� ڰ� �� favoriteDrink ��; �� ٸ� �� ׸�; ��; �� ֵ�� ϴ� ACI�� ۼ�� ֽ4ϴ�.

userattr Ű��

userattr Ű��带 ��Ͽ� ��ε忡 �� ׸�� ׸� �� ġ��ų �Ӽ� ��; ��d�� ֽ4ϴ�.

�� DN, �׷� DN, �� DN�̳� LDAP �� ̿�� ʿ�� Ӽ� /��; ��ϴ� �� LDIF ��: ��=�� 4ϴ�.


��	�� Ŭ��(CoS) d�ǿ�� Ӽ�: userattr Ű�� Բ� �� 4ϴ�. �� CoS�� Ӽ� ��; ��ϴ� ��ε� ��Ģ�� Ե� ACI�� ۵�� ʽ4ϴ�.

��= �� userattr Ű��带 �پ�� ε� /�� Բ� ��ϴ� �� Ұ��մϴ�.

USERDN ��ε� /��; ��

�� DN; ��8�� ϴ� ��ε忡 �� userattr Ű�� =�� 4ϴ�.

��ε� DN�� ׸�� manager �Ӽ� �� ġ�ϸ� ��ε� ��Ģ: true�� ˴ϴ�. �� ; ��ϸ� �� ڰ� �� Ӽ�; ��d�� ֽ4ϴ�. �� : �� ׸�� manager �Ӽ�� ü DN8�� ǥ�õ� ��쿡�� ۵��մϴ�.

aci: (target="ldap:///dc=example,dc=com")(targetattr="*")
(version 3.0;acl "manager-write";
allow (all) userattr = "manager#USERDN";)

GROUPDN ��ε� /��; ��

�׷� DN; ��8�� ϴ� ��ε忡 �� userattr Ű�� =�� 4ϴ�.

��ε� DN�� ׸�� owner �Ӽ�� d�� ׷�� ̸� ��ε� ��Ģ: true�� ˴ϴ�. �� , �� ; ��Ͽ� �׷�� d�� ϵ�� ֽ4ϴ�. �Ӽ�� ׷� �׸�� DN�� ԵǾ� ��8�� owner �̿�� Ӽ�; �� ֽ4ϴ�.

��ڰ� ��Ű�� ׷�: �� ׷�� 8��, �׷� DN: ��丮�� b�̾ 'ġ�� ֽ4ϴ�. �� /�� ACI�� Ϸx� ��: �ڿ�� ʿ��մϴ�.

�� ׸�� b�̾ �ִ� d�� ׷�; ��ϴ� �� =�� : ǥ��; �� ֽ4ϴ�.

�� ׷� �׸�: dc=example,dc=com b�̾ �ֽ4ϴ�. �� /�� : �� ó�� ֽ4ϴ�.

ROLEDN ��ε� /��; ��

�� DN; ��8�� ϴ� ��ε忡 �� userattr Ű�� =�� 4ϴ�.

��ε� DN�� ׸�� exampleEmployeeReportsTo �Ӽ�� d�� ҿ� ��ϸ� ��ε� ��Ģ: true�� ˴ϴ�. �� , ȸ�� ڿ� �� ø�� ; �ۼ�� ; ��Ͽ� �� ڰ� �ڽź�� : �� d�� ׼�� ֵ�� ׼�� ; �ο�� ֽ4ϴ�.

�� DN: ��丮�� b�̾ 'ġ�� ֽ4ϴ�. �� ͸�� ; ��ϴ� �� /�� ACI�� Ϸx� ��: �� ڿ�� ʿ��մϴ�.

LDAPURL ��ε� /��; ��

LDAP ��͸� ��8�� ϴ� ��ε忡 �� userattr Ű�� =�� 4ϴ�.

��ε� DN�� ׸�� myfilter �Ӽ�� d�� Ϳ� ��ġ�ϸ� ��ε� ��Ģ: true�� ˴ϴ�. myfilter �Ӽ�; LDAP ��Ͱ� ��Ե� �Ӽ�8�� ٲ� �� ֽ4ϴ�.

�Ӽ� �� ִ� ��

�Ӽ� ��; ��8�� ϴ� ��ε忡 �� userattr Ű�� =�� 4ϴ�.

��ε� DN�� DN�� Ե� favoriteDrink �Ӽ� �� Beer�̸� ��ε� ��Ģ: true�� ˴ϴ�.

�� ɰ� �Բ� userattr Ű��

userattr Ű��带 ��Ͽ� ��ε忡 �� ׸�; �� ׸�� ϸ� ACI�� d�� 󿡸� ��ǰ� ��' �׸񿡴� �� ʽ4ϴ�. ACI�� ?�; �� ׸񺸴� �� Ʒ�� Ȯ��Ϸt� �� parent Ű��带 ��ϰ� ACI�� Ʒ�� d�մϴ�.

userattr Ű��带 parent Ű�� Բ� ��ϴ� ��: ��=�� 4ϴ�.

��ε� DN�� ׸�� manager �Ӽ�� ġ�ϸ� �� ε� ��Ģ: true�� ˴ϴ�. ��ε� ��Ģ�� true�� 򰡵� �� ο�� : �� ׸� �� ٷ� �Ʒ�� ׸� ��˴ϴ�.

userattr ��; ��

�Ʒ� �׸�� bjensen ��ڰ� cn=Profiles �׸� �� cn=mail�� cn=news�� Ե� ù �� ڽ� �׸�; �а� �˻�� =; ��Ÿ�4ϴ�.

userattr Ű��带 �� ߰� �� ο�

userattr Ű��带 all �Ǵ� add ��Ѱ� �Բ� ��ϸ� �� ޸� �۵�� ֽ4ϴ�. �Ϲ��8�� Directory Server�� 丮�� ׸�; �ۼ�� θ� �׸�� ƴ� �ۼ��Ǵ� �׸� �� ׼�� ; ��մϴ�. �� userattr Ű��带 ��ϴ� ACI�� 8�� a�� 8�Ƿ� d�� d�˴ϴ�.

aci: (target="ldap:///dc=example,dc=com")(targetattr="*")
(version 3.0; acl "manager-write"; allow (all)
userattr = "manager#USERDN";)

�� ACI�� ڿ�� ϴ� �� ׸� �� ; ��ڿ�� ο��մϴ�. �� ACI /��; �� ۼ��Ǵ� �׸� ��ؼ�� ׼�� 򰡵ǹǷ� �� ڽ�� DN8�� d�� manager �Ӽ�; �� ׸�; �ۼ�� ֽ4ϴ�. �� , �Ҹ�; ǰ: �� Joe(cn=Joe,ou=eng,dc=example,dc=com)�� Ʈ�� Human Resources �б⿡ �׸�; �ۼ��Ͽ� Human Resources �� ο�� ; ��(�Ǵ� ��)�� ֽ4ϴ�.

dn: cn= Trojan Horse,ou=Human Resources,dc=example,dc=com
objectclass: top
...
cn: Trojan Horse
manager: cn=Joe,ou=eng,dc=example,dc=com

�̷�� f�� ϱ� '�� ACI �� wμ�� 0, �� ׸� ��ü�� ߰� ��; �ο�� ʽ4ϴ�. �� parent Ű��带 ��Ͽ� ��x �׸� �Ʒ�� ߰� ��; �ο�� ֽ4ϴ�. �� ߰� ��ѿ� �� θ� �Ʒ�� d�ؾ� �մϴ�. �� , �Ʒ� ACI�� manager �Ӽ�� ε� DN�� ġ�ϴ� dc=example,dc=com�� ׸� �ڽ� �׸�; �߰�� ֽ4ϴ�.

aci: (target="ldap:///dc=example,dc=com")(targetattr="*")
(version 3.0; acl "parent-access"; allow (add)
userattr = "parent[0,1].manager#USERDN";)

�� ACI�� ϸ� ��ε� DN�� θ� �׸�� manager �Ӽ�� ġ�ϴ� ��ڿ��Ը� �߰� �� ο��˴ϴ�.

Ưd IP �ּҷκ�� ׼�� d��

��ε� ��Ģ; ��Ͽ� ��ε� �۾�� ݵ�� Ưd IP �ּҷκ�� ۵ǵ�� d�� ֽ4ϴ�. �� ׼�� d�Ǵ� �ַ� Ưd �ý��̳� ��Ʈ��ũ ��ο�� 丮 ��Ʈ�� ϵ�� f�ϴ� �� ˴ϴ�.

IP �ּҸ� ��8�� ε� ��Ģ; ��d�ϴ� LDIF ��: ��=�� 4ϴ�.

IPaddressList�� = �� ϳ� �̻�� Ұ� ��ǥ�� е� ��Դϴ�.

��丮�� ׼��ϴ� Ŭ��̾�Ʈ�� d�� IP �ּҿ� 'ġ�� 8�� ε� ��Ģ: true�� ˴ϴ�. �� : Ưd �� Ǵ� �ý��8�κ�� Ưd ��丮 �׼�� ϴ� ��쿡 /��մϴ�. ��ڰ� ��ϴ� IP �ּҴ� 'v�� 8�Ƿ� �ŷ�� 4ϴ�. �� d�� Ͽ� ACI�� ۼ�� ʽÿ�.

�� ܼ�� ׼�� f�� ⸦ ��Ͽ� ACI�� Ǵ� Ưd �ý��; d�� ֽ4ϴ�. �ڼ�� : �ֿܼ�� ACI �ۼ�; ��v�Ͻʽÿ�.

Ưd ��8�κ�� ׼�� d��

��ε� ��Ģ: ��ε� �۾�� ݵ�� Ưd ��̳� ȣ��Ʈ �ý��8�κ�� ۵ǵ�� d�� ֽ4ϴ�. �� ׼�� d�Ǵ� �ַ� Ưd �ý��̳� ��Ʈ��ũ ��ο�� 丮 ��Ʈ�� ϵ�� f�ϴ� �� ˴ϴ�.

DNS ȣ��Ʈ �̸�; ��8�� ε� ��Ģ; ��d�ϴ� LDIF ��: ��=�� 4ϴ�.


��	dns Ű��带 ��Ϸx� �ý��ۿ�� DNS�� ̸� ��d ��񽺷� ��ؾ� �մϴ�. DNS�� ̸� ��d ��񽺷� �� ʴ� ��쿡�� ip Ű��带 ��ؾ� �մϴ�.

dns Ű��忡�� ü DNS �� ̸�; ��d�ؾ� �մϴ�. ��; ��d�� ʰ� ȣ��Ʈ�� ׼�� ; �ο��ϸ� �� f�� ߻�� ֽ4ϴ�. �� , �Ʒ� ǥ��: �� ٶ�� ʽ4ϴ�.

��丮�� ׼��ϴ� Ŭ��̾�Ʈ�� d�� ο� 'ġ�� 8�� ε� ��Ģ: true�� ˴ϴ�. �� : Ưd ��8�κ�� ׼�� ϴ� ��쿡 /��մϴ�. �ý��ۿ�� DNS �̿�� ̸� ��d ��񽺸� ��ϸ� ��ϵ�ī�� ۵�� ʽ4ϴ�. �� ׼�� Ưd ��8�� f��Ϸx� Ưd IP �ּҷκ�� ׼�� d�� ó�� ip Ű��带 ��մϴ�.

Ưd �ð� �Ǵ� �� ׼�� d��

Ưd �ð��̳� Ưd ��Ͽ�� ε�� ֵ�� ε� ��Ģ; ��d�� ֽ4ϴ�. �� , ��Ϻ�� ݿ��ϱ�� 8�ÿ� �� 5�� ̿�� ׼�� ϴ� ��Ģ; ��d�� ֽ4ϴ�. �׼�� 򰡿� ��Ǵ� �ð�: Ŭ��̾�Ʈ �ð�� ƴ� Directory Server �ð��Դϴ�.

�ð�; ��8�� ε� ��Ģ; ��d�ϴ� LDIF ��: ��=�� 4ϴ�.

��⼭ operator�� =(=), �� =(!=), �� ŭ(>), ũ�ų� ��=(>=), �� =(<), �۰ų� ��=(<=) �� ϳ��Դϴ�. time: 24�ð� �ð�� ð�� ; ��Ÿ�� 4�ڸ�� ǥ��˴ϴ�(0 - 2359). �� =�� 4ϴ�.

timeofday = "1200";: �ý�� Ŭ�� d�8� ��Ű�� 1�� Ŭ��̾�Ʈ�� 丮�� ׼�� true�� ˴ϴ�.

timeofday != "0100";: �� 1�� ̿�� ð�� ׼�� true�� ˴ϴ�.

timeofday > "0800";: �� 8:01�� 11:59�� ð�� ׼�� true�� ˴ϴ�.

timeofday >= "0800";: �� 8:00�� 11:59�� ð�� ׼�� true�� ˴ϴ�.

timeofday < "1800";: ��d 12:00�� 5:59�� ð�� ׼�� true�� ˴ϴ�.



��	timeofday �� dayofweek ��ε� ��Ģ�� 򰡿� ��Ǵ� �ð�� ¥�� Ŭ��̾�Ʈ �ð�� ƴ� ��丮 �� ð��Դϴ�.

��; ��8�� ε� ��Ģ; ��d�ϴ� LDIF ��: ��=�� 4ϴ�.

dayofweek Ű��忡�� ; ��Ÿ�� 3�� (sun, mon, tue, wed, thu, fri, sat)�� d�մϴ�. �׼�� ο��Ϸt� ��; �� d�մϴ�. �� =�� 4ϴ�.

��ŵ� �� ϳ�� 丮�� ׼��ϸ� ��ε� ��Ģ: true�� ˴ϴ�.

�� ׼�� d��

Ŭ��̾�Ʈ�� Ưd �� ; ��Ͽ� ��丮�� ε��ϵ�� ε� ��Ģ; ��d�� ֽ4ϴ�. �� ִ� �� : ��=�� 4ϴ�.

��⼭ authentication_method�� none, simple, ssl �Ǵ� sasl sasl_mechanism�Դϴ�. �� =�� 4ϴ�.

��

�ο� ��ε� ��Ģ ��

�ο� �� AND, OR, NOT; ��Ͽ� �� ׼�� Ģ; ��d�ϴ� �� ε� ��Ģ; �ۼ�� ֽ4ϴ�.

Directory Server �ܼ�; ��Ͽ� �ο� ��ε� ��Ģ; �� 4ϴ�. LDIF ��ɹ�; �ۼ��ؾ� �մϴ�.

�ο� ��ε� ��Ģ; �� ׻� ��ȣ�� Ͽ� �� Ģ�� d��ؾ� �մϴ�.

�ڿ� �ִ� ��ݷ�(;): �ʼ� �� ȣ�μ� ��~ ��Ģ �ڿ� �ݵ�� Է��ؾ� �մϴ�.

�� bindRuleA�� ϰ�, bindRuleB �� Ǵ� bindRuleC �� bindRuleD ��8�� ε��Ϸx� ��= ��; ��Ͻʽÿ�.

�ٸ� �� ϴ� ��, ��ε� DN Ŭ��̾�Ʈ�� example.com �� ׼�� ְ� �� ׷��̳� �� ޷� �� ׷�� ̶�� = ��ε� ��Ģ�� true�� 򰡵˴ϴ�.

(dns = "*.example.com" and
(groupdn = "ldap:///cn=administrators,dc=example,dc=com" or
(groupdn = "ldap:///cn=mail administrators,dc=example,dc=com" and
groupdn = "ldap:///cn=calendar administrators,dc=example,dc=com"));)

��ٿ�� ACI �ۼ�

LDIF ��ɹ�; ��Ͽ� ��8�� ׼�� f�� ; �ۼ�� = ldapmodify ��; ��Ͽ� ��丮 Ʈ�� ߰�� ֽ4ϴ�. ACI ��: �ſ� �� 8�Ƿ� ��x ��; �� ̸� ��Ͽ� �� ; �ۼ��ϴ� �� }4ϴ�.

ACI �Ӽ� ��

ACI�� ϳ� �̻�� aci �Ӽ� ��8�� ׸� ��˴ϴ�. aci �Ӽ�: ��丮 ��ڰ� �а� ��d�� ִ� �� ; �� ۵� �� Ӽ�8��, �� Ӽ� ��ü�� ACI�� ȣ�ؾ� �մϴ�. ��ü�� ִ� ��ڴ� aci �Ӽ�� ü �׼�� ; �� = �� 8�� Ӽ� ��; �� ֽ4ϴ�.

�Ϲ� ��⿡�� ٸ� �� : ��8�� aci �Ӽ� ��; �� ֽ4ϴ�. Directory Server �ܼ�� ֻ�' �� 丮 �ǿ�� ACI�� ִ� �׸�; ��콺 �8�� ư8�� Ϲ� �� ޴� �׸�; ��մϴ�. �� aci ��: ��ü�� ڿ��̱� �� ȭ ��ڿ�� ϱ�� ƽ4ϴ�.

�� 쿡�� 丮 Ʈ�� ش� �׸�; ��콺 �8�� ư8�� ׼�� d �޴� �׸�; ��Ͽ� �׼�� f�� ⸦ �� ֽ4ϴ�. ACI �� ϰ� ��; �� = ��8�� ; �� ش� aci ��; ǥ��մϴ�. ACI �� ð� ��⸦ ��ȯ�Ͽ� aci �� ; �� ֽ4ϴ�.

��  üf�� Ϲ� ��⳪ �� ׼�� f�� ⿡�� aci ��; ��Ͽ� LDIF ��Ͽ� �ٿ��; �� ֽ4ϴ�. �� ִ� ��ڴ� �Ʒ�� ldapsearch ��; ��Ͽ� �׸�� ACI �Ӽ�; �� ֽ4ϴ�.

ldapsearch -h host -p port -D "cn=Directory Manager" -w password \
-b entryDN -s base "(objectclass=*)" aci

�� LDIF �ؽ�Ʈ�� ǥ�õǸ�, �� ؽ�Ʈ�� LDIF ACI d�ǿ� ��Ͽ� �� ֽ4ϴ�. ACI �� ڿ��̱� �� ldapsearch �۾�� : �� ٿ� �� ǥ�õǸ�, ù ĭ�� 8�� ӵ� ��; ��Ÿ�4ϴ�. �̸� ��ؼ� LDIF ��; ��Ͽ� �ٿ��ֽ4ϴ�.


��	aci �� ο��ǰų� �źεǴ� ��; Ȯ��Ϸx� /ȿ �� v�Ͻʽÿ�.

�ֿܼ�� ACI �ۼ�

��丮�� aci �Ӽ�� ִ� �׸�; ǥ��ϵ�� Directory Server �ܼ�; �� ֽ4ϴ�. �� ÷��̸� ��ȯ�Ϸx� �� > ǥ�� > ACI �� ޴� �׸�; ��ϰų� �� մϴ�. �ֻ�' �� 丮 �ǿ� ��ŵ� �� ׸� �ڿ� �ش� aci �Ӽ�� d�ǵ� ACI �� ǥ�õ˴ϴ�. �׷� �Ŀ� Directory Server �ܼ�; ��Ͽ� ��丮�� ׼�� f�� ; ��ų� �ۼ��ϰ� �� f�� ֽ4ϴ�.

Directory Server �� då�� Ϲ��8�� Ǵ� �׼�� f�� Ģ ��=�� Directory Server �ܼ�; ��Ͽ� �׼�� f�� Ģ; �ۼ��ϴ� �ܰ躰 ��ħ: �׼�� f�� v�Ͻʽÿ�.

�Ϻ� �� ACI�� ð�� ׼�� f�� ⿡�� 4ϴ�. Ư�� ׼�� f�� ⿡�� =�� : �۾�: �� 4ϴ�.

�׸�� ACI ��


��	�׼�� f�� ⿡�� 8�� ư; �� f�� ׷�� ̽�� ; LDIF ǥ�÷� Ȯ�� ֽ4ϴ�.

Directory Server �ܼ�� ֻ�' �� 丮 �ǿ�� 丮 Ʈ�� Ž��Ͽ� �׼�� f� ��d�� ׸�; ǥ��մϴ�. ACI�� Ϸx� ��丮 ��(directory administrator) �Ǵ� ��丮 ��(directory manager) �� ־�� մϴ�.

�׸�; ��콺 �8�� ư8�� ˾� �޴�� ׼�� d; ��մϴ�. �Ǵ� �׸�; �� 콺 ��ư8�� = ��ü �޴�� ׼�� d; ��մϴ�.

�Ʒ� �׸�� ׼�� f�� ȭ ��ڰ� ǥ�õ˴ϴ�. �� ȭ ��ڿ�� ׸� d�ǵ� �� ACI�� ǥ�õǸ� ACI�� ϰų� f��ϰ� �� ACI�� ۼ�� ֽ4ϴ�.

�׸� 6-2 �׼�� f�� ȭ ��
ou=People,dc=example,dc=com�� ׼�� f�� â �� ׸񿡼� d�ǵ� ACI�� ڿ� ��

��ӵ� ACI ǥ�� Ȯ�ζ�; ��ϸ� �� ׸�� θ� �� d�ǵ� ACI�� ׸� ��Ǵ� ACI�� ǥ�õ˴ϴ�. ��ӵ� ACI�� ϰų� f�� 8�Ƿ� �ش� ACI�� d�ǵ� �׸񿡼� ��ؾ� �մϴ�.

�� ü�� ü ��' Ʈ�� ׼�� ; d��Ϸx� �� ⸦ ��ϴ�. �׸� 6-3�� ACI ��Ⱑ ǥ�õ˴ϴ�.

�׸� 6-3 ACI �� ȭ ��
ou=People,dc=example,dc=com�� ACI �� â �� ACI�� d��ϴ� �׷�� ̽�

�� ȭ �� '�� ִ� ACI �̸�: ACI�� 8�� ׼�� f�� ȭ ��ڿ� ǥ�õ˴ϴ�. ACI�� ϴ� �̸�; ��d�ϸ� ��丮��, Ư�� ׸񿡼� ��ӵ� ACI�� ACI�� ֽ4ϴ�.

�׼�� f�� ; ��ϸ� �׼�� ο��ǰų� �źε� ��, �׼�� ̰ų� �׼�� f�ѵ� ��, �� ȣ��Ʈ �̸� �� ۵� �ð�� : �� Ű� �� d�� ֽ4ϴ�. �׼�� f�� ʵ忡 �� ڼ�� : �¶�� ; ��v�Ͻʽÿ�.

ACI �� : ACI �� ; �׷��8�� ǥ��մϴ�. �ؽ�Ʈ�� ACI ��; �� Ϸx� ��8�� ; ��ϴ�. �ؽ�Ʈ ��⿡�� ǿ�� d�� ACI�� d�� ֽ4ϴ�. �� ACI ��; �� Ŀ�� ; �� �ʴ�� �� ̻� �ð��8�� ACI�� 4ϴ�.

�� ACI �ۼ�

�׼�� f�� ⸦ ǥ��մϴ�.

�� ۾� ��ؼ�� ׸�� ACI �� մϴ�.

�׸� 6-3�� ٸ�� ǥ�õǸ� �ð��8�� ư; ��ϴ�.

ACI �̸� �ؽ�Ʈ ��ڿ� �̸�; �Է��Ͽ� ACI�� d�մϴ�.

ACI�� /�ϰ� �ĺ��ϴ� ��ڿ�; �̸�8�� ֽ4ϴ�. �̸�; �Է�� 8�� ̸� �� ACI�� մϴ�.

��/�׷� �ǿ�� ڸ� ��v ǥ��ϰų� �߰� ��ư; �� 丮�� ߰�� ڸ� �˻��Ͽ� �׼�� ; �ο�� ڸ� ��մϴ�.

�� ׷� �߰� â�� =; ��մϴ�.

��Ӵٿ� ��Ͽ�� ˻� ��; ��ϰ� �˻� �ʵ忡 �˻� ��ڿ�; �Է�� = �˻� ��ư; ��ϴ�.

�Ʒ� ��Ͽ� �˻� �� ǥ�õ˴ϴ�.

�˻� �� Ͽ�� ϴ� �׸�; ��v ǥ�� = �߰� ��ư; �� ׼�� ִ� �׸� ��Ͽ� �߰��մϴ�.

Ȯ��; �� ׷� �߰� â; �ݽ4ϴ�.

��f �� ׸�� ACI �� /�׷� �ǿ� ǥ�õ˴ϴ�.

�׼�� f�� ⿡�� ; �� Ȯ�ζ�; ��Ͽ� �ο�� ; ��մϴ�.

�� ; �� = �� ׸�; �� ACI �� 带 ǥ��մϴ�.

�� DN ��; �� DN: �� ׸�� b �Ǵ� ��b �ڽ��̾�� մϴ�.

�� ' Ʈ�� ִ� �Ϻ� �׸񿡸� ACI�� Ϸx� ��' �׸�� ʵ忡 ��͸� �Է��ؾ� �մϴ�.

�� Ӽ� ��Ͽ�� Ӽ�; ��ϸ� Ưd �Ӽ�� ACI�� ǵ�� '�� f�� ֽ4ϴ�.

ȣ��Ʈ ��; �� = �߰� ��ư; �� ȣ��Ʈ �� ߰� ��ȭ ��ڸ� ǥ��մϴ�.

ȣ��Ʈ �̸��̳� IP �ּҸ� ��d�� ֽ4ϴ�. IP �ּҸ� ��d�� ϵ�ī�� (*)�� ֽ4ϴ�.

�ð� ��; �� ׼�� ð�; ��Ÿ�� ̺�; ǥ��մϴ�.

�⺻��8�� ׻� �׼�� ˴ϴ�. ��̺�; �� ¿�� Ŀ�� ׼�� ð�; �� ֽ4ϴ�. �ð� ��; ��8�� 4ϴ�.

ACI �� Ȯ��; ��ϴ�.

ACI ��Ⱑ �� ACI �� â�� ACI�� ǥ�õ˴ϴ�.



��	ACI �ۼ� �߿� ��f�� 8�� ư; �� Է� ��뿡 �ش��ϴ� LDIF ��ɹ�; ǥ�� ֽ4ϴ�. �� ɹ�; ��d�� ׷�� ̽�� ׻� ǥ�õǴ� ��: �ƴմϴ�.

ACI ��

ACI ��f

�׼�� f��

�� ISP ��ü�� example.com�� ׼�� f�� då; ��ϴ� �� f��մϴ�. �� ܼ� �� LDIF ��; ��Ͽ� ��d�� ۾�; ��ϴ� �� մϴ�.

example.com: % ȣ�� 񽺿� ��ͳ� �׼�� f��ϸ� % ȣ�� Ϻη� Ŭ��̾�Ʈ �� 丮�� ȣ��մϴ�. example.com: ��f�� ߼� ��(Company333�� Company999)�� 丮�� ȣ��ϰ� ��8�� Ϻ� �� ۾� ��մϴ�. �� ټ�� ڿ�� ͳ� �׼�� f��մϴ�.

example.com ��鿡�� ü example.com Ʈ�� а�, �˻� �� ִ� �͸� �׼�� ο�(�͸� �׼�� ο� ��v)

example.com ��鿡�� homeTelephoneNumber, homeAddress �� d�� ο�(�� ׸� �� ׼�� ο� ��v)

example.com ��鿡�� ߿�� Ưd ��; f�� ; �ڽ�� ׸� �߰�� ִ� �� ο�(�߿� ��ҿ� �� ׼�� f�� v)

example.com Human Resources �׷쿡 People �б�� ׸� �� ο�(�׷쿡 b�̾ �� ü �׼�� ο� ��v)

example.com ��鿡�� 丮�� Social Committee �б⿡ �׷� �׸�; �ۼ�� ִ� ��Ѱ� ��/�� ׷� �׸�; ��f�� ִ� �� ο�(�׷� �׸� �߰� �� f �� ο� ��v)

example.com ��鿡�� 丮�� Social Committee �б�� ׷� �׸� �ڽ�; �߰�� ִ� �� ο�(��ڰ� �׷쿡 �ڽ�; �߰� �Ǵ� f�� ֵ�� v)

SSL ��, �ð� �� ¥ f��, ��d�� 'ġ�� : Ưd v��; ��Ͽ� Company333 �� Company999�� 丮 ��(��)�� 丮 Ʈ�� ش� �б⿡ �� ׼�� ο�(�׷��̳� ��ҿ� v�Ǻ� �׼�� ο� ��v)

�� ڿ�� ڽ�� ׸� �� ׼�� ο�(�� ׸� �� ׼�� ο� ��v)

�� ڰ� �ڽ�� ׸� �ִ� ��f d�� ׼�� ϵ�� ź�(�׼�� ź� ��v)

Ư�� Ͽ� ǥ�� ʵ�� û�� ڸ� f��ϰ� �� ' Ʈ�� ͸� �׼�� ο�. ��丮�� κ�: ��ȭ�� ܺ�� ̺� �� Ϸ翡 �� Ʈ�� ֽ4ϴ�. �͸� �׼�� ο� �� ͸�; �� d; ��v�Ͻʽÿ�.

�͸� �׼�� ο�

��κ�� 丮�� б�, �˻� �Ǵ� �񱳸� '�� ϳ� �̻�� b�̾ �͸�8�� ׼�� ֵ�� մϴ�. �� , ��ȭ ��ȣ�� ˻�� ִ� �λ� ��丮�� ϴ� �� ̷�� ; ��d�� ֽ4ϴ�. example.com �� 찡 �̿� �ش��ϸ� ACI "Anonymous example.com" �� ڼ�� մϴ�.

�� example.com: ISP�μ� �� ̿�� ִ� �� ȭ ��ȣ�θ� �ۼ��Ͽ� �� ó d�� f��Ϸp� �մϴ�. ��⿡ ��ؼ�� ACI "Anonymous World" �� մϴ�.

ACI "Anonymous example.com"

example.com ��鿡�� ü example.com Ʈ�� б�, �˻� �� ; �ο��Ϸx� LDIF�� Ʒ� ��ɹ�; �ۼ��մϴ�.

aci: (targetattr !="userPassword")(version 3.0; acl "Anonymous
example"; allow (read, search, compare)
userdn= "ldap:///anyone" and dns="*.example.com";)

�� dc=example,dc=com �׸� aci�� ߰��Ѵٰ� ��d�մϴ�. userPassword �Ӽ�: ACI ��'�� f�ܵ˴ϴ�.

��丮 �� Ž�� Ʈ�� example.com ��带 ��콺 �8�� ư8�� ˾� �޴�� ׼�� d; ��Ͽ� �׼�� f�� ڸ� ǥ��մϴ�.

�� ⸦ �� ׼�� f�� ⸦ ǥ��մϴ�.

��/�׷� �� ACI �̸� �ʵ忡 "Anonymous example.com"; �Է��մϴ�. �׼�� ο�� Ͽ� �� ڰ� ǥ�õǴ�� Ȯ��մϴ�.

�� ǿ�� б�, �� ˻� �� Ȯ�ζ�; ��մϴ�. �ٸ� Ȯ�ζ�: �� ؾ� �մϴ�.

�� ǿ�� ׸�; �� 丮 �׸� �ʵ忡 dc=example,dc=com b�̾ ǥ��մϴ�. �Ӽ� ��̺?�� userPassword �Ӽ�; ã�� ش� Ȯ�ζ�; �� մϴ�.

�ٸ� Ȯ�ζ�: �� ؾ� �մϴ�. ��ϰ� �� ۾�; ��Ϸx� �̸� �Ӹ��; �� Ӽ� ��; ��ĺ��8�� d��մϴ�.

ȣ��Ʈ �ǿ�� ߰�� = DNS ȣ��Ʈ �� ʵ忡 *.example.com; �Է��մϴ�. Ȯ��; �� ȭ ��ڸ� �ݽ4ϴ�.

�׼�� f�� â�� Ȯ��; ��ϴ�.

�׼�� f�� â�� Ͽ� �� ACI�� ߰��˴ϴ�.

ACI "Anonymous World"

�� ' Ʈ�� б� �� ˻� ��; �ο��ϴ� ��ÿ� ��Ͽ� �� d�� ׼�� ź��Ϸx� LDIF�� Ʒ� ��ɹ�; �ۼ��մϴ�.

aci: (targetfilter= "(!(unlistedSubscriber=yes))")
(targetattr="homePostalAddress || homePhone || mail")
(version 3.0; acl "Anonymous World"; allow (read, search)
userdn="ldap:///anyone";)

�� ou=subscribers, dc=example, dc=com �׸� ACI�� ߰��Ѵٰ� ��d�մϴ�. �� ׸� �� ƴϿ�� d�� unlistedSubscriber �Ӽ�� ִٰ� ��d�մϴ�. �� d�Ǵ� �� Ӽ� ��; ��8�� Ͽ� �� ڸ� ��͸��մϴ�. �� d�ǿ� �� ڼ�� : ��͸�; �� d; ��v�Ͻʽÿ�.

��丮 �� Ž�� Ʈ�� example.com �� Ʒ�� Subscribers �׸�; ��콺 �8�� ư8�� ˾� �޴�� ׼�� d; ��Ͽ� �׼�� f�� ڸ� ǥ��մϴ�.

�� ⸦ �� ׼�� f�� ⸦ ǥ��մϴ�.

��/�׷� �� ACI �̸� �ʵ忡 "Anonymous World"�� Է��մϴ�. �׼�� ο�� Ͽ� �� ڰ� ǥ�õǾ� �ִ�� Ȯ��մϴ�.

�� ǿ�� б� �� ˻� �� Ȯ�ζ�; ��մϴ�. �ٸ� Ȯ�ζ�: �� ؾ� �մϴ�.

�� ǿ�� ׸�; �� 丮 �׸� �ʵ忡 dc=subscribers, dc=example,dc=com b�̾ ǥ��մϴ�.

��' �׸� �� ʵ忡 �Ʒ� ��͸� �Է��մϴ�.

(!(unlistedSubscriber=yes))

�Ӽ� ��̺?�� homePhone, homePostalAddress �� mail �Ӽ�� ش��ϴ� Ȯ�ζ�; ��մϴ�.

�ٸ� Ȯ�ζ�: �� ؾ� �մϴ�. ��ϰ� �� ۾�; ��Ϸx� �� ư; �� ̺? �ִ� �� Ӽ�� Ȯ�ζ�; �� =, �̸� �Ӹ��; �� Ӽ�; ��ĺ��8�� d��ϰ� �ش� �Ӽ�; ��մϴ�.

Ȯ��; ��ϴ�.

�׼�� f�� â�� Ͽ� �� ACI�� ߰��˴ϴ�.

�� ׸� �� ׼�� ο�

��κ�� 丮 ��ڴ� �� ڰ� �ڽ�� ׸� �ִ� �Ϻ� �Ӽ�� ֵ�� d�մϴ�. example.com�� 丮 ��ڵ� ��ڰ� �ڽ�� й�ȣ, �� ȭ ��ȣ �� ּҸ� �� ֵ�� d�Ϸp� �մϴ�. ��⿡ ��ؼ�� ACI "Write example.com" �� մϴ�.

�� example.com�� då: ��ڰ� SSL; �� 丮�� ϸ� example.com Ʈ�� ڽ�� d�� Ʈ�� ֵ�� մϴ�. ��⿡ ��ؼ�� ACI "Write Subscribers" �� մϴ�.

ACI "Write example.com"

example.com ��鿡�� й�ȣ, �� ȭ ��ȣ �� ּҸ� ��Ʈ�� ִ� ��; �ο��Ϸx� LDIF�� Ʒ� ��ɹ�; �ۼ��մϴ�.


��	�� ; ��d�ϸ� ��ڿ�� Ӽ� ��; ��f�� ִ� ��ѵ� �ο��ϰ� �˴ϴ�.

aci: (targetattr="userPassword || homePhone ||
homePostalAddress")(version 3.0; acl "Write example.com";
allow (write) userdn="ldap:///self" and dns="*.example.com";)

�� ou=People,dc=example,dc=com �׸� ACI�� ߰��Ѵٰ� ��d�մϴ�.

��丮 �� Ž�� Ʈ�� ou=People,dc=example,dc=com �׸�; ��콺 �8�� ư8�� ˾� �޴�� ׼�� d; ��Ͽ� �׼�� f�� ڸ� ǥ��մϴ�.

�� ⸦ �� ׼�� f�� ⸦ ǥ��մϴ�.

��/�׷� �� ACI �̸� �ʵ忡 "Write example.com"; �Է��մϴ�. �׼�� ο�� Ͽ�� =; ��Ͻʽÿ�.

�� ڸ� ��Ͽ� f�� = �߰�� ϴ�.

�� ׷� �߰� ��ȭ ��ڰ� ǥ�õ˴ϴ�.

�˻� ��; Ư�� 8�� d�ϰ� �˻� �� Ͽ�� ڽ�; ��մϴ�.

�߰� ��ư; �� ׼�� ο�� Ͽ� �ڽ�; �߰��մϴ�.

Ȯ��; �� ׷� �߰� ��ȭ ��ڸ� �ݽ4ϴ�.

�� ǿ�� Ȯ�ζ�; ��մϴ�. �ٸ� Ȯ�ζ�: �� ؾ� �մϴ�.

�� ǿ�� ׸�; �� 丮 �׸� �ʵ忡 ou=People,dc=example,
dc=com; �Է��մϴ�. �Ӽ� ��̺?�� homePhone, homePostalAddress �� userPassword �Ӽ�� ش��ϴ� Ȯ�ζ�; ��մϴ�.

ȣ��Ʈ �ǿ�� ߰�� ȣ��Ʈ �� ߰� ��ȭ ��ڸ� ǥ��մϴ�. DNS ȣ��Ʈ �� ʵ忡 *.example.com; �Է��մϴ�. Ȯ��; �� ȭ ��ڸ� �ݽ4ϴ�.

�׼�� f�� â�� Ȯ��; ��ϴ�.

�׼�� f�� â�� Ͽ� �� ACI�� ߰��˴ϴ�.

ACI "Write Subscribers"

example.com ��ڿ�� й�ȣ, �� ȭ ��ȣ�� Ʈ�� ִ� ��; �ο��Ϸx� LDIF�� Ʒ� ��ɹ�; �ۼ��մϴ�.


��	�� ; ��d�ϸ� ��ڿ�� Ӽ� ��; ��f�� ִ� ��ѵ� �ο��ϰ� �˴ϴ�.

aci: (targetattr="userPassword || homePhone")
(version 3.0; acl "Write Subscribers"; allow (write)
userdn= "ldap://self" and authmethod="ssl";)

�� ou=subscribers,dc=example, dc=com �׸� aci�� ߰��Ѵٰ� ��d�մϴ�.

example.com ��ڿ��Դ� �� ּҿ� �� ׼�� 4ϴ�. �� Ӽ�: example.com�� ʼ� ��f d�� ߿��ϱ� �� ڰ� ��f�� ϵ�� ׼�� źε˴ϴ�.

��丮 �� Ž�� Ʈ�� example.com �� Ʒ�� Subscribers �׸�; ��콺 �8�� ư8�� ˾� �޴�� ׼�� d; ��Ͽ� �׼�� f�� ڸ� ǥ��մϴ�.

�� ⸦ �� ׼�� f�� ⸦ ǥ��մϴ�.

��/�׷� �� ACI �̸� �ʵ忡 "Write Subscribers"�� Է��մϴ�. �׼�� ο�� Ͽ�� =; ��մϴ�.

�� ڸ� ��Ͽ� f�� = �߰�� ϴ�.

�� ׷� �߰� ��ȭ ��ڰ� ǥ�õ˴ϴ�.

�˻� ��; Ư�� 8�� d�ϰ� �˻� �� Ͽ�� ڽ�; ��մϴ�.

�߰� ��ư; �� ׼�� ο�� Ͽ� �ڽ�; �߰��մϴ�.

Ȯ��; �� ׷� �߰� ��ȭ ��ڸ� �ݽ4ϴ�.

�� ǿ�� Ȯ�ζ�; ��մϴ�. �ٸ� Ȯ�ζ�: �� ؾ� �մϴ�.

�� ǿ�� ׸�; �� 丮 �׸� �ʵ忡 dc=subscribers, dc=example,dc=com b�̾ ǥ��մϴ�.

��' �׸� �� ʵ忡 �Ʒ� ��͸� �Է��մϴ�.

(!(unlistedSubscriber=yes))

�Ӽ� ��̺?�� homePhone, homePostalAddress �� mail �Ӽ�� ش��ϴ� Ȯ�ζ�; ��մϴ�.

SSL; ��Ͽ� ��ڸ� ��Ϸx� ��8�� ư; �� 8�� ȯ�ϰ� ��=�� LDIF ��ɹ�� authmethod=ssl; �߰��մϴ�.

(targetattr="homePostalAddress || homePhone || mail")
(version 3.0; acl "Write Subscribers"; allow (write)
(userdn= "ldap:///self") and authmethod="ssl";)

��; '�� и��Ǿ�; �� : ��ӵ� ��Դϴ�.

Ȯ��; ��ϴ�.

�׼�� f�� â�� Ͽ� �� ACI�� ߰��˴ϴ�.

�߿� ��ҿ� �� ׼�� f��

��丮�� d�Ǹ� ��Ͽ� �� ߿�� ̳� ��Ʈ��ũ �� 丮 �� Ǵ� �ٸ� �뵵�� ĺ�� ֽ4ϴ�.

�� , Ưd �ð�� Ͽ� �� Ʈ�� ִ� �ý�� κ� ��; �ĺ��Ͽ� superAdmin ��; �ۼ�� ֽ4ϴ�. �Ǵ� �1� vġ ��0; �̼�� Ưd ��Ʈ�� Ե� First Aid ��; �ۼ�� ֽ4ϴ�. �� d�Ǹ� �ۼ��ϴ� ��: �� Ҵ�; ��v�Ͻʽÿ�.

�߿�� Ǵ� ��Ͻ� ��ɿ� �� ; �ο��ϴ� �� ; �� ҿ� �� ׼�� f��ؾ� �մϴ�. �� , example.com�� : superAdmin ��; f�� ; �ڽ�� ׸� �߰�� ֽ4ϴ�. ��⿡ ��ؼ�� ACI "Roles" �� մϴ�.

ACI "Roles"

example.com ��鿡�� superAdmin ��; f�� ; �ڽ�� ׸� �߰�� ִ� ��; �ο��Ϸx� LDIF�� Ʒ� ��ɹ�; �ۼ��մϴ�.

aci: (targetattr="*") (targattrfilters="add=nsRoleDN:
(nsRoleDN !="cn=superAdmin, dc=example, dc=com")")
(version 3.0; acl "Roles"; allow (write)
userdn= "ldap:///self" and dns="*.example.com";)

�� ou=People,dc=example, dc=com �׸� ACI�� ߰��Ѵٰ� ��d�մϴ�.

��丮 �� Ž�� Ʈ�� example.com ��带 ��콺 �8�� ư8�� ˾� �޴�� ׼�� d; ��Ͽ� �׼�� f�� ڸ� ǥ��մϴ�.

�� ⸦ �� ׼�� f�� ⸦ ǥ��մϴ�.

��/�׷� �� ACI �̸� �ʵ忡 "Roles"�� Է��մϴ�. �׼�� ο�� Ͽ�� =; ��մϴ�.

�� ڸ� ��Ͽ� f�� = �߰�� ϴ�.

�� ׷� �߰� ��ȭ ��ڰ� ǥ�õ˴ϴ�.

�� ׷� �߰� ��ȭ ��ڿ�� ˻� ��; Ư�� 8�� d�ϰ� �˻� �� Ͽ�� ڽ�; ��մϴ�.

�߰� ��ư; �� ׼�� ο�� Ͽ� �ڽ�; �߰��մϴ�.

Ȯ��; �� ׷� �߰� ��ȭ ��ڸ� �ݽ4ϴ�.

�� ǿ�� Ȯ�ζ�; ��մϴ�. �ٸ� Ȯ�ζ�: �� ؾ� �մϴ�.

��ҿ� �� ͸� �ۼ��Ϸx� ��8�� ư; �� 8�� ȯ�մϴ�. LDIF ��ɹ�� κп� �Ʒ� ��; �߰��մϴ�.

(targattrfilters="add=nsRoleDN:
(nsRoleDN != "cn=superAdmin, dc=example,dc=com")")

LDIF ��ɹ�� =�� ǥ�õ˴ϴ�.

(targetattr="*") (targattrfilters="add=nsRoleDN:
(nsRoleDN != "cn=superAdmin, dc=example,dc=com")")
(target = "ldap:///dc=example,dc=com")
(version 3.0; acl "Roles"; allow (write)
(userdn = "ldap:///self") and (dns="*.example.com");)

Ȯ��; ��ϴ�.

�׼�� f�� â�� Ͽ� �� ACI�� ߰��˴ϴ�.

�׷쿡 b�̾ �� ü �׼�� ο�

��κ�� 丮�� Ưd ��; �ĺ��ϴ� �׷�� ֽ4ϴ�. �̷�� ׷쿡 ��丮�� Ǵ� �Ϻο� �� ü �׼�� ; �ο�� ֽ4ϴ�. �׷쿡 �׼�� ; ��ϸ� �� 8�� ׼�� ; ��d�� ʿ䰡 ��4ϴ�. ��ڸ� �׷쿡 �߰��ϱ⸸ �ϸ� �׼�� ; �ο�� ֽ4ϴ�.

�� , �Ϲ� ��ġ �wμ�� Ͽ� Directory Server�� ġ�ϸ� ��丮�� ü �׼�� ; �� ׷�� ⺻��8�� ۼ��˴ϴ�.

example.com�� Human Resources �׷�: ��丮�� ou=People �б⿡ �� ü �׼�� ; �� 8�Ƿ� �� 丮�� Ʈ�� ֽ4ϴ�. ��⿡ ��ؼ�� ACI "HR" �� մϴ�.

ACI "HR"

��丮�� employee �б⿡ �� ; HR �׷쿡 �ο��Ϸx� LDIF�� Ʒ� ��; ��մϴ�.

aci: (targetattr="*") (version 3.0; acl "HR"; allow (all)
groupdn= "ldap:///cn=HRgroup,ou=People,dc=example,dc=com";)

��丮 �� Ž�� Ʈ�� example.com �� Ʒ�� example.com-people �׸�; ��콺 �8�� ư8�� ˾� �޴�� ׼�� d; ��Ͽ� �׼�� f�� ڸ� ǥ��մϴ�.

�� ⸦ �� ׼�� f�� ⸦ ǥ��մϴ�.

��/�׷� �� ACI �̸� �ʵ忡 "HR"; �Է��մϴ�. �׼�� ο�� Ͽ�� =; ��մϴ�.

�� ڸ� ��Ͽ� f�� = �߰�� ϴ�.

�� ׷� �߰� ��ȭ ��ڰ� ǥ�õ˴ϴ�.

�˻� ��; �� ׷�8�� d�ϰ� �˻� �� ʵ忡 "Hrgroup"; �Է��մϴ�.

�� HR �׷��̳� �� ۼ��Ǿ� �ִٰ� ��d�մϴ�. �׷� �� ҿ� �� ڼ�� : 5��, "��̵� �� "�� v�Ͻʽÿ�.

�߰� ��ư; �� ׼�� ο�� Ͽ� HR �׷�; ǥ��մϴ�.

Ȯ��; �� ׷� �߰� ��ȭ ��ڸ� �ݽ4ϴ�.

�� ǿ�� ư; ��ϴ�.

�wϽ� ��; f�� Ȯ�ζ�� õ˴ϴ�.

Ȯ��; ��ϴ�.

�׼�� f�� â�� Ͽ� �� ACI�� ߰��˴ϴ�.

�׷� �׸� �߰� �� f �� ο�

�Ϻ� ��: �� ȿ2��; ��̰� �� Ȱ�¼� ��; �ϴ� �׸�; Ʈ�� ۼ�� ֵ�� մϴ�.

�� example.com�� ״Ͻ�, ��, ��Ű, �� ÷�� Ŭ��8�� Ȱ�� 米 �� 8�� example.com�� ̶�� Ŭ��; ��Ÿ�� ׷� �׸�; �ۼ�� ֽ4ϴ�. ��⿡ ��ؼ�� ACI "Create Group" �� մϴ�. example.com�� : �̷�� ׷� �� ϳ�� ֽ4ϴ�. ��⿡ ��ؼ�� ڰ� �׷쿡 �ڽ�; �߰� �Ǵ� f�� ֵ�� ACI "Group Members"�� մϴ�. �� ׷� ��/�ڸ� �׷� �׸�; ��d�ϰų� ��f�� ֽ4ϴ�. ��⿡ ��ؼ�� ACI "Delete Group" �� մϴ�.

ACI "Create Group"

example.com ��鿡�� ou=Social Committee �б⿡ �׷� �׸�; �ۼ�� ִ� ��; �ο��Ϸx� LDIF�� Ʒ� ��ɹ�; �ۼ��մϴ�.

aci: (target="ldap:///ou=social committee,dc=example,dc=com")
(targetattr="*")(targattrfilters="add=objectClass:
(|(objectClass=groupOfNames)(objectClass=top))")
(version 3.0; acl "Create Group"; allow (read,search,add)
userdn= "ldap:///uid=*,ou=People,dc=example,dc=com")
and dns="*.example.com";)


��	�� ACI�� ; �ο�� ʱ� �� ׸� �ۼ��ڰ� �׸�; ��d�� 4ϴ�. �� ̸鿡�� "top" ��; �߰��ϹǷ� targattrfilters Ű��忡 objectclass=top; ��d�ؾ� �մϴ�.

�� ou=social committee, dc=example,dc=com �׸� ACI�� ߰��Ѵٰ� ��d�մϴ�.

��丮 �� Ž�� Ʈ�� example.com �� Ʒ�� Social Committee �׸�; ��콺 �8�� ư8�� ˾� �޴�� ׼�� d; ��Ͽ� �׼�� f�� ڸ� ǥ��մϴ�.

�� ⸦ �� ׼�� f�� ⸦ ǥ��մϴ�.

��/�׷� �� ACI �̸� �ʵ忡 "Create Group"; �Է��մϴ�. �׼�� ο�� Ͽ�� =; ��մϴ�.

�� ڸ� ��Ͽ� f�� = �߰�� ϴ�.

�� ׷� �߰� ��ȭ ��ڰ� ǥ�õ˴ϴ�.

�˻� ��; Ư�� 8�� d�ϰ� �˻� �� Ͽ�� ڸ� ��մϴ�.

�߰� ��ư; �� ׼�� ο�� Ͽ� �� ڸ� �߰��մϴ�.

Ȯ��; �� ׷� �߰� ��ȭ ��ڸ� �ݽ4ϴ�.

�� ǿ�� б�, �˻� �� ߰� Ȯ�ζ�; ��մϴ�. �ٸ� Ȯ�ζ�: �� ؾ� �մϴ�.

�� ǿ�� ׸�; �� 丮 �׸� �ʵ忡 ou=social committee, dc=example,dc=com b�̾ ǥ��մϴ�.

�� ' Ʈ�� ׷� �׸� �߰�� ֵ�� ͸� �ۼ��Ϸx� ��8�� ư; �� 8�� ȯ�մϴ�. LDIF ��ɹ�� κп� �Ʒ� ��; �߰��մϴ�.

(targattrfilters="add=objectClass:(objectClass=groupOfNames)
|(objectClass=top)")

LDIF ��ɹ�� =�� ǥ�õ˴ϴ�.

(targetattr = "*") (targattrfilters="add=objectClass:(objectClass=groupOfNames)
|(objectClass=top)") (target="ldap:///ou=social committee,dc=example,dc=com) (version 3.0; acl "Create Group";
allow (read,search,add) (userdn= "ldap:///all") and
(dns="*.example.com"); )

Ȯ��; ��ϴ�.

�׼�� f�� â�� Ͽ� �� ACI�� ߰��˴ϴ�.

ACI "Delete Group"

example.com ��鿡�� ou=Social Committee �б⿡�� ׷� �׸�; ��d�ϰų� ��f�� ִ� ��; �ο��Ϸx� LDIF�� Ʒ� ��ɹ�; �ۼ��մϴ�.

aci: (target="ou=social committee,dc=example,dc=com)
(targetattr "*")
(targattrfilters="del=objectClass:(objectClass=groupOfNames)")
(version 3.0; acl "Delete Group"; allow (write,delete)
userattr="owner#GROUPDN";)

�� ou=social committee, dc=example,dc=com �׸� aci�� ߰��Ѵٰ� ��d�մϴ�.

�ܼ�; �� ͸� �ۼ��ϰ� �׷� ��/��; Ȯ��ؾ� �ϱ� �� ACI�� ۼ��ϴ� �� ȿ�� ƴմϴ�.

�׷��̳� ��ҿ� v�Ǻ� �׼�� ο�

�Ϲ��8�� ׷��̳� ��ҿ� ��丮�� ׼�� ; �ο��ϴ� �� ִ� ��ڸ� ��Ī�ϴ� ħ��ڵ�κ�� ش� ��; ��ȣ�ؾ� �մϴ�. �� ׷��̳� ��ҿ� �߿�� ׼�� ; �ο��ϴ� �׼�� f�� Ģ�� : v�� ϴ�.

�� , example.com: �ڻ簡 ȣ�� 񽺸� f��ϴ� �� ȸ�� Company333�� Company999�� 丮 �� ; �ۼ��߽4ϴ�. example.com: �� ȸ�簡 �ڻ� ��͸� ��ϰ� �׼�� f�� Ģ; �� ִ� ��ÿ� ħ��ڷκ�� ͸� ��ȣ�� ֱ⸦ ��մϴ�. �̷� ��/�� Company333�� Company999�� =�� : v�ǿ� ��յ� �� 丮 Ʈ�� ش� �б⿡ �� ü ��; ��4ϴ�.

�̷�� v�ǿ� ��ؼ�� ȸ�纰 ACI(ACI "Company333" �� ACI "Company999")�� մϴ�. �� ACI�� Ʒ� �� "Company333" ACI�� ؼ�� մϴ�.

ACI "Company333"

'�� õ� v��; ��f�� Company333�� 丮�� б⿡ �� ü �׼�� ; �ο��Ϸx� LDIF�� Ʒ� ��ɹ�; �ۼ��մϴ�.

aci: (target="ou=Company333,ou=corporate-clients,dc=example,dc=com")
(targetattr = "*") (version 3.0; acl "Company333"; allow (all)
(roledn="ldap:///cn=DirectoryAdmin,ou=Company333,
ou=corporate-clients,dc=example,dc=com") and (authmethod="ssl")
and (dayofweek="Mon,Tues,Wed,Thu") and (timeofday >= "0800" and
timeofday <= "1800") and (ip="255.255.123.234"); )

�� ou=Company333, ou=corporate-clients,dc=example,dc=com �׸� ACI�� ߰��Ѵٰ� ��d�մϴ�.

��丮 �� Ž�� Ʈ�� example.com �� Ʒ�� Company333 �׸�; ��콺 �8�� ư8�� ˾� �޴�� ׼�� d; ��Ͽ� �׼�� f�� ڸ� ǥ��մϴ�.

�� ⸦ �� ׼�� f�� ⸦ ǥ��մϴ�.

��/�׷� �� ACI �̸� �ʵ忡 "Company333"; �Է��մϴ�. �׼�� ο�� Ͽ�� =; ��մϴ�.

�� ڸ� ��Ͽ� f�� = �߰�� ϴ�.

�� ׷� �߰� ��ȭ ��ڰ� ǥ�õ˴ϴ�.

�˻� ��; �� ׷�8�� d�ϰ� �˻� �� ʵ忡 "DirectoryAdmin"; �Է��մϴ�.

�� cn�� DirectoryAdmin�� ۼ��Ǿ� �ִٰ� ��d�մϴ�.

�߰� ��ư; �� ׼�� ο�� Ͽ� �� ; ǥ��մϴ�.

Ȯ��; �� ׷� �߰� ��ȭ ��ڸ� �ݽ4ϴ�.

�� ǿ�� ư; ��ϴ�.

�� ǿ�� ׸�; �� 丮 �׸� �ʵ忡 ou=Company333,
ou=corporate-clients,dc=example,dc=com b�̾ ǥ��մϴ�.

ȣ��Ʈ �ǿ�� ߰�� ȣ��Ʈ �� ߰� ��ȭ ��ڸ� ǥ��մϴ�. IP �ּ� ȣ��Ʈ �� ʵ忡 255.255.123.234�� Է��մϴ�. Ȯ��; �� ȭ ��ڸ� �ݽ4ϴ�.

IP �ּҴ� Company333 ��ڰ� example.com ��丮�� ϴ� ȣ��Ʈ �ý�� /ȿ�� IP �ּҿ�� մϴ�.

�ð� �ǿ�� Ͽ�� ϱ��, �� 8�ÿ�� 6�ñ�� ش��ϴ� �ð� ��; ��մϴ�.

�� ð� ��; ��d�ϴ� �޽�� ̺� �Ʒ�� Ÿ��ϴ�.

Company333 ��ڷκ�� SSL ��; ��Ϸx� ��8�� ư; �� 8�� ȯ�մϴ�. LDIF ��ɹ�� κп� �Ʒ� ��; �߰��մϴ�.

and(authmethod="ssl")

LDIF ��ɹ�� =�� ǥ�õ˴ϴ�.

aci: (targetattr = "*")(target="ou=Company333,
ou=corporate-clients,dc=example,dc=com") (version 3.0; acl
"Company333"; allow (all) (roledn="ldap:///cn=DirectoryAdmin,
ou=Company333,ou=corporate-clients, dc=example,dc=com") and
(dayofweek="Mon,Tues,Wed,Thu") and (timeofday >= "0800" and
timeofday <= "1800") and (ip="255.255.123.234") and
(authmethod="ssl"); )

Ȯ��; ��ϴ�.

�׼�� f�� â�� Ͽ� �� ACI�� ߰��˴ϴ�.

�׼�� ź�

��丮�� ߿�� d�� 8�� 丮�� ׼�� ü��8�� ź�� ֽ4ϴ�.

�� , example.com: �� ڰ� �ڽ�� ׸񿡼� �� ð��̳� �� ܰ�� : ��f d�� ; �� ֵ�� d�� ׼�� 8�� ź��մϴ�. ��⿡ ��ؼ�� ACI "Billing Info Read" �� ACI "Billing Info Deny"�� մϴ�.

ACI "Billing Info Read"

��ڿ�� ڽ�� ׸񿡼� ��f d�� ; �� ִ� ��; �ο��Ϸx� LDIF�� Ʒ� ��ɹ�; �ۼ��մϴ�.

aci: (targetattr="connectionTime || accountBalance")
(version 3.0; acl "Billing Info Read"; allow (search,read)
userdn="ldap:///self";)

�� Ű�� ش� �Ӽ�� ۼ��Ǿ� ��8�� ou=subscribers,dc=example,
dc=com �׸� ACI�� ߰��Ѵٰ� ��d�մϴ�.

��丮 �� Ž�� Ʈ�� example.com �� Ʒ�� Subscribers �׸�; ��콺 �8�� ư8�� ˾� �޴�� ׼�� d; ��Ͽ� �׼�� f�� ڸ� ǥ��մϴ�.

�� ⸦ �� ׼�� f�� ⸦ ǥ��մϴ�.

��/�׷� �� ACI �̸� �ʵ忡 "Billing Info Read"�� Է��մϴ�. �׼�� ο�� Ͽ�� =; ��մϴ�.

�� ڸ� ��Ͽ� f�� = �߰�� ϴ�.

�� ׷� �߰� ��ȭ ��ڰ� ǥ�õ˴ϴ�.

�� ׷� �߰� ��ȭ ��ڿ�� ˻� ��; Ư�� 8�� d�ϰ� �˻� �� Ͽ�� ڽ�; ��մϴ�.

�߰� ��ư; �� ׼�� ο�� Ͽ� �ڽ�; �߰��մϴ�.

Ȯ��; �� ׷� �߰� ��ȭ ��ڸ� �ݽ4ϴ�.

�� ǿ�� ˻� �� б� �� Ȯ�ζ�; ��մϴ�. �ٸ� Ȯ�ζ�: �� ؾ� �մϴ�.

�� ǿ�� ׸�; �� 丮 �׸� �ʵ忡 ou=subscribers, dc=example,dc=com b�̾ ǥ��մϴ�. �Ӽ� ��̺?�� connectionTime �Ӽ�� accountBalance �Ӽ�� ش��ϴ� Ȯ�ζ�; ��մϴ�.

�� connectionTime �Ӽ�� accountBalance �Ӽ�� Ű�� ߰��Ǿ� �ִٰ� ��d�մϴ�.

Ȯ��; ��ϴ�.

�׼�� f�� â�� Ͽ� �� ACI�� ߰��˴ϴ�.

ACI "Billing Info Deny"

��ڿ�� ڽ�� ׸񿡼� ��f d�� d�� ִ� ��; �ο��Ϸx� LDIF�� Ʒ� ��ɹ�; �ۼ��մϴ�.

aci: (targetattr="connectionTime || accountBalance")
(version 3.0; acl "Billing Info Deny";
deny (write) userdn="ldap:///self";)

�� Ű�� ش� �Ӽ�� ۼ��Ǿ� ��8�� ou=subscribers,dc=example,dc=com �׸� ACI�� ߰��Ѵٰ� ��d�մϴ�.

��丮 �� Ž�� Ʈ�� example.com �� Ʒ�� Subscribers �׸�; ��콺 �8�� ư8�� ˾� �޴�� ׼�� d; ��Ͽ� �׼�� f�� ڸ� ǥ��մϴ�.

�� ⸦ �� ׼�� f�� ⸦ ǥ��մϴ�.

��/�׷� �� ACI �̸� �ʵ忡 "Billing Info Deny"�� Է��մϴ�. �׼�� ο�� Ͽ�� =; ��մϴ�.

�� ڸ� ��Ͽ� f�� = �߰�� ϴ�.

�� ׷� �߰� ��ȭ ��ڰ� ǥ�õ˴ϴ�.

�� ׷� �߰� ��ȭ ��ڿ�� ˻� ��; Ư�� 8�� d�ϰ� �˻� �� Ͽ�� ڽ�; ��մϴ�.

�߰� ��ư; �� ׼�� ο�� Ͽ� �ڽ�; �߰��մϴ�.

Ȯ��; �� ׷� �߰� ��ȭ ��ڸ� �ݽ4ϴ�.

�� ǿ�� Ȯ�ζ�; ��մϴ�. �ٸ� Ȯ�ζ�: �� ؾ� �մϴ�.

��8�� ư; �� ǥ�õ� LDIF ��ɹ�� allow�� deny�� մϴ�.

�� connectionTime �Ӽ�� accountBalance �Ӽ�� Ű�� ߰��Ǿ� �ִٰ� ��d�մϴ�.

Ȯ��; ��ϴ�.

�׼�� f�� â�� Ͽ� �� ACI�� ߰��˴ϴ�.

��͸�; �� d

��丮�� л�� ׸� �� ׼�� ϴ� �׼�� f� ��d�Ϸx� ��͸� ��Ͽ� ��; ��d�� ֽ4ϴ�. �˻� ��ʹ� �׼�� Ǵ� ��ü�� ̸�; ��b ��d�� 8�Ƿ� Ư�� 丮�� Ҽ�� Ǽ�� ߸�� ü�� ׼�� ; �ο��ϰų� �ź�� ֽ4ϴ�. �� ͸� �� 丮 �� ׼�� f�� fa; �ذ��ϱ� ��ƴٴ� ��a�� ֽ4ϴ�.

��ڰ� �׷쿡 �ڽ�; �߰� �Ǵ� f�� ֵ��

��κ�� 丮�� ڰ� �׷쿡 �ڽ�; �߰��ϰų� f�� ֵ�� ϴ� ACI�� d�մϴ�. �� , ��ڰ� �� Ͽ� �ڽ�; �߰��ϰų� f�� ֵ�� ̷�� ACI�� d�� ֽ4ϴ�.

example.com ��: ou=social committee ��' Ʈ�� ׷� �׸� �ڽ�; �߰�� ֽ4ϴ�. ��⿡ ��ؼ�� ACI "Group Members" �� մϴ�.

ACI "Group Members"

example.com ��鿡�� ׷쿡 �ڽ�; �߰��ϰų� ��f�� ִ� ��; �ο��Ϸx� LDIF�� Ʒ� ��ɹ�; �ۼ��մϴ�.

aci: (targettattr="member")(version 3.0; acl "Group Members";
allow (selfwrite)
(userdn= "ldap:///uid=*,ou=People,dc=example,dc=com") ;)

�� ou=social committee, dc=example,dc=com �׸� ACI�� ߰��Ѵٰ� ��d�մϴ�.

��丮 �� Ž�� Ʈ�� example.com �� Ʒ�� People �׸�; ��콺 �8�� ư8�� = �˾� �޴�� ׼�� d; ��Ͽ� �׼�� f�� ڸ� ǥ��մϴ�.

�� ⸦ �� ׼�� f�� ⸦ ǥ��մϴ�.

��/�׷� �� ACI �̸� �ʵ忡 "Group Members"�� Է��մϴ�. �׼�� ο�� Ͽ�� =; ��մϴ�.

�� ڸ� ��Ͽ� f�� = �߰�� ϴ�.

�� ׷� �߰� ��ȭ ��ڰ� ǥ�õ˴ϴ�.

�� ׷� �߰� ��ȭ ��ڿ�� ˻� ��; Ư�� 8�� d�ϰ� �˻� �� Ͽ�� ڸ� ��մϴ�.

�߰� ��ư; �� ׼�� ο�� Ͽ� �� ڸ� �߰��մϴ�.

Ȯ��; �� ׷� �߰� ��ȭ ��ڸ� �ݽ4ϴ�.

�� ǿ�� ü �� Ȯ�ζ�; ��մϴ�. �ٸ� Ȯ�ζ�: �� ؾ� �մϴ�.

�� 丮 �׸� �ʵ忡 dc=example,dc=com b�̾ �Է��մϴ�. �Ӽ� ��̺?�� member �Ӽ�� ش��ϴ� Ȯ�ζ�; ��մϴ�.

Ȯ��; ��ϴ�.

�׼�� f�� â�� Ͽ� �� ACI�� ߰��˴ϴ�.

��ǥ�� ִ� DN�� d��

��ǥ�� ִ� DN: LDIF ACI ��ɹ�� Ư�� ó��ؾ� �մϴ�. ACI ��ɹ�� ε� ��Ģ �κп�� (\)�� Ͽ� ��ǥ�� ̽��ؾ� �մϴ�. �Ʒ� �� մϴ�.

dn: o=example.com Bolivia\, S.A.
objectClass: top
objectClass: organization
aci: (target="ldap:///o=example.com Bolivia\,S.A.")
(targetattr="*") (version 3.0; acl "aci 2"; allow (all)
groupdn = "ldap:///cn=Directory Administrators,
o=example.com Bolivia\, S.A.";)

�wϽ� �� ACI ��

�wϽ� �� : �ڽ�� ̵� ��Ͽ� ��丮�� ε��ϴ� ��ڿ�� wϽ� ��; �� ٸ� �� ; �ο��ϴ� Ư�� Դϴ�.

Ŭ��̾�Ʈ �?� �wα׷�� d ��ڿ� �� ׼�� ; ��Ͽ� Accounting ��' Ʈ�� ׼��Ϸx� ��=�� : v��; ��w�ؾ� �մϴ�.

�� ACI�� 丮�� 8�� MoneyWizAcctSoftware Ŭ��̾�Ʈ �?� �wα׷�: ��丮�� ε��Ͽ� �wϽ� DN�� ׼�� ʿ�� ldapsearch �Ǵ� ldapmodify�� : LDAN ��; �� ֽ4ϴ�.

'�� Ŭ��̾�Ʈ�� ldapsearch ��; ��Ϸx� ��ɿ� ��=�� : ��Ʈ�� Ե˴ϴ�.

ldapsearch \
-D "uid=MoneyWizAcctSoftware,ou=Applications,dc=example,dc=com"\
-w password\
-y "uid=AcctAdministrator,ou=Administrators,dc=example,dc=com"\ ...

Ŭ��̾�Ʈ�� ڽ�8�� ε�� wϽ� �׸�� ο��Ǹ� �wϽ� �׸�� й�ȣ�� f�� ʿ䰡 ��4ϴ�.


��	��丮 �� DN: �wϽ� DN8�� 8�� 丮 ��ڿ�� wϽ� ��; �ο�� 4ϴ�. �� Directory Server�� ε� �۾�� wϽ� �� f� �� ̻� ��ϸ� Ŭ��̾�Ʈ �?� �wα׷�� 7� ��ȯ�ǰ� ��ε� �õ�� մϴ�.

/ȿ ��

��丮 �׸� �� ׼�� då; /�� d�� ACI�� ȿ� ��ġ�� ; Ȯ�� ִٸ� ū �� ˴ϴ�. Directory Server�� x ACI�� ϰ� ��d�� ׸�� Ưd ��ڿ�� ο��Ǵ� /ȿ ��; �� ֽ4ϴ�.

Directory Server�� ˻� �۾� �� ִ� "/ȿ �� " ��Ʈ�ѿ� �4��Ͽ� �׸�� Ӽ�� /ȿ �� d�� ˻� �� ȯ�մϴ�. �� ߰� d�� ׸� �� ׸� �ִ� �� Ӽ�� б� �� Ե˴ϴ�. �˻� �� ε� DN�̳� �� DN�� ; ��û�� 8�Ƿ� ��ڴ� ��丮 �� ; �׽�Ʈ�� ֽ4ϴ�.

/ȿ �� : LDAP ��Ʈ��; ��մϴ�. �� b�̾ �� /ȿ ��; ��x� �� då �� ó�� då�� Ʈ��; Ȱ��ȭ�ؾ� �մϴ�. �� ε�� wϽ� ��̵� /ȿ �� Ӽ�� ׼�� ־�� մϴ�.

/ȿ �� Ʈ�ѿ� �� ׼�� f��

/ȿ �� ü�� 丮 �۾��̹Ƿ� ��ȣ �� f�� ʿ��մϴ�.

�� d�� 丮 �� ׼�� f��Ϸx� getEffectiveRights �Ӽ�� ⺻ ACI�� d�ϰ� getEffectiveRightsInfo �Ӽ�� ACI�� մϴ�.

�� Ʒ�� ACI�� ϸ� ��丮 �� ׷�� /ȿ ��; ��; �� ֽ4ϴ�.

aci: (targetattr != "aci")(version 3.0; acl "getEffectiveRights"; allow(all) groupdn = "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)

/ȿ �� Ʈ��

ldapsearch ��; -J "1.3.6.1.4.1.42.2.27.9.5.2" �ɼǰ� �Բ� ��Ͽ� "/ȿ �� " ��Ʈ��; ��d�մϴ�. �⺻��8�� Ʈ��: �׸�� Ӽ�� ε� DN �׸�� /ȿ ��; �˻� �� ȯ�մϴ�. �⺻ ��; ��Ϸx� ��=�� : �ɼ�; ��մϴ�.

-c �� -X �Ӽ� �� θ� �� "/ȿ �� " ��Ʈ�� OID�� -J �ɼ�� Ϲ��8�� d�ǹǷ� �� d�� ʿ䰡 ��4ϴ�. /ȿ �� Ʈ�ѿ� NULL ��; ��d�ϸ� �� ڿ� �� Ѱ� �� ldapsearch �۾�� ȯ�ϴ� �Ӽ� �� ׸� �� ˻�˴ϴ�.

�׷� ��=, �� Ѹ� �� ƴϸ� �̷�� �� ο� �Ǵ� �źεǴ�� ϴ� �ڼ�� α� d�� մϴ�. �� aclRights �Ǵ� aclRightsInfo�� ˻� �� ȯ�� Ӽ�� ߰��Ͽ� d�� /��; ��d�մϴ�. �� d�� ڼ�� α� d�� ߺ�� Ӽ�; �� û�Ͽ� /ȿ �� d�� ; �� ֽ4ϴ�.

/ȿ �� : �˻� �۾�; �� ڷκ�� ׼�� f� ��; �ִ� ��Ÿ �Ű� ��(�ð�, �� , �ý�� ּ�, �̸� ��)�� մϴ�.


��	aclRights �� aclRightsInfo �Ӽ�: �� ۵� �� Ӽ�8�� մϴ�. �� Ӽ�: ��丮�� 8�Ƿ� ��8�� û�ؾ߸� ��ȯ�˴ϴ�. Directory Server�� "/ȿ �� " ��Ʈ�ѿ� �4��Ͽ� �� Ӽ�; ��մϴ�. �̷� ��/�� Ӽ�: �� ~�� ˻� �۾��̳� ��Ϳ� �� 4ϴ�.

�Ʒ� �� �� ڰ� ��丮�� ڽ�� ; �� ִ�� ݴϴ�. �� 1: �� ο�� ;, 0: �� źε� ��; �ǹ��մϴ�.

ldapsearch -J "1.3.6.1.4.1.42.2.27.9.5.2" \
           -h rousseau.example.com -p 389 \
           -D "uid=cfuente,ou=People,dc=example,dc=com" \
           -w password -b "dc=example,dc=com" \
           "(objectclass=*)" aclRights

dn: dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0

dn: ou=Groups, dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0

dn: ou=People, dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0

dn: cn=Accounting Managers,ou=groups,dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0

dn: cn=HR Managers,ou=groups,dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0

dn: uid=bjensen,ou=People, dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0

dn: uid=cfuente, ou=People, dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:1,proxy:0

�� Carla Fuente�� ּ�� б� �� ִ� ��丮 �׸�; ��ָ� �ڽ�� ׸�; ��d�� =; ǥ��մϴ�. /ȿ �� Ʈ��: �Ϲ� �׼�� ; �� 8�Ƿ� ��ڴ� �б� �� ׸�; �� 4ϴ�. �Ʒ� �� 丮 ��ڴ� Carla Fuente�� б� �� ׸�; �� ֽ4ϴ�.

ldapsearch -h rousseau.example.com -p 389 \
           -D "cn=Directory Manager" -w password \
           -c "dn: uid=cfuente,ou=People,dc=example,dc=com" \
           -b "dc=example,dc=com" \
           "(objectclass=*)" aclRights

dn: dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0

dn: ou=Groups, dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0

dn: cn=Directory Administrators, dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:0,write:0,proxy:0

dn: ou=Special Users,dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:0,write:0,proxy:0

dn: ou=People, dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0

dn: cn=Accounting Managers,ou=groups,dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0

dn: cn=HR Managers,ou=groups,dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0

dn: uid=bjensen,ou=People, dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0

dn: uid=cfuente, ou=People, dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:1,proxy:0

'�� 丮 ��ڴ� Carla Fuente�� 丮 Ʈ�� Special Users�� Directory Administrators �б⸦ �� ٴ� ��; Ȯ�� ֽ4ϴ�. �Ʒ� �� 丮 ��ڴ� Carla Fuente�� ڽ�� ׸� �ִ� mail �Ӽ�� manager �Ӽ�; ��d�� ٴ� ��; Ȯ�� ֽ4ϴ�.

ldapsearch -h rousseau.example.com -p 389 \
           -D "cn=Directory Manager" -w password \
           -c "dn: uid=cfuente,ou=People,dc=example,dc=com" \
           -b "dc=example,dc=com" \
           "(uid=cfuente)" aclRights "*"

aclRights;attributeLevel;mail: search:1,read:1,compare:1,
write:0,selfwrite_add:0,selfwrite_delete:0,proxy:0
mail: cfuente@example.com

aclRights;attributeLevel;uid: search:1,read:1,compare:1,
write:1,selfwrite_add:1,selfwrite_delete:1,proxy:0
uid: cfuente

aclRights;attributeLevel;givenName: search:1,read:1,compare:1,
write:1,selfwrite_add:1,selfwrite_delete:1,proxy:0
givenName: Carla

aclRights;attributeLevel;sn: search:1,read:1,compare:1,
write:1,selfwrite_add:1,selfwrite_delete:1,proxy:0
sn: Fuente

aclRights;attributeLevel;cn: search:1,read:1,compare:1,
write:1,selfwrite_add:1,selfwrite_delete:1,proxy:0
cn: Carla Fuente

aclRights;attributeLevel;userPassword: search:0,read:0,
compare:0,write:1,selfwrite_add:1,selfwrite_delete:1,proxy:0
userPassword: {SSHA}wnbWHIq2HPiY/5ECwe6MWBGx2KMiZ8JmjF80Ow==

aclRights;attributeLevel;manager: search:1,read:1,compare:1,
write:0,selfwrite_add:0,selfwrite_delete:0,proxy:0
manager: uid=bjensen,ou=People,dc=example,dc=com

aclRights;attributeLevel;telephoneNumber: search:1,read:1,compare:1,
write:1,selfwrite_add:1,selfwrite_delete:1,proxy:0
telephoneNumber: (234) 555-7898

aclRights;attributeLevel;objectClass: search:1,read:1,compare:1,
write:1,selfwrite_add:1,selfwrite_delete:1,proxy:0
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson

/ȿ ��

�� d��

aclRights;entrylevel	�׸� �� d�� f��
aclRights;attributelevel	�Ӽ� �� d�� f��
aclRightsInfo;entrylevel	�׸� �� α� d�� f��
aclRightsInfo;attributelevel	�Ӽ� �� α� d�� f��

�� ׸� �� : add, delete, read, write, import, export �� proxy�Դϴ�. �� Ӽ� �� ѿ�� read, search, compare, write, selfwrite_add, selfwrite_delete �� proxy�� ֽ4ϴ�.

Write, Selfwrite_add �� Selfwrite_delete ��

Directory Server 5.2�� write �Ӽ� �� Ѹ� "?" ��; �� ֽ4ϴ�. add �� delete ��; ��Ͽ� �߰��ϰ� ��f�� ִ� �׸�: �ش� �׸�� Ӽ� �� ޶��ϴ�. "?"�� ȯ�ϴ� ��, ldapsearch �۾�� ׸� �� (0 �Ǵ� 1)�� ȯ�˴ϴ�.

write �� 1�̸� �� dn ��; f�� ߰� �� f ldapmodify �۾�; �� ֽ4ϴ�. write �� 0�̸� �� dn ��; f�� ߰� �Ǵ� ��f ldapmodify �۾�; �� 4ϴ�. �� dn �� Ǵ� ��: selfwrite �� ϳ�� selfwrite_add �Ǵ� selfwrite_delete�� 8�� ȯ�˴ϴ�.

ACI�� ̷�� ; ��ϴ� selfwrite-add �� selfwrite-delete �Ӽ� �� 8�Ƿ� ACI ��: ��d �۾�� �� �߰� �κ��̳� �� ��f �κп� �� selfwrite ��Ѹ� ��ڿ�� ο�� ֽ4ϴ�. selfwrite ��; ��Ͽ� ��d�ϴ� �Ӽ� �� dn�Դϴ�. write �� d�ϴ� �Ӽ� �� d�ǵǾ� �� 8�Ƿ� �̷� ��8�� ȭ�� 4ϴ�.

targattrfilters ACI�� /ȿ �� d�� "?" �� ǥ�õǸ� �α� d�� ڼ�� d�� Ȯ��ؾ� �մϴ�. write, selfwrite_add �� selfwrite_delete �� ȣ ~�Ӽ� ��踦 ��Ͽ�, ǥ 6-3�� v�� ǹ��ϴ� �ٸ� ��մϴ�.

ǥ 6-3 /ȿ �� ȣ ~�Ӽ�
��	selfwrite_ add	selfwrite_ delete	/ȿ ��
0	0	0	�� Ӽ��  �� ߰��ϰų� ��f�� 4ϴ�.
0	0	1	�� dn �� f�� ֽ4ϴ�.
0	1	0	�� dn �� ߰�� ֽ4ϴ�.
0	1	1	�� dn �� ߰��ϰų� ��f�� ֽ4ϴ�.
1	0	0	�� dn; f�� ; �߰��ϰų� ��f�� ֽ4ϴ�.
1	0	1	�� dn; �� �� ; ��f�� 8��, �� dn; f�� �� ; �߰�� ֽ4ϴ�.
1	1	0	�� dn; �� �� ; �߰�� 8��, �� dn; f�� �� ; ��f�� ֽ4ϴ�.
1	1	1	�� Ӽ�� ; �߰��ϰų� ��f�� ֽ4ϴ�.
?	0	0	�� dn ��; �߰��ϰų� ��f�� , �ٸ� ��; �߰��ϰų� ��f�� ֽ4ϴ�. write ��ѿ� �� ڼ�� : �α� d�� v�Ͻʽÿ�.
?	0	1	�� dn ��; ��f�� ְ� �߰�� 8��, �ٸ� ��; �߰��ϰų� ��f�� ֽ4ϴ�. write ��ѿ� �� ڼ�� : �α� d�� v�Ͻʽÿ�.
?	1	0	�� dn ��; �߰�� ְ� ��f�� 8��, �ٸ� ��; �߰��ϰų� ��f�� ֽ4ϴ�. write ��ѿ� �� ڼ�� : �α� d�� v�Ͻʽÿ�.
?	1	1	�� dn ��; �߰��ϰ� ��f�� 8��, �ٸ� �� ߰�� d�ϰų� ��f�� d�� ֽ4ϴ�. write ��ѿ� �� ڼ�� : �α� d�� v�Ͻʽÿ�.

�α� d��

/ȿ �� α� d�� Ͽ� �׼�� f�� fa; �ľ��ϰ� �� ֽ4ϴ�. �α� d�� ׼�� f� �� Ǵ� �źε� ��/�� Ÿ�� ׼�� f�� ๮�� ԵǾ� ��8��, �̸� acl_summary�� մϴ�. �׼�� f�� ๮: ��= d�� f��մϴ�.

�׼�� Ǵ� �źεǾ��

�ο��

�� ׸�

�� Ӽ�� ̸�

��û�Ǵ� �� f

�wϽÿ� �� û�� , �wϽÿ� �� û�� wϽ� �� DN

�׼�� Ǵ� �ź��ϴ� ��/(�� ߿��). �� /�� ǥ 6-4�� ŵǾ� �ֽ4ϴ�.

ǥ 6-4 /ȿ �� α� d�� / ��
�α� d�� /	��
no reason available	�׼�� Ǵ� �źε� ��/�� ϱ� '�� ִ� ��/�� 4ϴ�.
no allow acis	ACI�� 8�Ƿ� �׼�� źε˴ϴ�.
result cached deny	ĳ�õ� d�� ׼�� źΰ� ��d�Ǿ�4ϴ�.
result cached allow	ĳ�õ� d�� ׼�� d�Ǿ�4ϴ�.
evaluated allow	ACI �򰡸� �� ׼�� d�Ǿ�4ϴ�. ACI �̸�: �α� d�� ԵǾ� �ֽ4ϴ�.
evaluated deny	ACI �򰡸� �� ׼�� źΰ� ��d�Ǿ�4ϴ�. ACI �̸�: �α� d�� ԵǾ� �ֽ4ϴ�.
no acis matched the resource	�ڿ� �Ǵ� �� ġ�ϴ� ACI�� 8�Ƿ� �׼�� źε˴ϴ�.
no acis matched the subject	�׼�� f� ��û�ϴ� ��f�� ġ�ϴ� ACI�� 8�Ƿ� �׼�� źε˴ϴ�.
allow anyone aci matched anon user	userdn = "ldap:///anyone" ��f�� ACI�� ͸� ��ڿ�� ׼�� ߽4ϴ�.
no matching anyone aci for anon user	userdn= "ldap:///anyone" ��f�� ACI�� ã; �� 8�Ƿ� �͸� �� ׼�� źεǾ�4ϴ�.
user root	��ڰ� ��Ʈ DN�̹Ƿ� �׼�� ˴ϴ�.



��	�� Ӽ�: ��Ʈ�� 8�Ƿ� �� Ӽ�� write ��̳� ��õ� �α� �� d�� f�� ʽ4ϴ�.

�� ׼�� f��: ��ũ�� ACI ��

�ݺ� ��丮 Ʈ�� v�� ϴ� v�� ũ�θ� ��Ͽ� ��丮�� Ǵ� ACI �� ּ�ȭ�� ֽ4ϴ�. ��丮 Ʈ�� ACI �� ̸� �׼�� f�� då�� ACI �޸𸮸� ȿ2��8�� ֽ4ϴ�.

��ũ�δ� ACI�� DN �Ǵ� DN�� Ϻκ�; ��Ÿ�� ڸ� ǥ��Դϴ�. ��ũ�θ� ��Ͽ� ACI�� κ�, ��ε� ��Ģ �κ� �Ǵ� �� κп�� DN; ��Ÿ�� ֽ4ϴ�. ��f�� LDAP �۾�� ŵǸ� Directory Server�� ACI ��ũ�θ� LDAP �۾�� ڿ�� Ͽ� ��ġ�ϴ� ��' ��ڿ�� ִ�� Ȯ��մϴ�. ��ġ�ϴ� ��' ��ڿ�� 8�� ڿ�; ��Ͽ� ��ε� ��Ģ�� ũ�θ� Ȯ��ϰ� Ȯ�� ε� ��Ģ; ��Ͽ� �ڿ� �� ׼�� d�մϴ�.

��ũ�� ACI ��

�� 캸�� ũ�� ACI�� a�� ۵� ��; ��Ȯ�� ֽ4ϴ�. �׸� 6-4�� ũ�� ACI�� Ͽ� ȿ��8�� ü ACI �� ִ� ��丮 Ʈ�� ݴϴ�.

�� ׸�� ' �� ݺ� �� Ʈ�� v(ou=groups,ou=people)�� 4ϴ�. example.com ��丮 Ʈ�� dc=hostedCompany2,dc=example,dc=com �� dc=hostedCompany3,dc=example,dc=com b�̾ ��Ǳ� �� : Ʈ�� ü�� ݺ��˴ϴ�.

��丮 Ʈ�� Ǵ� ACI�� ݺ� �� ֽ4ϴ�. �� dc=hostedCompany1,dc=example,dc=com ��忡�� Ʒ� ACI�� ֽ4ϴ�.

aci: (targetattr="*")
(targetfilter=(objectClass=nsManagedDomain))(version 3.0;
acl "Domain access"; allow (read,search) groupdn=
"ldap:///cn=DomainAdmins,ou=Groups,dc=hostedCompany1,
dc=example,dc=com";)

�� ACI�� DomainAdmins �׷쿡 dc=hostedCompany1,dc=example,dc=com Ʈ�� ׸� �� б� �� ˻� ��; �ο��մϴ�.

aci: (targetattr="*")
(targetfilter=(objectClass=nsManagedDomain))
(version 3.0; acl "Domain access"; allow (read,search)
groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=hostedCompany1,
dc=example,dc=com";)

dc=subdomain1,dc=hostedCompany1,dc=example,dc=com ��忡�� Ʒ� ACI�� ֽ4ϴ�.

aci: (targetattr="*")
(targetfilter=(objectClass=nsManagedDomain))
(version 3.0; acl "Domain access"; allow (read,search)
groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=subdomain1,
dc=hostedCompany1,dc=example,dc=com";)

aci: (targetattr="*")
(targetfilter=(objectClass=nsManagedDomain))
(version 3.0; acl "Domain access"; allow (read,search)
groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=hostedCompany2,
dc=example,dc=com";)

dc=subdomain1,dc=hostedCompany2,dc=example,dc=com ��忡�� Ʒ� ACI�� ֽ4ϴ�.

aci: (targetattr="*")
(targetfilter=(objectClass=nsManagedDomain))
(version 3.0; acl "Domain access"; allow (read,search)
groupdn="ldap:///cn=DomainAdmins,ou=Groups, dc=subdomain1,
dc=hostedCompany2,dc=example,dc=com";)

�� ACI�� /�� a: groupdn Ű��忡 ��d�� DN�Դϴ�. �� DN�� ũ�θ� ��Ͽ� dc=example,dc=com ��忡�� Ʈ�� Ʈ�� ִ� �� ACI�� ACI�� ü�� ֽ4ϴ�. �� ACI�� =�� ǥ�õ˴ϴ�.

aci: (target="ldap:///ou=Groups,($dn),dc=example,dc=com")
(targetattr="*")(targetfilter=(objectClass=nsManagedDomain))
(version 3.0; acl "Domain access"; allow (read,search) groupdn=
"ldap:///cn=DomainAdmins,ou=Groups,[$dn],dc=example,dc=com";)

'�� ACI �� 4�� 1�� پ�4ϴ�. �� ü ��丮 Ʈ�� ݺ� �� پ��ٴ� �Ϳ� �� ū ��a�� ֽ4ϴ�.

��ũ�� ACI ��

�� ; ��ȭ�ϱ� '�� userdn, roledn, groupdn, userattr �� ε� �ڰ� ��; f��ϴ� ACI Ű��带 �� ACI�� ��f�� θ��ϴ�. ��f�� ACI�� ; ��d�մϴ�.

��ũ�� ACI�� DN �Ǵ� DN�� Ϻκ�; ��ü�ϴ� ��=�� : /�� ǥ�� Ե˴ϴ�.

�� ($dn) ��ġ

ǥ 6-5 ACI Ű�� ũ��
��ũ��	ACI Ű��
($dn)	target, targetfilter, userdn, roledn, groupdn, userattr
[$dn]	targetfilter, userdn, roledn, groupdn, userattr
($attr.attrName)	userdn, roledn, groupdn, userattr

ACI�� ִ� ($dn) ��ũ�δ� LDAP ��û�� ׸� �� ü ��; ��d�մϴ�. �� , cn=all,ou=groups,dc=subdomain1,dc=hostedCompany1,
dc=example,dc=com �׸�; ��8�� ϴ� LDAP ��û�� ; ��=�� d��ϴ� ACI�� ֽ4ϴ�.

($dn) ��ũ�δ� "dc=subdomain1, dc=hostedCompany1"�� ġ�մϴ�. �� ACI ��f�� ' ��ڿ�� ü�˴ϴ�.

��f�� ($dn) ��ü

ACI ��f�� ִ� ($dn) ��ũ�δ� ��󿡼� ��ġ�ϴ� ��ü ��' ��ڿ�� ü�˴ϴ�. �� =�� 4ϴ�.

groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=subdomain1,
dc=hostedCompany1,dc=example,dc=com"

��ũ�ΰ� Ȯ��Ǹ� Directory Server�� Ϲ� �wμ�� ACI�� Ͽ� �׼�� ; �ο�� θ� ��d�մϴ�.

��f�� [$dn] ��ü


��	��ũ�� ü�� ϴ� ACI�� ǥ�� ACI�� ޸� �ݵ�� ׸�� ڽĿ� �� ׼�� ; �ο�� ʽ4ϴ�. �̴� �ڽ�� DN�� ü�� f ��ڿ�� ߸�� DN�� ۼ�� ֱ� ��Դϴ�.

[$dn]�� ü ��: ($dn)�� ణ �ٸ��ϴ�. ��ġ�� ߰�� ڿ�� DN; �� ˻��ϸ� �Ź� �� RDN �� Ҹ� ��f�մϴ�.

�� , cn=all,ou=groups, dc=subdomain1,dc=hostedCompany1,
dc=example,dc=com ��' Ʈ�� 8�� ϴ� LDAP ��û�� =�� : ACI�� ֽ4ϴ�.

aci: (targetattr="*")
(target="ldap:///ou=Groups,($dn),dc=example,dc=com")
(version 3.0; acl "Domain access"; allow (read,search)
groupdn="ldap:///cn=DomainAdmins,ou=Groups,[$dn],
dc=example,dc=com";)

�� ($dn): dc=subdomain1,dc=hostedCompany1�� ġ�մϴ�.

��f�� [$dn]; dc=subdomain1,dc=hostedCompany1�� ü�մϴ�.

�� f�� groupdn="ldap:///cn=DomainAdmins,ou=Groups, dc=subdomain1,dc=hostedCompany1,dc=example,dc=com"�� ˴ϴ�. ��ε� DN�� ׷�� ̾ �׼�� ο��Ǹ� ��ũ�� Ȯ�� ߴܵǰ� ACI �򰡰� ��˴ϴ�. ��ε� DN�� ׷�� ƴϸ� �wμ�� ӵ˴ϴ�.

��f�� [$dn]; dc=hostedCompany1�� ü�մϴ�.

�� f�� groupdn="ldap:///cn=DomainAdmins,ou=Groups, dc=hostedCompany1,dc=example,dc=com"�� ˴ϴ�. �ٽ� ��ε� DN�� ׷�� ׽�Ʈ�Ͽ�, �� ACI�� մϴ�. �׷�� ƴϸ� ��ġ�� RDN�� ũ�� Ȯ�� ߴܵǰ� �� ACI�� 򰡰� �Ϸ�˴ϴ�.

[$dn] ��ũ�θ� �� ڿ�� 丮 Ʈ�� �� ��' ��ο� �� ׼�� ; /�� ְ� �ο�� ִٴ� ��a�� ֽ4ϴ�. �� ũ�δ� ��ΰ� �� 踦 ǥ�� /��մϴ�.

aci: (target="ldap:///ou=*,($dn),dc=example,dc=com")
(targetattr="*")(targetfilter=(objectClass=nsManagedDomain))
(version 3.0; acl "Domain access"; allow (read,search) groupdn=
"ldap:///cn=DomainAdmins,ou=Groups,[$dn],dc=example,dc=com";)

�� ACI�� cn=DomainAdmins,ou=Groups, dc=hostedCompany1, dc=example,
dc=com �� dc=hostedCompany1�� ' ��ο� �� ׼�� ; �ο��ϹǷ� �� ׷쿡 �� ڴ� ��' Ʈ��(��: ou=people,
dc=subdomain1.1,dc=subdomain1)�� ׼�� ֽ4ϴ�.

�� ̿� ��ÿ� cn=DomainAdmins,ou=Groups, dc=subdomain1.1�� Դ� ou=people,dc=subdomain1, dc=hostedCompany1 �� ou=people,
dc=hostedCompany1 ��忡 �� ׼�� źε˴ϴ�.

($attr.attrName)�� ũ�� ġ

($attr.attrname) ��ũ�δ� �׻� DN�� f �κп�� ˴ϴ�. �� =�� : roledn; d�� ֽ4ϴ�.

roledn = "ldap:///cn=DomainAdmins,($attr.ou),dc=HostedCompany1,
dc=example,dc=com"

��f �� Ʒ� �׸�; ��8�� ϴ� LDAP �۾�; ��Ѵٰ� ��d�� ʽÿ�.

dn: cn=Babs Jensen,ou=People,dc=HostedCompany1,dc=example,dc=com
cn: Babs Jensen
sn: Jensen
ou: Sales
...

ACI�� roledn �κ�; ��ϱ� '�� ׸� �� ou �Ӽ� ��; �а� ��f�� ; ��ü�Ͽ� ��ũ�θ� Ȯ��մϴ�. �� roledn: ��=�� Ȯ��˴ϴ�.

roledn = "ldap:///cn=DomainAdmins,ou=Sales,dc=HostedCompany1,
dc=example,dc=com"

�׷� ��= Directory Server�� Ϲ� ACI �� ˰?�� ACI�� մϴ�.

��ũ�ο� ��d�� Ӽ�� ; �� ; ��ʷ� ��Ͽ� ��ũ�θ� Ȯ��ϸ� ó= ��ġ�ϴ� �׸�; f�� ˴ϴ�.

�׼�� f�� f

ACI�� ׸�� Ӽ�8�� ǹǷ� ACI�� Ե� �׸�� f�� b�̾�� Ϻ�� ACl�� ٸ� �Ӽ�� f�˴ϴ�.

ACI�� ׻� �޴� LDAP ��û; ó��ϴ� Directory Server�� 򰡵˴ϴ�. �� Ʈ ��û�� ŵǸ� �Һ�� û; ó�� ִ�� θ� ��ϱ� �� v�� ȯ�մϴ�.

�׼�� f��

��; ��Ͽ� �� 丮 Ʈ�� ϴ� �� ׼�� f�� ɹ�� ִ� Ű��忡 �� f�� ˴ϴ�. �ڼ�� : ACI f��; ��v�Ͻʽÿ�.

�� ڰ� �� b�̾ �׼��ϸ� �� ̵� �� 4ϴ�. �׼�� f�� ׻� �� 򰡵˴ϴ�. �� 򰡵Ǵ� �� LDAP �۾�: �wϽ� �� f� �� ޵� Ŭ��̾�Ʈ �?� �wα׷�� ̵� ��մϴ�. ��ڿ�� ' Ʈ�� ùٸ� �׼�� f� ��; ��쿡�� ۾�� f�� ˴ϴ�. �� =�� : �� f��; ��Ͽ� �� Ϲ�� ׼�� f� �߰�� ʿ䰡 �ֽ4ϴ�. �ڼ�� : �� b�̾ �� ׼�� f�� v�Ͻʽÿ�.

�׼�� f�� α� d��

�7� �α׿�� ׼�� f� �� d�� 8�x� �� α� ��; ��d�ؾ� �մϴ�.

�� ȣȯ��

Directory Server�� Ǿ�� Ϻ� ACI Ű�� Directory Server 5.2�� ̻� �� ʽ4ϴ�. �� ȣȯ��; '�� ̷�� Ű��嵵 �� ˴ϴ�. �� =�� 4ϴ�.

�� Ž� ��޾�ü �� Һ�� Directory Server 5.2 �� f ��; ��d�� 쿡�� ACI ��f �� f�� ߻�� ʽ4ϴ�.

�� =
Sun Java(TM) System Directory Server 5.2 2005Q1 �� ?

6�� �׼��� f�� ��

�׼��� f�� ��Ģ

ACI ��v

ACI ��ġ

ACI ��

ACI f��

�⺻ ACI

ACI ����

��� d��

��� ���丮 �׸� ��d

��� �Ӽ� ��d

��� �׸�� �Ӽ� ��� ��d

LDAP ���͸� ����� ��� �׸� �Ǵ� �Ӽ� ��d

LDAP ���͸� ����� ��� �Ӽ� �� ��d

�� ���� ���丮 �׸�; ���8�� ��d

��ũ�θ� ����Ͽ� ��� d��

���� d��

�׼��� ��� �Ǵ� �ź�

���� ��d

LDAP �۾� �ʿ��� ����

���� ����

���ε� ��Ģ

���ε� ��Ģ ����

����� �׼��� d�� - userdn Ű���

�͸� �׼���(anyone Ű���)

�Ϲ� �׼���(all Ű���)

��ü �׼���(self Ű���)

�θ� �׼���(parent Ű���)

LDAP URL

���ϵ�ī��

LDAP URL�� �?�� OR

Ưd LDAP URL f��

�׷� �׼��� d�� - groupdn Ű���

���� LDAP URL

LDAP URL�� �?�� OR

���� �׼��� d�� - roledn Ű���

�� ��ġ�� �� �׼��� d��

userattr Ű��� ���

USERDN ���ε� /��; ����� ��

GROUPDN ���ε� /��; ����� ��

ROLEDN ���ε� /��; ����� ��

LDAPURL ���ε� /��; ����� ��

�Ӽ� ���� �ִ� ��

��� ��ɰ� �Բ� userattr Ű��� ���

userattr ���; ����� ��

userattr Ű��带 ����� �߰� ���� �ο�

Ưd IP �ּҷκ����� �׼��� d��

Ưd ������8�κ����� �׼��� d��

Ưd �ð� �Ǵ� ������ �׼��� d��

���� ��� �� �׼��� d��

��

�ο� ���ε� ��Ģ ���

����ٿ��� ACI �ۼ�

ACI �Ӽ� �� ����

�ֿܼ��� ACI �ۼ�

�׸��� ACI ����

�� ACI �ۼ�

ACI ����

ACI ��f

�׼��� f�� ��� ��

�͸� �׼��� �ο�

ACI "Anonymous example.com"

ACI "Anonymous World"

���� �׸� ���� ���� �׼��� ���� �ο�

ACI "Write example.com"

ACI "Write Subscribers"

�߿� ���ҿ� ���� �׼��� f��

ACI "Roles"

�׷쿡 b�̾ ���� ��ü �׼��� ���� �ο�

ACI "HR"

�׷� �׸� �߰� �� ��f ���� �ο�

ACI "Create Group"

ACI "Delete Group"

�׷��̳� ���ҿ� v�Ǻ� �׼��� ���� �ο�

ACI "Company333"

�׼��� �ź�

ACI "Billing Info Read"

ACI "Billing Info Deny"

���͸�; ����� ��� ��d

����ڰ� �׷쿡 �ڽ�; �߰� �Ǵ� f���� �� �ֵ��� ���

6��
�׼�� f��

�׼�� f�� Ģ

ACI ��

�� d��

�� 丮 �׸� ��d

�� Ӽ� ��d

�� ׸�� Ӽ� �� d

LDAP ��͸� �� ׸� �Ǵ� �Ӽ� ��d

LDAP ��͸� �� Ӽ� �� d

�� 丮 �׸�; ��8�� d

��ũ�θ� ��Ͽ� �� d��

�� d��

�׼�� Ǵ� �ź�

�� d

LDAP �۾� �ʿ��

��

��ε� ��Ģ

��ε� ��Ģ ��

�� ׼�� d�� - userdn Ű��

�͸� �׼��(anyone Ű��)

�Ϲ� �׼��(all Ű��)

��ü �׼��(self Ű��)

�θ� �׼��(parent Ű��)

��ϵ�ī��

LDAP URL�� ?�� OR

�׷� �׼�� d�� - groupdn Ű��

�� LDAP URL

LDAP URL�� ?�� OR

�� ׼�� d�� - roledn Ű��

�� ġ�� ׼�� d��

userattr Ű��

USERDN ��ε� /��; ��

GROUPDN ��ε� /��; ��

ROLEDN ��ε� /��; ��

LDAPURL ��ε� /��; ��

�Ӽ� �� ִ� ��

�� ɰ� �Բ� userattr Ű��

userattr ��; ��

userattr Ű��带 �� ߰� �� ο�

Ưd IP �ּҷκ�� ׼�� d��

Ưd ��8�κ�� ׼�� d��

Ưd �ð� �Ǵ� �� ׼�� d��

�� ׼�� d��

�ο� ��ε� ��Ģ ��

��ٿ�� ACI �ۼ�

ACI �Ӽ� ��

�ֿܼ�� ACI �ۼ�

�׸�� ACI ��

ACI ��

�׼�� f��

�͸� �׼�� ο�

�� ׸� �� ׼�� ο�

�߿� ��ҿ� �� ׼�� f��

�׷쿡 b�̾ �� ü �׼�� ο�

�׷� �׸� �߰� �� f �� ο�

�׷��̳� ��ҿ� v�Ǻ� �׼�� ο�

�׼�� ź�

��͸�; �� d

��ڰ� �׷쿡 �ڽ�; �߰� �Ǵ� f�� ֵ��

��ǥ�� ִ� DN�� d��

�wϽ� �� ACI ��

/ȿ ��

/ȿ �� Ʈ�ѿ� �� ׼�� f��

/ȿ �� Ʈ��

/ȿ ��

�� d��

Write, Selfwrite_add �� Selfwrite_delete ��

�� ׼�� f��: ��ũ�� ACI ��

��ũ�� ACI ��

�� ($dn) ��ġ

($attr.attrName)�� ũ�� ġ

�׼�� f�� f

�׼�� f��

�׼�� f�� α� d��

�� ȣȯ��