Granting a Group Full Access to a Suffix
When you grant a group privileged access to the directory, you usually want to ensure that those privileges are protected from intruders trying to impersonate the privileged users. For that reason, access control rules that grant critical access to a group or role are often associated with a number of conditions.
The following sample ACI grants the Directory Administrators group full access to the corporate clients branch of the directory tree, provided the following conditions are fulfilled:
The connection is authenticated using a certificate over SSL
Access is requested between 08:00 and 18:00, Monday through Thursday
Access is requested from a specified IP address
aci: (target="ou=corporate-clients,dc=example,dc=com") (targetattr = "*") (version 3.0; acl "corporate-clients"; allow (all) (groupdn="ldap:///cn=DirectoryAdmin,ou=corporate-clients,dc=example,dc=com") and (authmethod="ssl") and (dayofweek="Mon,Tue,Wed,Thu") and (timeofday >= "0800" and timeofday <= "1800") and (ip="255.255.123.234"); )
This example assumes that the ACI is added to the ou=corporate-clients,dc=example,dc=com entry.
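The following Python sketch is an added example, not part of the original documentation and not the server's own evaluator. It parses the bind rule of the ACI above and shows that every condition must hold, reporting the first keyword that fails. The request dictionary, the function names, the sample dates, and the three-letter day abbreviations are assumptions of this model.

```python
import ipaddress
import re
from datetime import datetime

# Bind rule copied from the ACI above (day names as three-letter abbreviations).
BIND_RULE = ('(groupdn="ldap:///cn=DirectoryAdmin,ou=corporate-clients,dc=example,dc=com") '
             'and (authmethod="ssl") and (dayofweek="Mon,Tue,Wed,Thu") '
             'and (timeofday >= "0800" and timeofday <= "1800") '
             'and (ip="255.255.123.234")')

DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]  # datetime.weekday() order
OPS = {"=": lambda a, b: a == b, ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}

def parse_bind_rule(rule):
    """Return [(keyword, operator, value), ...]; every term here is joined by 'and'."""
    terms = re.findall(r'(\w+)\s*(>=|<=|=)\s*"([^"]*)"', rule)
    for kw, _, val in terms:
        if kw == "dayofweek":
            bad = [d for d in val.split(",") if d.strip().lower() not in DAYS]
            if bad:
                raise ValueError(f"unknown day name(s): {bad}")
    return terms

def allowed(terms, req):
    """req: dict with groups (set of DNs), authmethod, when (datetime), ip."""
    for kw, op, val in terms:
        if kw == "groupdn":
            ok = val[len("ldap:///"):].lower() in {g.lower() for g in req["groups"]}
        elif kw == "authmethod":
            ok = req["authmethod"].lower() == val.lower()
        elif kw == "dayofweek":
            ok = DAYS[req["when"].weekday()] in [d.strip().lower() for d in val.split(",")]
        elif kw == "timeofday":
            ok = OPS[op](req["when"].strftime("%H%M"), val)  # zero-padded HHMM sorts as text
        elif kw == "ip":
            ok = ipaddress.ip_address(req["ip"]) == ipaddress.ip_address(val)
        else:
            raise ValueError(f"keyword not modelled: {kw}")
        if not ok:
            return False, kw  # first failing condition, useful when debugging a denial
    return True, None

# Constructed request: group member, certificate bind, Wednesday 2024-01-10 09:30.
ADMIN = {"groups": {"cn=DirectoryAdmin,ou=corporate-clients,dc=example,dc=com"},
         "authmethod": "ssl", "when": datetime(2024, 1, 10, 9, 30), "ip": "255.255.123.234"}
```

Calling `allowed(parse_bind_rule(BIND_RULE), ADMIN)` returns `(True, None)`; changing any single field of the request so that it violates its condition returns `False` together with the keyword that caused the denial.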