Configuring Access Control

To Add an Access Control Rule  205
To Modify an Access Control Rule  208
Delete an Access Control Rule  210
Reordering Access Control Rules  210
Using the Distinguished Name Editor  211

Access controls determine who has access to a given directory entry, and what level of access is granted. "Access Control" on page 37 explains how to design an access control policy for your directory. The following sections explain how to add, modify, and delete access control rules using the Admin Console.

An access control rule defines the level of access to specific directory information given to a particular user. There are two stages to defining a new access control rule:

Specify the directory information to which the rule applies. This is the information that you want to protect.
Specify the level of access granted to each user for this information.

Access control rules are ordered, with the most specific rules first, followed by more general rules. The first rule in the list that matches the requested operation is applied; the rules that follow it in the list are ignored.
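The ordering rule described above, illustrated with a small first-match evaluator in Python. This is an added example, not code from the Sun Directory Services guide or product: the entry selectors and rule types mirror the choices offered in the steps below, while the rights names (such as selfwrite), the sample directory entries and the bind details are constructed for illustration.

```python
import re
from fnmatch import fnmatch
# Constructed sample directory, DN -> attributes (hypothetical data, not from the guide).
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"mail": ["alice@example.com"]},
    "cn=admins,ou=groups,dc=example,dc=com": {"member": ["uid=alice,ou=people,dc=example,dc=com"]},
}

def entry_matches(selector, entry_dn, attrs):
    # Stage 1 of a rule: the entries it protects (all, DN regex, or attribute presence).
    kind, arg = selector
    if kind == "all":
        return True
    if kind == "dn_regex":
        return re.search(arg, entry_dn) is not None
    if kind == "has_attr":
        return arg in attrs
    raise ValueError(kind)

def user_matches(rule_type, entry_dn, attrs, bind):
    # Stage 2: the bound users the rule covers (the Rule type chosen in step 4).
    kind, arg = rule_type
    if kind == "everyone":
        return True
    if kind == "dn_regex":
        return re.search(arg, bind["dn"]) is not None
    if kind == "self":
        return bind["dn"] == entry_dn
    if kind in ("address", "domain"):  # both may contain wildcards
        return fnmatch(bind[kind], arg)
    if kind == "member_attr":  # bind DN is listed in the named member attribute
        return bind["dn"] in attrs.get(arg, [])
    raise ValueError(kind)

def access_for(acl, entry_dn, bind):
    # Ordered evaluation: the first rule matching both entry and user wins; no match, no access.
    attrs = DIRECTORY[entry_dn]
    for rule in acl:
        if (entry_matches(rule["entries"], entry_dn, attrs)
                and user_matches(rule["users"], entry_dn, attrs, bind)):
            return rule["rights"]
    return set()
ACL = [  # most specific first, as the Admin Console enforces
    {"entries": ("has_attr", "member"), "users": ("member_attr", "member"), "rights": {"selfwrite"}},
    {"entries": ("dn_regex", r"ou=people"), "users": ("self", None), "rights": {"read", "write"}},
    {"entries": ("all", None), "users": ("address", "192.0.2.*"), "rights": {"read", "search"}},
    {"entries": ("all", None), "users": ("everyone", None), "rights": {"read"}},
]
ALICE = {"dn": "uid=alice,ou=people,dc=example,dc=com", "address": "192.0.2.10", "domain": "pc1.example.com"}
```

Reversing ACL (general rule first) makes the everyone/read rule swallow every request, so alice loses write access to her own entry; that is the mistake the ordering convention prevents.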

To Add an Access Control Rule



AdminConsole>SUN Directory Services>LDAP Server property book>Create pulldown>Access Control  

  1. In the Admin Console home page, click the Sun Directory Services icon to bring up the LDAP Server property book, and then choose Access Control from the Create pulldown.
  The Create Access Control Rule window is displayed, as shown in FIGURE 6-10.

FIGURE  6-10 Create Access Control Rule Window

  2. Specify the method of selecting information to which the new rule will apply, by doing one of the following:
  a. From the Selected Entries menu, select the method of specifying the entries, or choose All entries.
  You can specify entries using a DN-based regular expression, an LDAP filter, the presence of a particular attribute, or you can specify that the rule applies to all entries.
  If you want to protect only certain attributes within the set of entries defined by the regular expression, click the Attribute Set button and select the attributes to be protected. If you do not specify any attributes, all attributes in the specified entries are protected.
  i. If you selected DN-based regular expression, type the regular expression in the Distinguished name field, or click Set to use the Distinguished Name Editor to specify the regular expression.
  See "Using the Distinguished Name Editor" on page 211 for more details.
  ii. If you selected LDAP filter, click the LDAP filter Set button to launch the LDAP Filter Editor. Specify the filter, and click Apply.
  See "Specifying an LDAP Filter" on page 212 for more information.
  b. Type the name of an attribute to be protected in the Attributes field.
  To see a list of attributes, click the Set button. You can specify any number of attributes.
  3. Choose Access Rule from the Create menu.
  The Add Access Rule window is displayed, as shown in FIGURE 6-11.

FIGURE  6-11 Add Access Rule Window

  4. Choose the Rule type.
  This defines the set of users to which the rule applies. You can specify a rule for Everyone, DN-based Regular Expression, Self (that is, the entity described by the entry), Address, Domain, or Member Attribute.
  a. If you selected DN-based Regular Expression, specify the regular expression for the set of users to which the rule applies. The rule will apply to all users who bind with a distinguished name that matches the regular expression.
  You can type the distinguished name directly in the field, or you can click Set to use the Distinguished Name editor to construct the distinguished name. See "Using the Distinguished Name Editor" on page 211 for more information about how to specify a distinguished name.
  b. If you selected Address, specify an IP address.
  The IP address can contain wildcards. The rule will apply to all users who bind from the specified IP address.
  c. If you selected Domain, specify a domain name.
  The domain name can contain wildcards. The rule will apply to all users who bind from the specified domain.
  d. If you selected Member Attribute, specify an attribute.
  The rule allows the user to add or remove the user's own distinguished name in the list of members specified by the attribute.
  e. apply to all users whose directory entries contain this attribute.
  5. Specify the access rights to be granted to the specified set of users.
  6. Click Add to add the rule.
  You can then define other rules for entries you have selected, as described in Step 4. When you have created all the rules for these entries, click Cancel to remove the Add User Rule window.
  7. In the Create Access Control Rule window, click Add to store the new rules.
  You can now select another set of entries and define access controls for them, as described in Step 2.
  Configuration changes are implemented when you restart the slapd daemon.

 

To Modify an Access Control Rule



AdminConsole>SUN Directory Services>LDAP Server property book>Create pulldown>Access Control  

  1. In the Admin Console home page, click the Sun Directory Services icon to bring up the LDAP Server property book, and then choose Access Control from the Create pulldown.
  2. Select the set of entries whose access control you want to modify, and choose Modify ACL from the Selected menu.

FIGURE  6-12 Access Control Property Book

  Tip - If you double-click a rule, the Access Control property book is displayed automatically.
  3. Select the rule that you want to modify, and choose Modify Access Rule from the Selected menu.
  The Modify User Rule window is displayed.
  If you double-click the rule you want to modify, the Modify User Rule window is displayed automatically.
  4. Make the modification you require.
  5. Click OK.
  Make any other modifications you require. When you have made all the modifications, click Cancel to remove the Modify User Rule window.
  These changes will take effect when you restart the slapd daemon.

 

Delete an Access Control Rule



AdminConsole>SUN Directory Services>LDAP Server property book>Create pulldown>Access Control  

  1. In the Admin Console home page, click the Sun Directory Services icon to bring up the LDAP Server property book, and then choose Access Control from the Create pulldown.
  2. Select the set of entries and choose Modify ACL from the Selected menu.
  3. The Access Control property book is displayed.
  4. Select the rule you want to delete and choose Delete Access Rule from the Selected menu.
  To delete all access control rules for a set of entries, select the entry set and choose Delete ACL from the Selected menu.
  You are prompted to confirm that you want to delete all access controls for the set of entries.
  5. Click Apply.

Reordering Access Control Rules



AdminConsole>SUN Directory Services>LDAP Server property book>Create pulldown>Access Control  

  1. In the Admin Console home page, click the Sun Directory Services icon to bring up the LDAP Server property book, and then choose Access Control from the Create pulldown.
  2. Select the rule you want to move.
  3. Choose Move Up or Move Down from the Selected menu.
  4. Click Apply to save the changes to the configuration file.
  The changes are implemented when you restart the slapd daemon.

Note - The Admin Console prevents you from breaking the convention that more specific rules are placed before more general ones.



Copyright © 1999 Sun Microsystems, Inc. All Rights Reserved.