Chapter 6. Managing Access Control

6.1. Access Control Principles
6.1.1. ACI Structure
6.1.2. ACI Placement
6.1.3. ACI Evaluation
6.1.4. ACI Limitations
6.2. Default ACIs
6.3. Creating ACIs Manually
6.3.1. The ACI Syntax
6.3.2. Defining Targets
6.3.3. Defining Permissions
6.4. Bind Rules
6.4.1. Bind Rule Syntax
6.4.2. Defining User Access - userdn Keyword
6.4.3. Defining Group Access - groupdn Keyword
6.4.4. Defining Role Access - roledn Keyword
6.4.5. Defining Access Based on Value Matching
6.4.6. Defining Access from a Specific IP Address
6.4.7. Defining Access from a Specific Domain
6.4.8. Defining Access at a Specific Time of Day or Day of Week
6.4.9. Defining Access Based on Authentication Method
6.4.10. Using Boolean Bind Rules
6.5. Creating ACIs from the Console
6.5.1. Displaying the Access Control Editor
6.5.2. Creating a New ACI
6.5.3. Editing an ACI
6.5.4. Deleting an ACI
6.6. Viewing ACIs
6.7. Get Effective Rights Control
6.7.1. Using Get Effective Rights from the Command-Line
6.7.2. Using Get Effective Rights from the Console
6.7.3. Get Effective Rights Return Codes
6.8. Logging Access Control Information
6.9. Access Control Usage Examples
6.9.1. Granting Anonymous Access
6.9.2. Granting Write Access to Personal Entries
6.9.3. Restricting Access to Key Roles
6.9.4. Granting a Group Full Access to a Suffix
6.9.5. Granting Rights to Add and Delete Group Entries
6.9.6. Granting Conditional Access to a Group or Role
6.9.7. Denying Access
6.9.8. Setting a Target Using Filtering
6.9.9. Allowing Users to Add or Remove Themselves from a Group
6.9.10. Defining Permissions for DNs That Contain a Comma
6.9.11. Proxied Authorization ACI Example
6.10. Advanced Access Control: Using Macro ACIs
6.10.1. Macro ACI Example
6.10.2. Macro ACI Syntax
6.11. Access Control and Replication
6.12. Compatibility with Earlier Releases

Red Hat Directory Server allows you to control access to your directory. This chapter describes how to implement access control. To take full advantage of the power and flexibility of access control, define an access control strategy as an integral part of your overall security policy while you are still in the planning phase for your directory deployment.

[5] The LDAP tools referenced in this guide are Mozilla LDAP, installed with Directory Server in the /usr/lib/mozldap directory on Red Hat Enterprise Linux 5 i386; directories for other platforms are listed in Section 1.2, “LDAP Tool Locations”. However, Red Hat Enterprise Linux systems also include LDAP tools from OpenLDAP. It is possible to use the OpenLDAP commands as shown in the examples, but you must use the -x argument to disable SASL and allow simple authentication.


Note: This documentation is provided {and copyrighted} by Red Hat®, Inc. and is released via the Open Publication License. The copyright holder has added the further requirement that Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder. The CentOS project redistributes these original works (in their unmodified form) as a reference for CentOS-5 because CentOS-5 is built from publicly available, open source SRPMS. The documentation is unmodified to be compliant with upstream distribution policy. Neither CentOS-5 nor the CentOS Project are in any way affiliated with or sponsored by Red Hat®, Inc.