SAS® Integration Technologies: Administrator's Guide (LDAP Version)
SAS® Integration Technologies: Administrator's Guide (LDAP Version)
SAS® Integration Technologies: Administrator's Guide (LDAP Version)
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
<strong>SAS®</strong> <strong>Integration</strong> <strong>Technologies</strong>: <strong>Administrator's</strong> <strong>Guide</strong> (<strong>LDAP</strong> <strong>Version</strong>)<br />
Target<br />
The target specifies the entry where ACI rule will be effective. Usually, the target is the same as the entry where the<br />
ACI attribute exists. In other words, if the ACI attribute is added to the entry with DN cn=SAS,o=SAS<br />
Institute,c=US, then the target will be ldap:///cn=SAS,o=SAS Institute,c=US. The target<br />
parameter can point at an entry which is a direct descendant, but that can become hard to manage. The parameter can<br />
also cause the server to process access control information that does not apply to the search it is carrying out.<br />
Targetattr<br />
Targetattr specifies one or more attributes that the access control information applies to. Access control rules can<br />
apply to specific attributes. This parameter provides more strict access to attributes such as userpassword.<br />
Targetfilter<br />
This is an optional parameter that can be used to apply to specific entries based on a filter. The filter has the same<br />
syntax as a filter provided to the ldapsearch command. This type of ACI rule is expensive to process and should be<br />
used sparingly.<br />
Permissions<br />
The permissions parameter consists of the version number (currently always 3.0), the ACI name, the operation (either<br />
allow or deny), the permissions and the subject to which to apply the rule (typically either a user or a group). Most<br />
ACI rules are written to allow permissions, because deny ACI rules can quickly become complex. The following<br />
permissions are supported:<br />
Read<br />
Allows data to be returned to the user<br />
Search<br />
Allows user operations to search the data<br />
Compare<br />
The user is allowed to use the data for filter comparisons<br />
Write<br />
The user may write to the data item<br />
Add<br />
The user may add the data item<br />
Delete<br />
The user may delete the data<br />
Selfwrite<br />
The user may write their own DN to the data item<br />
Some of these permission make the most sense when they are applied to an attribute. For example, allowing selfwrite<br />
of the member attribute above the area where groups are stored will allow a user to add himself to or remove himself<br />
from a group.<br />
The subject specification will normally be made using the userdn or groupdn keyword. The value will be an ldap URL<br />
with the distinguished name of the user or group. Wildcard characters can be used in the DN to specify more than one<br />
user. Also, there are two special strings: ldap:///all specifies all bound users, and ldap:///anyone specifies<br />
any users, including anonymous users. If the groupdn keyword is used, the DN points to a groupOfUniqueNames. If<br />
the DN of the bound user exists in the group as a uniqueMember attribute, the rule is applied.<br />
Sun ONE and Netscape Directory Server Access ControlOverview 229