Security
Specifying Bind Rules
The bind rule lets you specify a bind condition under which the access control
information (ACI)
rule is applied. For example, you could specify that the ACI rule is
applied only when a user binds to the directory using their distinguished name (DN).
Note: ACI rules are supported only for the iPlanet (previously Netscape) LDAP server.
Enter the bind rule in the Bind Rule field on the
Specify ACI Rule window, using one of the following forms:
- keyword = expression
- The keyword and expression must match for the statement to be true.
- keyword != expression
- The keyword and expression must not match for the statement to be true.
The possible keywords and expressions follow. For detailed information
on specifying bind rules, see the iPlanet Directory Server
Administrator's Guide.
Note: Although bind rules are usually specified as ending
with a semicolon, do not put a semicolon on the bind rules in this
field. The Administrator application adds the semicolon automatically.
userdn
The expressions that you can use with this keyword are as follows:
- userdn = "ldap:///dn"
- Specify a distinguished name or a distinguished name pattern
for dn. You may use an asterisk as a wildcard. The rule
is true if the user binds using the specified
distinguished name or pattern. For example, if you specified
userdn = "ldap:///uid=*, o=Alphalite Airways" the expression is true
if the user binds using uid=jrush, o=Alphalite Airways, but not if the user
binds using uid=jrush, ou=sales, o=Alphalite Airways.
- userdn = "ldap:///self"
- The rule is true if the user is accessing the entry for the
distinguished name that is used when binding to the directory. For example,
a user that binds as uid=jrush, o=Alphalite Airways could access the uid=jrush
object.
- userdn = "ldap:///all"
- The rule is true for any valid distinguished name that has successfully
bound to the directory.
- userdn = "ldap:///anyone"
- The rule is true for anyone. This rule permits anonymous access to
the directory.
- userdn = "ldap:///uid=dn || ldap:///uid=dn2"
- The rule is valid if the user binds using either of the specified
distinguished names. Wildcards are not allowed.
- userdn = "ldap:///o=Alphalite Airways???(ou=sales)(ou=accounting)"
- The rule is valid if the user's distinguished name is under
either ou=sales, o=Alphalite Airways or ou=accounting, o=Alphalite Airways.
groupdn
This keyword uses the following expression:
- groupdn = "ldap:///dn"
- This rule is true if the bind distinguished name is a member of the
group that is specified by dn. You can specify more than one group.
For example, if the rule is specified as groupdn = "ldap:///cn=managers, o=Alphalite
Airways", the rule is true if the user's distinguished name is a member
of the managers group.
userdnattr
This keyword uses the following expression:
- userdnattr = "ldap:///attribute"
- The rule is true if the bind distinguished name is the same as the
distinguished name that is specified for attribute. As an example,
consider a directory object that has uid=nking specified for the "manager" attribute
and a bind rule that is specified as userdnattr = "ldap:///manager".
User nking could bind to the directory and access the object because the
bind distinguished name matches the value of the "manager" attribute.
groupdnattr
This keyword uses the following expressions:
- groupdnattr = "ldap:///attribute"
- The rule is true if the bind distinguished name is the same as the
distinguished name that is specified for attribute. This operates
identically to the userdnattr keyword, except that the attribute
is specified on a group object.
- groupdnattr = "ldap:///dn?attribute"
- This rule is true if the bind distinguished name is the same as the
distinguished name that is specified for attribute. The group must
also be under the distinguished name that is specified by dn.
ip
This keyword uses the following expression:
- ip = "ip address"
- The rule is true if the user that is accessing the directory uses the
specified IP address. You may use asterisks as wildcards.
For example, ip = "10.15.67.*"
dns
This keyword uses the following expression:
- dns = "dns hostname"
- The rule is true if the user that is accessing the directory is located
in the specified domain. You may use asterisks as wildcards.
For example, dns = "*.alphalite.com"
timeofday
This keyword uses the following expression:
- timeofday operator "time"
- The rule is true if the time that the user accesses the directory matches
the time that is specified in the rule. Specify time in 24-hour format
(0 to 2359). Use the operator value to
specify whether the access time should be before, after, or equal to
the time that is specified in time. The possible values for operator
are given in the following examples:
- timeofday = "800" (rule is true if user logs on at 8:00 AM)
- timeofday != "1030" (rule is true if user logs on at any time other than
10:30 AM)
- timeofday > "1400" (rule is true if user logs on after 2:00 PM)
- timeofday >= "1400" (rule is true if user logs on at or after 2:00 PM)
- timeofday < "1100" (rule is true if user logs on before 11:00 AM)
- timeofday <= "1100" (rule is true if user logs on at or before 11:00 AM)
dayofweek
This keyword uses the following expression:
- dayofweek = "day"
- The rule is true if the user accesses the directory on the specified
day (the day is determined on the server). The values for day are
Sun, Mon, Tue, Wed, Thu, Fri, and Sat.
authmethod
This keyword uses the following expression:
- authmethod = "authentication method"
- The rule is true if the user accesses the directory using the
specified authentication method. Values for authentication method are
none, simple, ssl, and sasl sasl_mechanism. For example, the rule
authmethod = "simple" is true if the user accesses the directory using
a username and password.
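The following Python evaluator is an added example, not code from this page or from the iPlanet server; it applies the bind-rule semantics described above (the comma-bounded wildcard in userdn patterns, the anyone/all/self forms, exact-only || alternatives, groupdn membership, ip and dns wildcards, the timeofday operators, dayofweek and authmethod) to a constructed bind context. The CTX field names, the DN values and the helper names are this example's own assumptions; the userdnattr, groupdnattr and URL-filter forms are not modelled.

```python
import operator
import re
from fnmatch import fnmatchcase
OPS = {"=": operator.eq, "!=": operator.ne, ">": operator.gt,
       ">=": operator.ge, "<": operator.lt, "<=": operator.le}
RULE = re.compile(r'^\s*(\w+)\s*(!=|>=|<=|=|>|<)\s*"([^"]*)"\s*$')
# Constructed bind context; the field names are this example's own, not iPlanet state.
CTX = {"binddn": "uid=jrush, o=Alphalite Airways", "entrydn": "uid=jrush, o=Alphalite Airways",
       "groups": ["cn=managers, o=Alphalite Airways"], "ip": "10.15.67.22",
       "dns": "ws22.alphalite.com", "timeofday": 930, "dayofweek": "Tue", "authmethod": "simple"}

def _norm(dn):
    # "uid=x, o=y" and "uid=x,o=y" name the same entry; DNs compare case-insensitively.
    return re.sub(r",\s*", ",", dn.strip()).lower()

def _dn_match(pattern, dn):
    # '*' stands in for one RDN value and never crosses a comma, so the page's pattern
    # "uid=*, o=Alphalite Airways" accepts uid=jrush, o=... but not uid=jrush, ou=sales, o=...
    regex = re.escape(_norm(pattern)).replace(r"\*", "[^,]*")
    return re.fullmatch(regex, _norm(dn)) is not None

def _holds(keyword, expr, ctx):
    # Positive test for one keyword; '!=' is applied by evaluate().
    binddn = ctx["binddn"] or ""                    # "" models an anonymous bind
    targets = [u.strip()[len("ldap:///"):] for u in expr.split("||")]  # userdn/groupdn URLs
    if keyword == "userdn":
        if targets == ["anyone"]: return True       # anonymous binds qualify too
        if targets == ["all"]: return binddn != ""  # any successfully bound DN
        if targets == ["self"]: return _norm(binddn) == _norm(ctx["entrydn"])
        if len(targets) > 1:                        # "a || b": exact DNs, no wildcards
            return any(_norm(t) == _norm(binddn) for t in targets)
        return _dn_match(targets[0], binddn)
    if keyword == "groupdn":
        members = {_norm(g) for g in ctx["groups"]}
        return any(_norm(t) in members for t in targets)
    if keyword in ("ip", "dns"):
        return fnmatchcase(ctx[keyword], expr)      # '*' wildcards as on the page
    if keyword in ("dayofweek", "authmethod"):
        return ctx[keyword] == expr
    raise ValueError("unsupported keyword: " + keyword)

def evaluate(rule, ctx=CTX):
    """True if the bind context satisfies one rule such as 'timeofday >= "800"'."""
    m = RULE.match(rule)
    if not m: raise ValueError("malformed bind rule: " + rule)
    keyword, op, expr = m.groups()
    if keyword == "timeofday":                      # the only keyword with ordering operators
        return OPS[op](ctx["timeofday"], int(expr))
    if op not in ("=", "!="): raise ValueError(op + " is only valid with timeofday")
    return OPS[op](_holds(keyword, expr, ctx), True)
```

Note that `userdn != "ldap:///anyone"` can never be true, and that only `anyone` admits an anonymous bind; `all` requires a successfully bound DN.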