SAS 9.1.3 Integration Technologies » Administrator's Guide (LDAP Version)


Security

Specifying Bind Rules

The bind rule lets you specify a bind condition under which the access control information (ACI) rule is applied. For example, you could specify that the ACI rule is applied only when a user binds to the directory using their distinguished name (DN).

Note: ACI rules are supported only for the iPlanet (previously Netscape) LDAP server.

Enter the bind rule in the Bind Rule field on the Specify ACI Rule window, using one of the following forms:

keyword = expression
The keyword and expression must match for the statement to be true.
keyword != expression
The keyword and expression must not match for the statement to be true.

The possible keywords and expressions follow. For detailed information on specifying bind rules, see the iPlanet Directory Server Administrator's Guide.

Note: Although bind rules are usually specified as ending with a semicolon, do not put a semicolon on the bind rules in this field. The Administrator application adds the semicolon automatically.

userdn

The expressions that you can use with this keyword are as follows:

userdn = "ldap:///dn"
Specify a distinguished name or a distinguished name pattern for dn. You may use an asterisk as a wildcard. The rule is true if the user binds using the specified distinguished name or pattern. For example, if you specified userdn = "ldap:///uid=*, o=Alphalite Airways" the expression is true if the user binds using uid=jrush, o=Alphalite Airways, but not if the user binds using uid=jrush, ou=sales, o=Alphalite Airways.

userdn = "ldap:///self"
The rule is true if the user is accessing the entry for the distinguished name that is used when binding to the directory. For example, a user that binds as uid=jrush, o=Alphalite Airways could access the uid=jrush object.

userdn = "ldap:///all"
The rule is true for any user that has successfully bound to the directory with a distinguished name, that is, any authenticated (non-anonymous) bind.

userdn = "ldap:///anyone"
The rule is true for anyone, including clients that bind anonymously. An ACI rule that uses this expression therefore grants its permissions to unauthenticated access to the directory.

userdn = "ldap:///dn || ldap:///dn2"
The rule is true if the user binds using either of the specified distinguished names (each one is a complete distinguished name, for example ldap:///uid=jrush, o=Alphalite Airways || ldap:///uid=nking, o=Alphalite Airways). Wildcards are not allowed in this form.

userdn = "ldap:///o=Alphalite Airways??sub?(|(ou=sales)(ou=accounting))"
The rule is true if the user's entry is under o=Alphalite Airways and matches the LDAP search filter given in the URL, in this case if its ou attribute is sales or accounting. The filter must be a valid LDAP filter, so two alternatives are combined with (|...) rather than written side by side.

groupdn

This keyword uses the following expression:

groupdn = "ldap:///dn"
This rule is true if the bind distinguished name is a member of the group that is specified by dn. For example, if the rule is specified as groupdn = "ldap:///cn=managers, o=Alphalite Airways", the rule is true if the user's distinguished name is a member of the managers group. You can specify more than one group by separating the URLs with ||, as for userdn.

userdnattr

This keyword uses the following expression:

userdnattr = "ldap:///attribute"
The rule is true if the bind distinguished name is the same as the distinguished name that is stored in attribute on the entry being accessed. As an example, consider a directory entry whose "manager" attribute holds uid=nking, o=Alphalite Airways and a bind rule that is specified as userdnattr = "ldap:///manager". A user that binds as uid=nking, o=Alphalite Airways satisfies the rule for that entry because the bind distinguished name matches the value of the "manager" attribute.

groupdnattr

This keyword uses the following expressions:

groupdnattr = "ldap:///attribute"
The rule is true if the bind distinguished name is a member of the group whose distinguished name is stored in attribute on the entry being accessed. This parallels the userdnattr keyword, except that the attribute names a group rather than a single user.

groupdnattr = "ldap:///dn?attribute"
This rule is true if the bind distinguished name is a member of the group whose distinguished name is stored in attribute, where the attribute is read from the entry being accessed or from one of its parent entries up to the entry specified by dn.
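The following is an added example, not code from the SAS guide or from the iPlanet server: a small Python evaluator for the DN-based keywords described above (userdn, groupdn, userdnattr and groupdnattr) against a constructed in-memory directory. It follows the behaviour the text describes: a wildcard matches within one RDN only, "self" compares the bind DN with the entry being accessed, "all" needs an authenticated bind while "anyone" also accepts anonymous binds, and a trailing semicolon is rejected. The DIRECTORY entries, the "owner" attribute used for groupdnattr, and the function names are assumptions for the example; the filter form of userdn and the dn?attribute form of groupdnattr are not implemented.

```python
"""Toy evaluator for the DN-based bind rule keywords (userdn, groupdn,
userdnattr, groupdnattr) against a small in-memory directory."""
import re

RULE_RE = re.compile(r'^\s*(\w+)\s*(!=|=)\s*"([^"]*)"\s*$')
LDAP_PREFIX = "ldap:///"


def normalize_dn(dn):
    """Split a DN into lower-cased RDNs, ignoring the spaces after commas, so
    'uid=jrush, o=Alphalite Airways' and 'UID=JRUSH,O=Alphalite Airways' compare equal."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def dn_key(dn):
    return ",".join(normalize_dn(dn))


def dn_matches_pattern(bind_dn, pattern):
    """'*' matches only inside one RDN, so the pattern needs the same number of
    RDNs as the bind DN: uid=*,o=X matches uid=jrush,o=X but not uid=jrush,ou=sales,o=X."""
    bind_rdns, pattern_rdns = normalize_dn(bind_dn), normalize_dn(pattern)
    if len(bind_rdns) != len(pattern_rdns):
        return False
    for rdn, pat in zip(bind_rdns, pattern_rdns):
        regex = "^" + ".*".join(re.escape(piece) for piece in pat.split("*")) + "$"
        if not re.match(regex, rdn):
            return False
    return True


def strip_url(alternative):
    alternative = alternative.strip()
    if not alternative.startswith(LDAP_PREFIX):
        raise ValueError("expected an ldap:/// URL, got %r" % alternative)
    return alternative[len(LDAP_PREFIX):]


def entry_attribute(directory, dn, attribute):
    """Attribute names are case-insensitive in LDAP; look them up that way."""
    entry = directory.get(dn_key(dn), {})
    return {k.lower(): v for k, v in entry.items()}.get(attribute.lower(), [])


def is_member(directory, group_dn, bind_dn):
    members = entry_attribute(directory, group_dn, "uniqueMember") + \
        entry_attribute(directory, group_dn, "member")
    return dn_key(bind_dn) in {dn_key(m) for m in members}


def eval_userdn(expr, bind_dn, target_dn):
    alternatives = [strip_url(a) for a in expr.split("||")]
    if len(alternatives) > 1 and "*" in expr:
        raise ValueError("wildcards are not allowed in the || form")
    for body in alternatives:
        if body == "anyone":
            return True                 # anonymous binds included
        if not bind_dn:
            continue                    # every other form needs a bound DN
        if body == "all":
            return True
        if body == "self":
            if dn_key(bind_dn) == dn_key(target_dn):
                return True
        elif dn_matches_pattern(bind_dn, body):
            return True
    return False


def eval_groupdn(expr, bind_dn, directory):
    return bool(bind_dn) and any(is_member(directory, strip_url(a), bind_dn)
                                 for a in expr.split("||"))


def eval_dnattr(expr, bind_dn, target_dn, directory, group):
    """userdnattr: the named attribute of the target entry holds the bind DN.
    groupdnattr: it holds the DN of a group that the bind DN belongs to."""
    values = entry_attribute(directory, target_dn, strip_url(expr))
    if not bind_dn:
        return False
    if group:
        return any(is_member(directory, v, bind_dn) for v in values)
    return any(dn_key(v) == dn_key(bind_dn) for v in values)


def evaluate(rule, bind_dn, target_dn, directory):
    """Evaluate one bind rule; bind_dn is '' for an anonymous bind."""
    m = RULE_RE.match(rule)
    if not m:   # also rejects a trailing ';', which the Bind Rule field must not contain
        raise ValueError("malformed bind rule: %r" % rule)
    keyword, op, expr = m.group(1).lower(), m.group(2), m.group(3)
    if keyword == "userdn":
        result = eval_userdn(expr, bind_dn, target_dn)
    elif keyword == "groupdn":
        result = eval_groupdn(expr, bind_dn, directory)
    elif keyword in ("userdnattr", "groupdnattr"):
        result = eval_dnattr(expr, bind_dn, target_dn, directory, keyword == "groupdnattr")
    else:
        raise ValueError("unsupported keyword: " + keyword)
    return result if op == "=" else not result


# Constructed sample entries (assumption, not taken from any real server).
DIRECTORY = {
    dn_key("uid=jrush, o=Alphalite Airways"): {
        "manager": ["uid=nking, o=Alphalite Airways"],
        "owner": ["cn=managers, o=Alphalite Airways"]},
    dn_key("uid=nking, o=Alphalite Airways"): {},
    dn_key("uid=tlee, ou=sales, o=Alphalite Airways"): {},
    dn_key("cn=managers, o=Alphalite Airways"): {
        "uniqueMember": ["uid=nking, o=Alphalite Airways"]},
}

if __name__ == "__main__":
    jrush, nking = "uid=jrush, o=Alphalite Airways", "uid=nking, o=Alphalite Airways"
    print(evaluate('userdn = "ldap:///uid=*, o=Alphalite Airways"', jrush, jrush, DIRECTORY))
    print(evaluate('userdnattr = "ldap:///manager"', nking, jrush, DIRECTORY))
```

Running the two calls at the bottom prints True twice; changing the bind DN in the first call to uid=tlee, ou=sales, o=Alphalite Airways makes it print False, which is the RDN-boundary behaviour of the wildcard that the userdn description warns about.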

ip

This keyword uses the following expression:

ip = "ip address"
The rule is true if the client that is accessing the directory connects from the specified IP address. You may use asterisks as wildcards. For example, ip = "10.15.67.*". A source address identifies a network location, not a person, and clients behind a proxy or NAT device all present the same address, so use this keyword to narrow other conditions rather than as the only condition.

dns

This keyword uses the following expression:

dns = "dns hostname"
The rule is true if the client that is accessing the directory is located in the specified domain. You may use asterisks as wildcards. For example, dns = "*.alphalite.com". The hostname is obtained by a reverse DNS lookup of the client's IP address, so the rule is only as trustworthy as the reverse DNS records for that address.

timeofday

This keyword uses the following expression:

timeofday operator "time"
The rule is true if the time at which the user accesses the directory (as determined on the server) satisfies the comparison with the time that is specified in the rule. Specify time in 24-hour format (0 to 2359). Use operator to specify whether the access time must be before, after, or equal to time. The possible values for operator are shown in the following examples:
  • timeofday = "800" (rule is true if the user accesses the directory at 8:00 AM)
  • timeofday != "1030" (rule is true if the user accesses the directory at any time other than 10:30 AM)
  • timeofday > "1400" (rule is true if the user accesses the directory after 2:00 PM)
  • timeofday >= "1400" (rule is true if the user accesses the directory at or after 2:00 PM)
  • timeofday < "1100" (rule is true if the user accesses the directory before 11:00 AM)
  • timeofday <= "1100" (rule is true if the user accesses the directory at or before 11:00 AM)

dayofweek

This keyword uses the following expression:

dayofweek = "day"
The rule is true if the user accesses the directory on the specified day (the day is determined on the server). The values for day are Sun, Mon, Tue, Wed, Thu, Fri, and Sat. To allow several days, separate them with commas, for example dayofweek = "Sat, Sun".

authmethod

This keyword uses the following expression:

authmethod = "authentication method"
The rule is true if the user accesses the directory using the specified authentication method. Values for authentication method are none, simple, ssl, and sasl sasl_mechanism. The value none means that the authentication method is not checked, so the rule is true for any bind, including an anonymous one. For example, the rule authmethod = "simple" is true if the user accesses the directory using a distinguished name and password, and authmethod = "ssl" is true only if the user authenticated with a client certificate over SSL.
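The following is an added example, not code from the SAS guide or from the iPlanet server: a small Python evaluator for the environment-based keywords (ip, dns, timeofday, dayofweek and authmethod) applied to a description of an incoming bind. The bind context dictionary and the function names are assumptions for the example, as is treating the ip and dns wildcards as shell-style globs over the whole string; that choice is what makes a pattern such as ip = "10.15.6*" match 10.15.60.9 as well as 10.15.6.9, which is the kind of over-broad match to check for when writing these rules.

```python
"""Evaluate the environment-based bind rule keywords (ip, dns, timeofday,
dayofweek, authmethod) against a description of an incoming bind."""
import re
from fnmatch import fnmatchcase

RULE_RE = re.compile(r'^\s*(\w+)\s*(!=|>=|<=|=|>|<)\s*"([^"]*)"\s*$')
COMPARE = {
    "=": lambda a, b: a == b, "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
}


def parse_rule(rule):
    """Split 'keyword op "value"' into its parts. A trailing semicolon does not
    match and is rejected, because the Administrator application appends it itself."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("malformed bind rule: %r" % rule)
    return m.group(1).lower(), m.group(2), m.group(3)


def bind_context(ip, host, time, day, authmethod):
    """Constructed description of one bind (assumption): ip is the client's
    address, host its reverse-DNS name, time the server clock as HHMM, day
    Sun..Sat, authmethod one of none, simple, ssl or 'sasl MECHANISM'."""
    return {"ip": ip, "host": host, "time": time, "day": day, "authmethod": authmethod}


def evaluate(rule, ctx):
    keyword, op, value = parse_rule(rule)
    if keyword == "timeofday":
        when = int(value)
        if not 0 <= when <= 2359:
            raise ValueError("time must be in 24-hour HHMM form, 0 to 2359")
        return COMPARE[op](int(ctx["time"]), when)   # operator applied directly
    if op not in ("=", "!="):
        raise ValueError("operator %s is only valid with timeofday" % op)
    if keyword == "ip":
        result = fnmatchcase(ctx["ip"], value)
    elif keyword == "dns":
        result = fnmatchcase(ctx["host"].lower(), value.lower())
    elif keyword == "dayofweek":
        result = ctx["day"].lower() in {d.strip().lower() for d in value.split(",")}
    elif keyword == "authmethod":
        wanted = " ".join(value.lower().split())          # 'sasl  DIGEST-MD5' -> 'sasl digest-md5'
        actual = " ".join(ctx["authmethod"].lower().split())
        result = wanted == "none" or wanted == actual    # none: method is not checked
    else:
        raise ValueError("unsupported keyword: " + keyword)
    return result if op == "=" else not result


if __name__ == "__main__":
    ctx = bind_context("10.15.67.42", "ws12.alphalite.com", 930, "Mon", "simple")
    for rule in ('ip = "10.15.67.*"', 'dns = "*.alphalite.com"', 'timeofday < "1100"',
                 'dayofweek = "Sat, Sun"', 'authmethod = "ssl"'):
        print(rule, "->", evaluate(rule, ctx))
```

Each keyword is one condition; the rule in the Bind Rule field is a single keyword expression, so a policy such as "sales staff, from the office network, during business hours" is expressed by the combination of ACI rules rather than by one of these strings.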