Red Hat Summit Red Hat SummitSupportKonsoleEntwicklerDemo startenKontakt

Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

18.11. Defining Bind Rules

The bind rules in an ACI define the required bind parameters that must meet so that Directory Server applies the ACI. For example, you can set bind rules based on:
  • DNs
  • Group memberships or assigned roles
  • Locations from which an entry must bind
  • Types of authentication that must be in use during the bind
  • Times or days on which the bind occurs
In an ACI, the following highlighted part is the bind rule: 
(target_rule) (version 3.0; acl "ACL_name"; permission_rule bind_rules;)
Copy to Clipboard Toggle word wrap

Syntax

The general syntax of a bind rule is: 
keyword comparison_operator "expression"
Copy to Clipboard Toggle word wrap
  • keyword: Sets the type of the bind operation. See Section 18.11.1, “Frequently Used Bind Rules”.
  • comparison_operator: Valid values are = and != and indicate whether or not the target is the object specified in the expression. If a keyword supports additional comparison operators, it is mentioned in the corresponding section.
  • expression: Sets the expression and must be surrounded by quotation marks. The expression itself depends on the keyword you use.

18.11.1. Frequently Used Bind Rules
Link kopieren

Administrators frequently use the following bind keywords:
Additionally, bind rules are frequently combined using Boolean operators. For details, see Section 18.11.3, “Combining Bind Rules Using Boolean Operators”.

18.11.1.1. Defining User-based Access
Link kopieren

The userdn keyword enables you to grant or deny access based on one or multiple DNs and uses the following syntax: 
userdn comparison_operator "ldap:///distinguished_name || ldap:///distinguished_name || ..."
Copy to Clipboard Toggle word wrap
Set the DN in the expression to:

Note

Do not specify a host name or port number within the LDAP URL. The URL always applies to the local server.
18.11.1.1.1. Using a DN with the userdn Keyword
Link kopieren
Set the userdn keyword to a DN to apply the ACI only to the matching entry. To match multiple entries, use the * wildcard in the DN.
Using the userdn keyword with a DN must match the following syntax: 
userdn comparison_operator ldap:///distinguished_name
Copy to Clipboard Toggle word wrap

Example 18.12. Using a DN with the userdn Keyword

To enable the uid=admin,ou=People,dc=example,dc=com user to read the manager attribute of all other users in the ou=People,dc=example,dc=com entry: 
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="manager") (version 3.0; acl "Allow uid=admin reading manager attribute";
 allow (search, read) userdn = "ldap:///uid=admin,ou=People,dc=example,dc=com";)
Copy to Clipboard Toggle word wrap
18.11.1.1.2. Using the userdn Keyword with an LDAP Filter
Link kopieren
If you want to dynamically allow or deny permissions to users, use the userdn keyword with an LDAP filter: 
userdn comparison_operator "ldap:///distinguished_name??scope?(filter)"
Copy to Clipboard Toggle word wrap

Note

The LDAP filter supports the * wildcard.

Example 18.13. Using the userdn Keyword with an LDAP Filter

To enable users who have the department attribute set to Human Resources to update the homePostalAddress attribute of users in the ou=People,dc=example,dc=com entry: 
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="homePostalAddress") (version 3.0;
 acl "Allow HR setting homePostalAddress"; allow (write)
 userdn = "ldap:///ou=People,dc=example,dc=com??sub?(department=Human Resources)";)
Copy to Clipboard Toggle word wrap
18.11.1.1.3. Granting Anonymous Access
Link kopieren
In certain situations, administrators want to configure anonymous access to data in the directory. Anonymous access means that it is possible to bind to the directory by providing:
  • No bind DN and password
  • A valid bind DN and password
To configure anonymous access, use the ldap:///anyone expression with the userdn keyword in a bind rule: 
userdn comparison_operator "ldap:///anyone"
Copy to Clipboard Toggle word wrap

Example 18.14. Granting Anonymous Access

To enable anyone without authentication to read and search the sn, givenName, and telephoneNumber attributes in the ou=People,dc=example,dc=com entry: 
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="sn" || targetattr="givenName" || targetattr = "telephoneNumber")
 (version 3.0; acl "Anonymous read, search for names and phone numbers";
 allow (read, search) userdn = "ldap:///anyone";)
Copy to Clipboard Toggle word wrap
18.11.1.1.4. Granting Access to Authenticated Users
Link kopieren
In certain situations, administrators want to grant permission to any user who is able to successfully bind to Directory Server, except anonymous binds. To configure this feature, use the ldap:///all expression with the userdn keyword in a bind rule: 
userdn comparison_operator "ldap:///all"
Copy to Clipboard Toggle word wrap

Example 18.15. Granting Access to Authenticated Users

To enable authenticated users to add and remove themselves as a member to or from the ou=example,ou=groups,dc=example,dc=com group: 
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: ou=example,ou=Groups,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="member") (version 3.0;
 acl "Allow users to add/remove themselves from example group";
 allow (selfwrite) userdn = "ldap:///all";)
Copy to Clipboard Toggle word wrap
18.11.1.1.5. Enabling Users to Access Their Own Entries
Link kopieren
To set ACIs which allow or deny access to users to their own entry, use the ldap:///self expression with the userdn keyword in a bind rule: 
userdn comparison_operator "ldap:///self"
Copy to Clipboard Toggle word wrap

Example 18.16. Enabling Users to Access Their Own Entries

To enable users in the ou=People,dc=example,dc=com entry to update their own userPassword attribute: 
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="userPassword") (version 3.0;
 acl "Allow users updating their password";
 allow (write) userdn = "ldap:///self";)
Copy to Clipboard Toggle word wrap
18.11.1.1.6. Setting Access for Child Entries of a User
Link kopieren
To specify that users are granted or denied access to an entry only if their bind DN is the parent of the targeted entry, use the self:///parent expression with the userdn keyword in a bind rule: 
userdn comparison_operator "ldap:///parent"
Copy to Clipboard Toggle word wrap

Example 18.17. Setting Access for Child Entries of a User

To enable the cn=user,ou=People,dc=example,dc=com user to update the manager attribute of its own sub-entries, such as cn=example,cn=user,ou=People,dc=example,dc=com: 
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: cn=user,ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="manager") (version 3.0;
 acl "Allow cn=user to update manager attributes";
 allow (write) userdn = "ldap:///parent";)
Copy to Clipboard Toggle word wrap

18.11.1.2. Defining Group-based Access
Link kopieren

Group-based ACIs enable you to manage access by adding or removing users to or from a group. To configure an ACI that is based on a group membership, use the groupdn keyword. If the user is a member of one or multiple of the specified groups, the ACI matches.
When using the groupdn keyword, Directory Server verifies the group membership based on the following attributes:
  • member
  • uniqueMember
  • memberURL
  • memberCertificateDescription
Bind rules with the groupdn keyword use the following syntax: 
groupdn comparison_operator "ldap:///distinguished_name || ldap:///distinguished_name || ..."
Copy to Clipboard Toggle word wrap
Set the DN in the expression to:
If you set multiple DNs in one bind rule, Directory Server applies the ACI if the authenticated user is a member of one of these groups. To set the user as a member of multiple groups, use multiple groupdn keywords and combine them using the Boolean and operator. For details, see Section 18.11.3, “Combining Bind Rules Using Boolean Operators”.

Note

Do not specify a host name or port number within the LDAP URL. The URL always applies to the local server.
18.11.1.2.1. Using a DN with the groupdn Keyword
Link kopieren
To apply an ACI to members of a group, set the groupdn keyword to the group's DN.
The groupdn keyword set to a DN uses the following syntax: 
groupdn comparison_operator ldap:///distinguished_name
Copy to Clipboard Toggle word wrap

Example 18.18. Using a DN with the groupdn Keyword

To enable members of the cn=example,ou=Groups,dc=example,dc=com group to search and read the manager attribute of entries in ou=People,dc=example,dc=com: 
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="manager") (version 3.0;
 acl "Allow example group to read manager attribute";
 allow (search, read) groupdn = "ldap:///cn=example,ou=Groups,dc=example,dc=com";)
Copy to Clipboard Toggle word wrap
18.11.1.2.2. Using the groupdn Keyword with an LDAP Filter
Link kopieren
Using an LDAP filter with the groupdn keyword, you can define that the authenticated user must be a member of at least one of the groups that the filter search returns, to match the ACI.
The groupdn keyword with an LDAP filter uses the following syntax: 
groupdn comparison_operator "ldap:///distinguished_name??scope?(filter)"
Copy to Clipboard Toggle word wrap

Note

The LDAP filter supports the * wildcard.

Example 18.19. Using the groupdn Keyword with an LDAP Filter

To enable members of groups in dc=example,dc=com and subtrees, which have the manager attribute set to example, update the homePostalAddress of entries in ou=People,dc=example,dc=com: 
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="homePostalAddress") (version 3.0;
 acl "Allow manager=example setting homePostalAddress"; allow (write)
 userdn = "ldap:///dc=example,dc=com??sub?(manager=example)";)
Copy to Clipboard Toggle word wrap

18.11.2. Further Bind Rules
Link kopieren

This section describes bind rules that are less-frequently used.

18.11.2.1. Defining Access Based on Value Matching
Link kopieren

Use the userattr keyword in a bind rule to specify which attribute must match between the entry used to bind to the directory and the targeted entry.
The userattr keyword uses the following syntax: 
userattr comparison_operator "attribute_name#bind_type_or_attribute_value
Copy to Clipboard Toggle word wrap
For further details, see:

Important

By default, Directory Server evaluates access rights on the entry they are created. However, to prevent user objects on the same level, Directory Server does not grant add permissions to the entry where you set the ACI, when using the userattr keyword. To configure this behavior, use the userattr keyword in conjunction with the parent keyword and grant the permission additionally on level 0.
For details about inheritance, see Section 18.11.2.1.6, “Using the userattr Keyword with Inheritance”.
18.11.2.1.1. Using the USERDN Bind Type
Link kopieren
To apply an ACI when the binding user DN matches the DN stored in an attribute, use the USERDN bind type.
The userattr keyword with the USERDN bind type requires the following syntax: 
userattr comparison_operator "attribute_name#USERDN"
Copy to Clipboard Toggle word wrap

Example 18.20. Using the USERDN Bind Type

To grant a manager all permissions to the telephoneNumber attribute of its own associates: 
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "telephoneNumber")
 (version 3.0; acl "Manager: telephoneNumber";
 allow (all) userattr = "manager#USERDN";)
Copy to Clipboard Toggle word wrap
The previous ACI is evaluated to be true if the DN of the user who performs the operation on an entry in ou=People,dc=example,dc=com, matches the DN stored in the manager attribute of this entry.
18.11.2.1.2. Using the GROUPDN Bind Type
Link kopieren
To apply an ACI when the binding user DN is a member of a group set in an attribute, use the GROUPDN bind type.
The userattr keyword with the GROUPDN bind type requires the following syntax: 
userattr comparison_operator "attribute_name#GROUPDN"
Copy to Clipboard Toggle word wrap

Example 18.21. Using the GROUPDN Bind Type

To grant users the permission to delete a group entry which they own under the ou=Social Committee,ou=Groups,dc=example,dc=com entry: 
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: ou=Social Committee,ou=Groups,dc=example,dc=com
changetype: modify
add: aci
aci: (target="ou=Social Committee,ou=Groups,dc=example,dc=com)
 (targattrfilters="del=objectClass:(objectClass=groupOfNames)")
 (version 3.0; acl "Delete Group";
 allow (delete) userattr = "owner#GROUPDN";)
Copy to Clipboard Toggle word wrap
The previous ACI is evaluated to be true if the DN of the user who performs the operation is a member of the group specified in the owner attribute.
The specified group can be a dynamic group, and the DN of the group can be under any suffix in the database. However, the evaluation of this type of ACI by the server is very resource-intensive.
If you are using static groups that are under the same suffix as the targeted entry, use the following expression for better performance: 
userattr comparison_operator "ldap:///distinguished_name?attribute_name#GROUPDN"
Copy to Clipboard Toggle word wrap
18.11.2.1.3. Using the ROLEDN Bind Type
Link kopieren
To apply an ACI when the binding user belongs to a role specified in an attribute, use the ROLEDN bind type.
The userattr keyword with the ROLEDN bind type requires the following syntax: 
userattr comparison_operator "attribute_name#ROLEDN"
Copy to Clipboard Toggle word wrap

Example 18.22. Using the ROLEDN Bind Type

To enable users with the cn=Administrators,dc=example,dc=com role to search and read the manager attribute of entries in ou=People,dc=example,dc=com: 
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (version 3.0; acl "Allow example role owners to read manager attribute";
 allow (search, read) userattr = manager#ROLEDN;)
Copy to Clipboard Toggle word wrap
The specified role can be under any suffix in the database. If you are also using filtered roles, the evaluation of this type of ACI uses a lot of resources on the server.
If you are using a static role definition and the role entry is under the same suffix as the targeted entry, use the following expression for better performance:
18.11.2.1.4. Using the SELFDN Bind Type
Link kopieren
The SELFDN bind type enables you to grant permissions, when the bound user's DN is set in a single-value attribute of the entry.
The userattr keyword with the SELFDN bind type requires the following syntax: 
userattr comparison_operator "attribute_name#SELFDN"
Copy to Clipboard Toggle word wrap

Example 18.23. Using the SELFDN Bind Type

To enable a user to add ipatokenuniqueid=*,cn=otp,dc=example,dc=com entries that have the bind user's DN set in the ipatokenOwner attribute: 
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: ou=otp,dc=example,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///ipatokenuniqueid=*,cn=otp,dc=example,dc=com")
 (targetfilter = "(objectClass=ipaToken)")(version 3.0;
 acl "token-add-delete"; allow (add) userattr = "ipatokenOwner#SELFDN";)
Copy to Clipboard Toggle word wrap
18.11.2.1.5. Using the LDAPURL Bind Type
Link kopieren
To apply an ACL when the bind DN matches the filter specified in an attribute of the targeted entry, use the LDAPURL bind type.
The userattr keyword with the LDAPURL bind type requires the following syntax: 
userattr comparison_operator "attribute_name#LDAPURL"
Copy to Clipboard Toggle word wrap

Example 18.24. Using the LDAPURL Bind Type

To grant read and search permissions to user objects which contain the aciurl attribute set to ldap:///ou=People,dc=example,dc=com??one?(uid=user*): 
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")
 (version 3.0; acl "Allow read,search "; allow (read,search)
 (userattr = "aciurl#LDAPURL);)
Copy to Clipboard Toggle word wrap
18.11.2.1.6. Using the userattr Keyword with Inheritance
Link kopieren
When you use the userattr keyword to associate the entry used to bind with the target entry, the ACI applies only to the target specified and not to the entries below it. In certain situations, administrators want to extend the application of the ACI several levels below the targeted entry. This is possible by using the parent keyword and specifying the number of levels below the target that should inherit the ACI.
When using the userattr keyword with the parent keyword, the syntax is as follows: 
userattr comparison_operator "parent[inheritance_level].attribute_name#bind_type_or_attribute_value
Copy to Clipboard Toggle word wrap
  • inheritance_level: Comma-separated list that indicates how many levels below the target inherit the ACI. You can include five levels (0, 1, 2, 3, 4) below the targeted entry. Zero (0) indicates the targeted entry.
  • attribute_name: The attribute targeted by the userattr or groupattr keyword.
  • bind_type_or_attribute_value: Sets the attribute value or a bind type, such as USERDN.
For example: 
userattr = "parent[0,1].manager#USERDN"
Copy to Clipboard Toggle word wrap
This bind rule is evaluated to be true if the bind DN matches the manager attribute of the targeted entry. The permissions granted when the bind rule is evaluated to be true apply to the target entry and to all entries immediately below it.

Example 18.25. Using the userattr Keyword with Inheritance

To enable a user to read and search the cn=Profiles,dc=example,dc=com entry where the user's DN is set in the owner attribute, as well as the first level of child entries which includes cn=mail,cn=Profiles,dc=example,dc=com and cn=news,cn=Profiles,dc=example,dc=com: 
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: cn=Profiles,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*") (version 3.0; acl "Profile access",
 allow (read,search) userattr="parent[0,1].owner#USERDN" ;)
Copy to Clipboard Toggle word wrap

18.11.2.2. Defining Access from Specific IP Addresses or Ranges
Link kopieren

The ip keyword in a bind rule enables you to grant or deny access from a specific IP address or a range of IP addresses.
Bind rules with the ip keyword use the following syntax: 
ip comparison_operator "IP_address_or_range"
Copy to Clipboard Toggle word wrap

Example 18.26. Using IPv4 Address Ranges in Bind Rules

To deny access from the 192.0.2.0/24 network to the dc=example,dc=com entry: 
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*") (version 3.0;acl "Deny 192.0.2.0/24"; deny (all)
 (userdn = "ldap:///anyone") and (ip != "192.0.2.");)
Copy to Clipboard Toggle word wrap

Example 18.27. Using IPv6 Address Ranges in Bind Rules

To deny access from the 2001:db8::/64 network to the dc=example,dc=com entry: 
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*") (version 3.0;acl "Deny 2001:db8::/64"; deny (all)
 (userdn = "ldap:///anyone") and (ip != "2001:db8::");)
Copy to Clipboard Toggle word wrap

18.11.2.3. Defining Access from a Specific Host or Domain
Link kopieren

The dns keyword in a bind rule enables you to grant or deny access from a specific host or domain.

Warning

If Directory Server cannot resolve a connecting IP address to its Fully Qualified Domain Name (FQDN) using DNS, the server does not apply ACIs with the dns bind rule for this client.
If client IP addresses are not resolvable using DNS, use the ip keyword and IP addresses instead. See Section 18.11.2.2, “Defining Access from Specific IP Addresses or Ranges”.
Bind rules with the dns keyword use the following syntax: 
dns comparison_operator "host_name_or_domain_name"
Copy to Clipboard Toggle word wrap

Example 18.28. Defining Access from a Specific Host

To deny access from the client.example.com host to the dc=example,dc=com entry: 
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*") (version 3.0;acl "Deny client.example.com"; deny (all)
 (userdn = "ldap:///anyone") and (dns != "client.example.com");)
Copy to Clipboard Toggle word wrap

Example 18.29. Defining Access from a Specific Domain

To deny access from all hosts within the example.com domain to the dc=example,dc=com entry: 
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*") (version 3.0;acl "Deny example.com"; deny (all)
 (userdn = "ldap:///anyone") and (dns != "*.example.com");)
Copy to Clipboard Toggle word wrap

18.11.2.4. Requiring a Certain Level of Security in Connections
Link kopieren

The security of a connection is determined by its Security Strength Factor (SSF), which sets the minimum key strength required to process operations. Using the ssf keyword in a bind rule, you can set that a connection must use a certain level of security. This enables you to force operations, for example password changes, to be performed over an encrypted connection.
The value for the SSF for any operation is the higher of the values between a TLS connection and a SASL bind. This means that if a server is configured to run over TLS and a replication agreement is configured for SASL/GSSAPI, the SSF for the operation is whichever available encryption type is more secure.
Bind rules with the ssf keyword use the following syntax: 
ssf comparison_operator key_strength
Copy to Clipboard Toggle word wrap
You can use the following comparison operators:
  • = (equal to)
  • ! (not equal to)
  • < (less than)
  • > (greater than)
  • <= (less than or equal to)
  • >= (greater than or equal to)
If the key_strength parameter is set to 0, no secure operation is required for the LDAP operation.

Example 18.30. Requiring a Certain Level of Security in Connections

To configure that users in the dc=example,dc=com entry can only update their userPassword attribute when the SSF is 128 or higher: 
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "userPassword") (version 3.0;
 acl "Allow users updating own userPassword";
 allow (write) (userdn = "ldap:///self") and (ssf >= "128");)
Copy to Clipboard Toggle word wrap

18.11.2.5. Defining Access at a Specific Day of the Week
Link kopieren

The dayofweek keyword in a bind rule enables you to grant or deny access based on the day of the week.

Note

Directory Server uses the time on the server to evaluate the ACI; not the time on the client.
Bind rules with the dayofweek keyword use the following syntax: 
dayofweek comparison_operator "comma-separated_list_of_days"
Copy to Clipboard Toggle word wrap

Example 18.31. Granting Access on Specific Days of the Week

To deny access for the uid=user,ou=People,dc=example,dc=com user entry to bind to the server on Saturdays and Sundays: 
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (version 3.0; acl "Deny access on Saturdays and Sundays";
 deny (all)
 (userdn = "ldap:///uid=user,ou=People,dc=example,dc=com") and
 (dayofweek = "Sun,Sat");)
Copy to Clipboard Toggle word wrap

18.11.2.6. Defining Access at a Specific Time of Day
Link kopieren

The timeofday keyword in a bind rule enables you to grant or deny access based on the time of day.

Note

Directory Server uses the time on the server to evaluate the ACI; not the time on the client.
Bind rules with the timeofday keyword use the following syntax: 
timeofday comparison_operator "time"
Copy to Clipboard Toggle word wrap
You can use the following comparison operators:
  • = (equal to)
  • ! (not equal to)
  • < (less than)
  • > (greater than)
  • <= (less than or equal to)
  • >= (greater than or equal to)

Important

The timeofday keyword requires that you specify the time in 24-hour format.

Example 18.32. Defining Access at a Specific Time of a Day

To deny access for the uid=user,ou=People,dc=example,dc=com user entry to bind to the server between 6pm and 0am: 
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
 aci: (version 3.0; acl "Deny access between 6pm and 0am";
 deny (all)
 (userdn = "ldap:///uid=user,ou=People,dc=example,dc=com") and
 (timeofday >= "1800" and timeofday < "2400");)
Copy to Clipboard Toggle word wrap

18.11.2.7. Defining Access Based on the Authentication Method
Link kopieren

The authmethod keyword in a bind rule sets what authentication method a client must use when connecting to the server, to apply the ACI.
Bind rules with the authmethod keyword use the following syntax: 
authmethod comparison_operator "authentication_method"
Copy to Clipboard Toggle word wrap
You can set the following authentication methods:
  • none: Authentication is not required and represents anonymous access. This is the default.
  • simple: The client must provide a user name and password to bind to the directory.
  • SSL: The client must bind to the directory using a TLS certificate either in a database, smart card, or other device. For details about certificate-based authentication, see Section 9.9, “Using Certificate-based Client Authentication”.
  • SASL: The client must bind to the directory over a Simple Authentication and Security Layer (SASL) connection. When you use this authentication method in a bind rule, additionally specify the SASL mechanism, such as EXTERNAL.

Example 18.33. Enabling Access Only for Connections Using the EXTERNAL SASL Authentication Method

To deny access to the server if the connection does not use a certificate-based authentication method or SASL: 
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (version 3.0; acl "Deny all access without certificate"; deny (all)
 (authmethod = "none" or authmethod = "simple");)
Copy to Clipboard Toggle word wrap

18.11.2.8. Defining Access Based on Roles
Link kopieren

The roledn keyword in a bind rule enables you to grant or deny access to users having one or multiple role sets.

Note

Red Hat recommends using groups instead of roles. For further details about roles and limitations, see Section 8.2.1, “About Roles”.
Bind rules with the roledn keyword use the following syntax: 
roledn comparison_operator "ldap:///distinguished_name || ldap:///distinguished_name || ..."
Copy to Clipboard Toggle word wrap

Note

If a DN contains a comma, escape the comma with a backslash.

Example 18.34. Defining Access Based on Roles

To enable users that have the cn=Human Resources,ou=People,dc=example,dc=com role set in the nsRole attribute to search and read the manager attribute of entries in ou=People,dc=example,dc=com: 
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="manager") (version 3.0;
 acl "Allow manager role to update manager attribute";
 allow (search, read) roledn = "ldap:///cn=Human Resources,ou=People,dc=example,dc=com";)
Copy to Clipboard Toggle word wrap

18.11.3. Combining Bind Rules Using Boolean Operators
Link kopieren

When creating complex bind rules, the AND, OR, and NOT Boolean operators enable you to combine multiple keywords.
Bind rules combined with Boolean operators have the following syntax: 
bind_rule_1 boolean_operator bind_rule_2...
Copy to Clipboard Toggle word wrap

Example 18.35. Combining Bind Rules Using Boolean Operators

To configure that users which are member of both the cn=Administrators,ou=Groups,dc=example,com and cn=Operators,ou=Groups,dc=example,com group can read, search, add, update, and delete entries in ou=People,dc=example,dc=com: 
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///ou=People,dc=example,dc=com") (version 3.0;
 acl "Allow members of administrators and operators group to manage users";
 allow (read, search, add, write, delete)
 groupdn = "ldap:///cn=Administrators,ou=Groups,dc=example,com" AND
 groupdn = "ldap:///cn=Operators,ou=Groups,dc=example,com";)
Copy to Clipboard Toggle word wrap

How Directory Server Evaluates Boolean Operators

Directory Server evaluates Boolean operators by using the following rules:
  • All expressions from left to right.
    In the following example, bind_rule_1 is evaluated first: 
    (bind_rule_1) OR (bind_rule_2)
    Copy to Clipboard Toggle word wrap
  • From innermost to outermost parenthetical expressions first.
    In the following example, bind_rule_2 is evaluated first and bind_rule_3 second: 
    (bind_rule_1) OR ((bind_rule_2) AND (bind_rule_3))
    Copy to Clipboard Toggle word wrap
  • NOT before AND or OR operators.
    In the following example, bind_rule_2 is evaluated first: 
    (bind_rule_1) AND NOT (bind_rule_2)
    Copy to Clipboard Toggle word wrap
    The AND and OR operators have no order of precedence.
Nach oben
Red Hat logoGithubredditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können. Entdecken Sie unsere neuesten Updates.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

Theme

© 2025 Red Hat