Directory-Specific Access Control Implementation
All three supported directories (that is, DirX, OpenLDAP, and Sun ONE) have complex mechanisms for controlling access, depending on the user bound to the directory.
DirX stores the access control lists in subentries that conform to the X.500 standard. You create the access control subentries by using the DirX client dirxcp. These access control subentries are replicated in a shadowing scenario.
OpenLDAP defines the access control list statically within the LDAP server configuration file umc.slapd.conf. In the case of replication, you must manually copy the access control lists into the configuration file of the slave directory.
Sun ONE stores the access control lists in the directory. Sun ONE extends the standard object class top by the optional attribute aci, which is used to store the access control lists. This means that the access control information (ACI) can be added through LDAP. The aci values are replicated to the slave directory.
DirX Directory Server
DirX access control information is stored in subentries that are from the type subentry and acceSDXontrolSubentry. These subentries include the information about the target (that is, what is controlled), precedence (that is, higher precedence overwrites lower precedence), and the access control information (that is, prescriptive ACI) that includes the user class (that is, who is affected by the control parameters) and the permissions on entry and attribute level.
Access control subentries can contain many prescriptive ACIs with a list of one or more items to be protected, such as entries and sets of operation or user attributes.
The UMCdirxa package includes a TCL file, called acldefs.tcl, which defines the following variables for the permissions:
- DAER—Deny read access on entry level
- AER—Grant read access on entry level
- AEM—Grant full access on entry level
- AEME—Grant modify access on entry level
- DAAR—Deny read access on attribute level
- AAR—Grant read rights on attribute level
- AAM—Grant modify rights on attribute level
The UMCdirxa package includes the file access.cp, which sets the access controls for the SDX software.
Figure 31 shows a TCL script with an explanation of the various parts.
OpenLDAP Directory Server
The OpenLDAP access controls are configured in the LDAP server configuration file umc.slapd.conf. The precedence of the access controls is governed by the order of appearance of the access control list in the umc.slapd.conf file. Whenever the target of the user class is fulfilled, OpenLDAP ignores the remaining access control entries. Many user classes can be added to an access control list for a target.
 |
NOTE: OpenLDAP requires write access to a parent to create a new entry. |
Because of this requirement, OpenLDAP requires more than one access control definition to implement the same access rights as in the DirX example.
Figure 32 shows a umc.slapd.conf file with an explanation of the various parts.
Sun ONE Directory Server
Access control information is stored in the aci attribute of each directory entry. Because the access control information is stored in the directory, it can be managed by means of LDIF files.
aci: (<target>) (version 3.0;aci "<name>";<permission><bind rule>;)
<target> defines the object, attribute, or filter that you are using to define what resource to control access to. The target can be a distinguished name, one or more attributes, and/or a single LDAP filter.
version 3.0 is a required string that identifies the ACI version.
aci "<name>" is a name for the ACI. <name> can be any string that identifies the ACI. The ACI name is required.
<permission> defines the actual access rights and whether they are to be allowed or denied.
<bind rules> identify the circumstances under which the directory login must occur for the ACI to take effect.
The UMCiDSa package includes the LDIF file access.ldif, which implements the SDX access control scheme.
Figure 33 shows the LDIF file for implementing the same kind of access level as previously depicted with a Sun ONE directory.
