A Multinational Enterprise and its Extranet
Netscape Directory Server Deployment Guide • January 2002

The same relationship as illustrated in Figure 8-14 exists between example.com US and example.com Asia, and between example.com Europe and example.com Asia.

Security Design

example.com International builds upon its previous security design, adding the following access controls to support its new multinational intranet:

• example.com adds general ACIs to the root of the intranet, creating more restrictive ACIs in each country and in the branches beneath each country.

• example.com decides to use macro ACIs to minimize the number of ACIs in the directory. A macro stands in for a DN in the target or in the bind rule portion of the ACI. When the directory receives an LDAP operation, the macro in the target is matched against the DN of the entry the operation addresses. If there is a match, the macro in the bind rule is replaced by the matching portion of that entry's DN, so a single ACI placed at the root can express a rule such as "the administrators of a country may modify entries in that country" for every country branch at once. For more information about macro ACIs, refer to the Netscape Directory Server Administrator's Guide.

example.com adds the following access controls to support its extranet:

• example.com decides to use certificate-based authentication for all extranet activities. When people log in to the extranet, they must present a digital certificate. The directory stores the certificates, so users can also send encrypted email by looking up the recipient's public key in the directory.

• example.com creates an ACI that forbids anonymous access to the extranet. Because unauthenticated clients are granted no rights to the extranet data, it cannot be searched anonymously, which reduces the extranet's exposure to denial of service attacks.

• example.com wants updates to the directory data to come only from an example.com-hosted application. This means that partners and suppliers using the extranet can only use the tools provided by example.com. Restricting extranet users to example.com's preferred tools allows example.com administrators to use the audit logs to track the use of the directory, and it limits the types of problems that can be introduced by extranet users outside of example.com International.
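The following LDIF is an added example of how the access controls described above could be written; it is not taken from the guide and is not example.com's actual configuration. It assumes the intranet suffix is dc=example,dc=com with country branches l=US, l=Europe and l=Asia directly beneath it, that each country has an administrators group at cn=Directory Administrators,ou=Groups,l=<country>,dc=example,dc=com, that the extranet lives in a separate suffix o=extranet (so the intranet root ACIs do not apply to it), and that the hosted application binds as cn=Extranet App,ou=Applications,o=extranet. All of these DNs and the ACL names are hypothetical.

```ldif
# Added example, not from the Deployment Guide. All DNs and acl names are assumed.

# 1. General ACI at the intranet root: every authenticated user may read and
#    search. "ldap:///all" means authenticated users only; "ldap:///anyone"
#    would also include anonymous clients.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Intranet read";
  allow (read,search,compare) userdn="ldap:///all";)

# 2. One macro ACI at the root instead of one write ACI per country.
#    ($dn) in the target matches the part of the accessed entry's DN that sits
#    between the entry's own RDN and the suffix. For
#    uid=jdoe,ou=People,l=Asia,dc=example,dc=com the match is "ou=People,l=Asia".
#    The server then substitutes that value for [$dn] in the bind rule and, if
#    no such group exists, strips the leftmost RDN and tries again, so it ends
#    up at cn=Directory Administrators,ou=Groups,l=Asia,dc=example,dc=com.
#    Asia admins therefore get write access under l=Asia only, and the same
#    single ACI serves l=US and l=Europe.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///($dn),dc=example,dc=com")(targetattr="*")(version 3.0;
  acl "Country admins write their own country";
  allow (write,add,delete)
  groupdn="ldap:///cn=Directory Administrators,ou=Groups,[$dn],dc=example,dc=com";)

# 3. Extranet suffix (assumed separate from the intranet suffix).
#    - No ACI names "ldap:///anyone", so anonymous clients get nothing; access
#      in Directory Server is denied unless an ACI allows it.
#    - authmethod="ssl" requires the client to have bound over SSL with a
#      client certificate, which enforces the certificate-based login.
#    - Write, add and delete are allowed only to the hosted application's
#      bind DN, so partner tools cannot update the data directly.
dn: o=extranet
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Extranet certificate users read";
  allow (read,search,compare) userdn="ldap:///all" and authmethod="ssl";)
-
add: aci
aci: (targetattr="*")(version 3.0; acl "Extranet hosted application writes";
  allow (write,add,delete)
  userdn="ldap:///cn=Extranet App,ou=Applications,o=extranet"
  and authmethod="ssl";)
```

Two checks are worth running after loading this: bind anonymously against o=extranet and confirm a base search returns no entries, and bind as a certificate-authenticated partner and confirm a modify is rejected with insufficient access while the same modify succeeds for the application's bind DN. Note that the Deployment Guide's own audit trail argument depends on the second check holding: if any other ACI under o=extranet grants write, the restriction is silently lost.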