Access Control Usage Examples
236 Netscape Directory Server Administrator's Guide • May 2002

   b. In the attribute table, tick the checkboxes for the homePhone, homePostalAddress, and mail attributes. All other checkboxes should be clear. This task is made easier if you click the Check None button to clear the checkboxes for all attributes in the table, then click the Name header to sort them alphabetically, and select the appropriate ones.

6. If you want users to authenticate using SSL, switch to manual editing by clicking the Edit Manually button and add authmethod=ssl to the LDIF statement so that it reads as follows:

   (targetattr="homePostalAddress || homePhone || mail") (version 3.0; acl "Write Subscribers"; allow (write) (userdn="ldap:///self") and authmethod="ssl";)

7. Click OK.

   The new ACI is added to the ones listed in the Access Control Manager window.

Restricting Access to Key Roles

You can use role definitions in the directory to identify functions that are critical to your business, the administration of your network and directory, or another purpose.

For example, you might create a superAdmin role by identifying a subset of your system administrators that are available at a particular time of day and day of the week at corporate sites worldwide. Or you might want to create a First Aid role that includes all members of staff on a particular site that have done first aid training. For information on creating role definitions, refer to "Using Roles," on page 162.

When a role gives any sort of privileged user rights over critical corporate or business functions, you should consider restricting access to that role. For example, at example.com, employees can add any role to their own entry, except the superAdmin role. This is illustrated in the ACI "Roles" example.

ACI "Roles"

In LDIF, to grant example.com employees the right to add any role to their own entry, except the superAdmin role, you would write the following statement:

aci: (targetattr = "nsRoleDN")(targattrfilters="add=nsRoleDN:(!(nsRoleDN=cn=superAdmin,dc=example,dc=com))") (version 3.0; acl "Roles"; allow (write) userdn="ldap:///self" and dns="*.example.com";)
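The following Python is an added example and is not part of the guide or of Directory Server itself. It models the decision logic the two ACIs on this page express (the "Write Subscribers" ACI with authmethod="ssl" from step 6, and the "Roles" ACI with its targattrfilters clause), so that you can see which requests each ACI grants before deploying it: the bind rule conditions are ANDed, userdn="ldap:///self" never matches an anonymous bind, and with targattrfilters every value being added must satisfy the filter, so a modify that adds a permitted role together with superAdmin is refused as a whole. The Request and Aci classes, the sample entry DNs and the host names are constructed for the example; DN and filter matching are simplified (whole-string case folding, wildcard host matching), and ACI precedence and deny rules are not modelled.

```python
"""Illustrative model of how the two ACIs on this page are evaluated.
Not Directory Server code: a simplified evaluator for the bind rules and
targattrfilters semantics described in the text (default deny, no ACI
precedence, no deny rules)."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Optional


def norm_dn(dn: str) -> str:
    """Simplified DN normalisation: case-fold and strip whitespace around RDNs.
    (Real DN matching also handles escaping and attribute-type OIDs.)"""
    return ",".join(part.strip().lower() for part in dn.split(","))


@dataclass
class Request:
    bind_dn: str                 # DN the client bound as; "" means anonymous
    target_dn: str               # entry being modified
    attr: str                    # attribute the modify touches
    added_values: tuple          # values a MOD_ADD adds to that attribute
    client_host: str = ""        # reverse-resolved client host name (for dns=)
    auth_method: str = "simple"  # bind method (for authmethod=)


@dataclass
class Aci:
    name: str                                  # acl "..."
    target_attrs: frozenset                    # (targetattr="a || b || c")
    self_only: bool = True                     # userdn="ldap:///self"
    dns_pattern: Optional[str] = None          # dns="*.example.com"
    auth_method: Optional[str] = None          # authmethod="ssl"
    # targattrfilters="add=<attr>:(!(<attr>=<dn>))", modelled as DNs that
    # may NOT be added to <attr> (keyed by lower-case attribute name)
    excluded_add: dict = field(default_factory=dict)

    def grants(self, req: Request) -> bool:
        if req.attr.lower() not in {a.lower() for a in self.target_attrs}:
            return False  # this ACI does not target the attribute at all
        if not req.bind_dn:
            return False  # userdn="ldap:///self" cannot match an anonymous bind
        if self.self_only and norm_dn(req.bind_dn) != norm_dn(req.target_dn):
            return False  # bound user is not the entry being written
        if self.dns_pattern and not fnmatch(req.client_host.lower(),
                                            self.dns_pattern.lower()):
            return False  # "and dns=..." clause fails
        if self.auth_method and req.auth_method.lower() != self.auth_method.lower():
            return False  # "and authmethod=..." clause fails
        excluded = {norm_dn(d) for d in self.excluded_add.get(req.attr.lower(), ())}
        # targattrfilters: every added value must pass the filter; a single
        # excluded value denies the whole modify
        return all(norm_dn(v) not in excluded for v in req.added_values)


# The ACI from step 6 of the procedure above
WRITE_SUBSCRIBERS = Aci(
    name="Write Subscribers",
    target_attrs=frozenset({"homePostalAddress", "homePhone", "mail"}),
    auth_method="ssl",
)

# The ACI "Roles" shown above
ROLES = Aci(
    name="Roles",
    target_attrs=frozenset({"nsRoleDN"}),
    dns_pattern="*.example.com",
    excluded_add={"nsroledn": ("cn=superAdmin,dc=example,dc=com",)},
)

ACIS = (WRITE_SUBSCRIBERS, ROLES)


def permitted(req: Request, acis=ACIS) -> bool:
    """Default deny: the write succeeds only if some ACI grants it."""
    return any(aci.grants(req) for aci in acis)


if __name__ == "__main__":
    # Constructed sample entry and hosts, not from the guide
    me = "uid=bjensen,ou=People,dc=example,dc=com"
    first_aid = "cn=FirstAid,dc=example,dc=com"
    super_admin = "cn=superAdmin,dc=example,dc=com"
    print(permitted(Request(me, me, "nsRoleDN", (first_aid,), "ws12.example.com")))
    print(permitted(Request(me, me, "nsRoleDN", (first_aid, super_admin), "ws12.example.com")))
    print(permitted(Request(me, me, "mail", ("bjensen@example.com",), auth_method="ssl")))
```

Running the block prints True, False, True: a First Aid role may be added from an example.com host, the same request is refused once superAdmin is among the added values, and the mail attribute is writable only over an SSL bind. To check an ACI you are about to deploy, add its target attributes, bind-rule conditions and excluded values as a further Aci instance and run the requests you expect to be allowed and refused.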