Designing Access Control
Netscape Directory Server Deployment Guide • May 2002

Using Filtered Access Control Rules

One of the more powerful features of the Directory Server ACI model is the ability to use LDAP search filters to set access control. An LDAP search filter lets you set access to any directory entry that matches a defined set of criteria.

For example, you could allow read access to any entry whose ou (organizational unit) attribute is set to Marketing.

Filtered access control rules also let you offer predefined levels of access. For example, suppose your directory contains home address and telephone number information. Some people want to publish this information, while others want to be "unlisted." You can handle this situation as follows:

• Create an attribute on every user's directory entry called publishHomeContactInfo.

• Set an access control rule that grants read access to the homePhone and homePostalAddress attributes only for entries whose publishHomeContactInfo attribute is set to TRUE (meaning enabled). Use an LDAP search filter to express the target of this rule.

• Allow directory users to change the value of their own publishHomeContactInfo attribute to either TRUE or FALSE. In this way, each directory user decides whether this information is publicly available.

For more information about using LDAP search filters, and about using LDAP search filters with ACIs, see the Netscape Directory Server Administrator's Guide.

Using ACIs: Some Hints and Tricks

The following are some ideas that you should keep in mind when you implement your security policy.
They can help to lower the administrative burden of managing your directory security model and improve your directory's performance characteristics. Some of the following hints have already been described earlier in this chapter; they are included here to provide a complete list.

• Minimize the number of ACIs in your directory.

Although Directory Server can evaluate over 50,000 ACIs, a large number of ACI statements is difficult to manage, and it makes it hard to determine immediately which directory objects are available to a particular client.
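The publishHomeContactInfo scenario from the filtered access control rules section above, written out as an added LDIF example (it is not from the Deployment Guide). It also illustrates the first hint: because the rule is targeted with a filter, two ACIs on the container cover every user, where the same policy without a filter would need one ACI per user entry. The suffix dc=example,dc=com, the ou=People container, the auxiliary object class homeContactPublisher, the "-oid" placeholder OIDs and the user uid=jdoe are assumptions for illustration; continuation lines are indented with two spaces so that one space survives LDIF line folding.

```ldif
# Constructed example, not from the Deployment Guide. Assumed names:
# dc=example,dc=com, ou=People, homeContactPublisher, uid=jdoe, *-oid OIDs.

# 1. Create the opt-in attribute (Boolean syntax) and an auxiliary object
#    class so that user entries may carry it.
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( publishHomeContactInfo-oid NAME 'publishHomeContactInfo'
  DESC 'TRUE when the user consents to publishing home contact information'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'user defined' )
-
add: objectClasses
objectClasses: ( homeContactPublisher-oid NAME 'homeContactPublisher' SUP top
  AUXILIARY MAY ( publishHomeContactInfo ) X-ORIGIN 'user defined' )
-

# 2. Grant anonymous read on the home contact attributes only for entries
#    whose publishHomeContactInfo is TRUE. The targetfilter is evaluated by
#    the server against each candidate entry, so one ACI covers all users.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "homePhone || homePostalAddress")
  (targetfilter = "(publishHomeContactInfo=TRUE)")
  (version 3.0; acl "Publish home contact info on opt-in";
  allow (read, search, compare) userdn = "ldap:///anyone";)
-
# 3. Let each user read and change only their own opt-in flag.
add: aci
aci: (targetattr = "publishHomeContactInfo")
  (version 3.0; acl "Users control home contact publication";
  allow (read, search, compare, write) userdn = "ldap:///self";)
-

# 4. An assumed user entry that opts in. Boolean values are TRUE or FALSE.
dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: homeContactPublisher
-
add: publishHomeContactInfo
publishHomeContactInfo: TRUE
-
```

Apply the file with ldapmodify bound as an administrator, then check the result from an anonymous bind: an ldapsearch for uid=jdoe requesting homePhone should return the attribute while the flag is TRUE and return the entry without it once the user sets the flag to FALSE. Two caveats. First, allow ACIs are cumulative: if the suffix already carries a broad anonymous-read ACI (for example one of the form (targetattr != "userPassword") ... allow (read, search, compare) userdn = "ldap:///anyone";), that ACI still exposes homePhone and homePostalAddress on every entry and the filtered rule adds nothing; exclude those attributes from the broad rule with targetattr != "...". Second, the second ACI grants write on publishHomeContactInfo to the entry owner only (ldap:///self); do not widen it to a group, or members could publish other people's home contact data.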