Designing Access Control

Chapter 8 Designing a Secure Directory 177

• Compare — Indicates whether the data may be used in comparison operations. Compare implies the ability to search, but no directory information is returned as a result of the search. Instead, a simple Boolean value is returned that indicates whether the compared values match. This is used to match userPassword attribute values during directory authentication. Note that a Compare right on userPassword still lets the holder test candidate passwords one at a time, so it should not be granted more widely than authentication requires.
• Self-write — Used only for group management. This permission allows users to add themselves to, or delete themselves from, a group.
• Add — Indicates whether child entries can be created. This permission allows a user to create child entries beneath the targeted entry.
• Delete — Indicates whether an entry can be deleted. This permission allows a user to delete the targeted entry.
• Proxy — Indicates that the user can use any other DN, except Directory Manager, to access the directory with the rights of that DN.

Bind Rules

The bind rule usually indicates the bind DN subject to the permission. It can also specify bind attributes such as time of day or IP address.

Bind rules make it easy to express that the ACI applies only to a user's own entry. You can use this to allow users to update their own entries without running the risk of a user updating another user's entry.

Using bind rules, you can indicate that the ACI is applicable:

• Only if the bind operation arrives from a specific IP address or DNS hostname. This is often used to force all directory updates to occur from a given machine or network domain.
• If the person binds anonymously. Setting a permission for anonymous bind also means that the permission applies to anyone who binds to the directory, authenticated or not.
• For anyone who successfully binds to the directory. This allows general access while preventing anonymous access.
• Only if the client has bound as the immediate parent of the entry.
• Only if the entry as which the person has bound meets specific LDAP search criteria.

The following keywords are provided to help you more easily express these kinds of access:
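As an added worked example, not from this chapter and not Directory Server's own code, the Python below models how the bind-rule conditions just listed are evaluated against a bound client: a user's own entry, the immediate parent, anonymous versus authenticated binds, a filter on the bound entry, and IP or DNS restrictions. The ACI keyword values quoted in the comments (userdn = "ldap:///self", "ldap:///parent", "ldap:///anyone", "ldap:///all", a userdn LDAP URL carrying a search filter, and ip = / dns =) are the classic Netscape/Sun Directory Server syntax. The CIDR notation for IP restrictions, the naive comma-splitting of DNs, and the sample DNs, addresses and hostnames are assumptions made for the example.

```python
"""Model of Directory Server bind-rule evaluation (added illustration, not
the server's code). Assumptions: IP restrictions are CIDR networks rather
than the server's wildcard patterns; DNs contain no escaped commas."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


def normalize_dn(dn: str) -> str:
    """Canonical form for DN comparison: lower-case, no blanks around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parent_dn(dn: str) -> str:
    """Immediate parent of a DN (everything after the first RDN)."""
    return ",".join(dn.split(",")[1:])


@dataclass
class BindContext:
    """What the server knows about the client after the bind operation."""
    bind_dn: Optional[str]          # None models an anonymous bind
    client_ip: str
    client_host: str
    bound_entry: dict = field(default_factory=dict)   # attributes of the bind entry


@dataclass
class BindRule:
    """One bind rule. 'subject' stands for the userdn keyword value:
    self   -> userdn = "ldap:///self"
    parent -> userdn = "ldap:///parent"
    anyone -> userdn = "ldap:///anyone"   (includes anonymous binds)
    all    -> userdn = "ldap:///all"      (any authenticated bind)
    filter -> userdn = "ldap:///ou=People,dc=example,dc=com??sub?(department=eng)"
    """
    subject: str
    attr_filter: dict = field(default_factory=dict)   # equality filter, subject "filter"
    ip_allow: list = field(default_factory=list)      # models ip = "..."  (CIDR here)
    dns_allow: list = field(default_factory=list)     # models dns = "*.corp.example.com"


def subject_matches(rule: BindRule, ctx: BindContext, target_dn: str) -> bool:
    if rule.subject == "anyone":
        return True                         # a grant to anonymous reaches everyone
    if ctx.bind_dn is None:
        return False                        # every other subject needs a real bind
    if rule.subject == "all":
        return True
    if rule.subject == "self":
        return normalize_dn(ctx.bind_dn) == normalize_dn(target_dn)
    if rule.subject == "parent":
        return normalize_dn(ctx.bind_dn) == normalize_dn(parent_dn(target_dn))
    if rule.subject == "filter":
        # The filter is evaluated on the entry the client bound as, not the target
        return all(ctx.bound_entry.get(k) == v for k, v in rule.attr_filter.items())
    raise ValueError(f"unknown bind-rule subject {rule.subject!r}")


def network_matches(rule: BindRule, ctx: BindContext) -> bool:
    ip_ok = not rule.ip_allow or any(
        ip_address(ctx.client_ip) in ip_network(net) for net in rule.ip_allow)
    host = ctx.client_host.lower()
    dns_ok = not rule.dns_allow or any(
        host == pat.lower() or (pat.startswith("*.") and host.endswith(pat[1:].lower()))
        for pat in rule.dns_allow)
    return ip_ok and dns_ok


def bind_rule_applies(rule: BindRule, ctx: BindContext, target_dn: str) -> bool:
    """True when the ACI carrying this bind rule applies to the operation."""
    return subject_matches(rule, ctx, target_dn) and network_matches(rule, ctx)


def demo() -> dict:
    """Constructed bind contexts and rules; returns which rules would apply."""
    people = "ou=People,dc=example,dc=com"
    alice_dn, bob_dn = f"uid=alice,{people}", f"uid=bob,{people}"
    alice = BindContext(alice_dn, "10.0.0.5", "ws1.corp.example.com", {"department": "eng"})
    admin = BindContext(people, "10.0.0.5", "ws1.corp.example.com")   # bound as the parent
    anon = BindContext(None, "203.0.113.9", "unknown")
    return {
        "anyone_anon": bind_rule_applies(BindRule("anyone"), anon, bob_dn),
        "all_anon": bind_rule_applies(BindRule("all"), anon, bob_dn),
        "all_alice": bind_rule_applies(BindRule("all"), alice, bob_dn),
        "self_own": bind_rule_applies(BindRule("self"), alice, alice_dn),
        "self_other": bind_rule_applies(BindRule("self"), alice, bob_dn),
        "parent_ok": bind_rule_applies(BindRule("parent"), admin, bob_dn),
        "parent_not": bind_rule_applies(BindRule("parent"), alice, bob_dn),
        "eng_filter": bind_rule_applies(BindRule("filter", {"department": "eng"}), alice, bob_dn),
        "ip_ok": bind_rule_applies(BindRule("all", ip_allow=["10.0.0.0/8"]), alice, bob_dn),
        "ip_denied": bind_rule_applies(BindRule("anyone", ip_allow=["10.0.0.0/8"]), anon, bob_dn),
        "dns_ok": bind_rule_applies(BindRule("all", dns_allow=["*.corp.example.com"]), alice, bob_dn),
    }


if __name__ == "__main__":
    for name, applies in demo().items():
        print(f"{name:12} {applies}")
```

The two results worth dwelling on are "anyone_anon" versus "all_anon": a right granted to the anonymous subject is held by every client, while "ldap:///all" excludes anonymous binds, which is the distinction the list above draws. The "self_other" and "parent_not" results show the same rule denying access once the bound DN is not the target entry (or its immediate parent), which is what makes a self-write ACI safe to grant broadly.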