Home > Articles > Operating Systems, Server > Solaris

This chapter is from the book

LDAP Security Model

Access to LDAP entries on the server is protected by the rights established for the authenticated user. The rights can be assigned at the container, object, or attribute level. A portion of the DIT can be assigned stricter (or looser) control than other parts of the DIT. All entries of the same object class type can be assigned the same control. Control can also be established at the attribute level to protect certain information. For example, an employee's password might have restricted access, while other information is available to everyone.

The mechanism used to assign access rights is called the access control instruction (ACI). A single ACI can protect the entire DIT, or several can be used to provide finer-grained protection. When multiple ACIs are created, the ACIs specifying deny access takes precedence. For example, if access is granted to everyone at the top level of the DIT but denied access to ou=Contractors, then the permissions set for ou=Contractors is enforced.


ACIs are not defined in the LDAP v3 standard. Currently, each LDAP directory implementation has its own representation of ACIs.

Chapter 9, "Preventive Maintenance" discusses how ACIs are created and provides a more in-depth explanation of how they work. Establishing the correct ACI is critical to configuring the iPlanet Directory Server to support native Solaris LDAP, so Chapter 5, "Solaris 8 Native LDAP Configuration" provides examples. Note that the ACI syntax is not part of the LDAP specification, so the examples are specific to the iPlanet Directory Server implementation.

  • + Share This
  • 🔖 Save To Your Account