- Evolution of Solaris Naming Services
- NIS and Files Coexistence
- NIS and DNS Coexistence
- Solaris Naming Service Switch
- Solaris Naming Service Switch Architecture
- NIS Architecture Overview
- NIS Client Server Architecture
- How NIS Clients Bind to the NIS Server
- NIS Maps
- NIS High Availability Architecture Features
- NIS+ Architecture Overview
- NIS+ Client Server Architecture
- How NIS+ Clients Bind to the NIS+ Server
- NIS+ Tables
- NIS+ Interaction with DNS
- NIS+ High Availability Architecture Features
- Solaris DNS Architecture Overview
- DNS Client Architecture
- DNS Server Architecture
- DNS High Availability Features
- LDAP Architecture Overview
- LDAP Information Model
- LDAP Naming Model
- LDAP Functional Model
- LDAP Security Model
- LDAP Replication
- Comparison with Legacy Naming Services
LDAP Security Model
Access to LDAP entries on the server is protected by the rights established for the authenticated user. The rights can be assigned at the container, object, or attribute level. A portion of the DIT can be assigned stricter (or looser) control than other parts of the DIT. All entries of the same object class type can be assigned the same control. Control can also be established at the attribute level to protect certain information. For example, an employee's password might have restricted access, while other information is available to everyone.
The mechanism used to assign access rights is called the access control instruction (ACI). A single ACI can protect the entire DIT, or several can be used to provide finer-grained protection. When multiple ACIs are created, the ACIs specifying deny access takes precedence. For example, if access is granted to everyone at the top level of the DIT but denied access to ou=Contractors, then the permissions set for ou=Contractors is enforced.
ACIs are not defined in the LDAP v3 standard. Currently, each LDAP directory implementation has its own representation of ACIs.
Chapter 9, "Preventive Maintenance" discusses how ACIs are created and provides a more in-depth explanation of how they work. Establishing the correct ACI is critical to configuring the iPlanet Directory Server to support native Solaris LDAP, so Chapter 5, "Solaris 8 Native LDAP Configuration" provides examples. Note that the ACI syntax is not part of the LDAP specification, so the examples are specific to the iPlanet Directory Server implementation.