What is access control?
Access control lets you determine who can access the administration server and which servers and forms (also called programs) they can access. You can use two attributes for controlling access: User-Group authentication and Host-IP authentication.
User-Group authentication
Users are prompted for a username and password when authenticating themselves to the server. If your server doesn't use SSL encryption, the username and password that the end user types are sent unencrypted across the network. Someone could intercept the network packets and read the username and password being sent to the administration server. For this reason, User-Group authentication is most effective when combined with SSL encryption or Host-IP authentication, or both.
Host-IP authentication
You can limit access to forms on your administration server by making them available only to people using specific computers. You specify hostnames or IP addresses for the computers that you want to allow or deny. You can use wildcard patterns to specify multiple computers or entire networks. If you want to use this feature, you must have DNS running in your network and your computer must be configured to use it.
It's possible for more than one person to have access to a particular computer. For this reason, Host-IP authentication is most effective when combined with User-Group authentication. If both methods of authentication are used, the end user will have to enter a username and password before getting access.
Access control files
When you use access control on your administration server, the settings are stored in a file with the extension .acl. Access control files are stored in the directory <server_root>/<server_type>acl, where <server_type> is the name of the server. For example, the administration server uses the directory adminacl, and Netscape Enterprise Server uses httpacl.
The administration server uses three ACL files, all located in the directory <server_root>/adminacl:
admin-defaults.acl is the first level of access control. This file contains the restrictions set using the distributed administration form. That is, it contains the administrators group information.
admin-serv.acl is the main ACL file for the administration server. It contains any restrictions you set up using the Restrict Access forms.
user-environment.acl is the ACL file that determines access for end users. There is no way to edit this file from the administration server forms. By default, this file gives access to the end-user forms to anyone in the LDAP directory or local database (depending on which one your administration server uses).
The other servers installed in the server root have their own ACL files, for example https-www.acl.
For example, an admin-serv.acl file might look like this:
Version 3.0;
acl "admin-serv"
deny with file = "/usr/suitespot/adminacl/admin-denymsg.html";
deny (all)
(user = "anyone");
deny absolute (all)
group != "admin";
allow (all)
(group = "admin-reduced") and
(program = "Admin Preferences");
The first line that starts with "deny" tells the server what file to return if a user isn't allowed access to the server. The second deny rule denies everyone access, but because the rule isn't absolute (like the next one), the server continues down the list to see if the user is allowed in a subsequent line. The third line is an absolute statement that denies anyone who isn't in the "admin" group in the LDAP directory. In this case, the "admin" group is the group specified for distributed administration. The last rule explicitly allows access to the forms in the Admin Preferences section of the administration server to anyone in the "admin-reduced" group.
To restrict access, choose admin-serv from the drop-down list to set up access control for the administration server. The drop-down list contains an entry for each 3.x server you have installed in the server root. For each field in the rule, check the options you want, and then click Update. To restrict a rule to particular forms, type their names (for example, distacl) in the Program Items field. For more information, see the "Access to programs" section later in this chapter. Click Update to add the program options to the rules for the line you're editing.
Specifying users and groups
You can restrict access to your administration server based on the user who requests a form. The administration server uses a list of users in the administrators group (the group you set up for distributed administration) to determine access rights for the user requesting a resource. The list of users is stored either in a database on the server computer or in an LDAP server, such as Netscape Directory Server. You should make sure the database has users and the administrators group in it before you set access control.
You can allow or deny access to everyone in the administrators group, or you can allow or deny specific people by using wildcard patterns or lists of users.
To configure access control with users and groups, follow the general directions for restricting access. When you click the Users/Groups field, a form appears in the bottom frame with the options for allowing or denying users and groups.
Specifying hosts
You can also allow access only from particular hosts, for example those matching *.netscape.com. This setting doesn't affect the Host/IP setting for the administration server's superuser. That is, you can set different hostnames and IP addresses that the superuser must use when accessing the administration server.
To specify users from hostnames or IP addresses, follow the general directions for restricting access. When you click the From Host field (the link called anyplace), a form appears in the bottom frame. Check the Only from option and then type either a wildcard pattern or a comma-separated list of hostnames and IP addresses. Restricting by hostname is more flexible than by IP address--if a user's IP address changes, you won't have to update this list. Restricting by IP address, however, is more reliable--if a DNS lookup fails for a connected client, hostname restriction cannot be used.
The hostnames and IP addresses should be specified with a wildcard pattern or a comma-separated list. The wildcard notations you can use are specialized; you can only use the *. Also, for the IP address, the * must replace an entire byte in the address. That is, 198.95.251.* is acceptable, but 198.95.251.3* is not. When the * appears in an IP address, it must be the right-most character. For example, 198.* is acceptable, but 198.*.251.30 is not.
For hostnames, the * must also replace an entire component of the name. That is, *.netscape.com is acceptable, but *sers.netscape.com is not. When the * appears in a hostname, it must be the left-most character. For example, *.netscape.com is acceptable, but users.*.com is not.
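The following added example (not code from the Netscape documentation) validates Only from patterns against the wildcard rules above and matches a connecting client against a comma-separated list; it assumes a pattern made only of digits, dots and * is an IP pattern, that a leading * in a hostname stands for one or more components, and that hostname patterns cannot apply when the client's DNS lookup failed.

```python
import re
from typing import Optional

OCTET = re.compile(r"^(25[0-5]|2[0-4]\d|1?\d?\d)$")   # one byte, 0-255
LABEL = re.compile(r"^[a-z0-9-]+$")                   # one literal hostname component

def is_ip_pattern(p: str) -> bool:
    # Assumption: anything made only of digits, dots and '*' is an IP pattern.
    return re.fullmatch(r"[\d.*]+", p) is not None

def valid_ip_pattern(p: str) -> bool:
    """1-4 dot-separated parts; only the last may be '*', and '*' must stand for a
    whole byte, so 198.95.251.* and 198.* pass but 198.95.251.3* and 198.*.251.30 fail."""
    parts = p.split(".")
    if not 1 <= len(parts) <= 4 or not all(OCTET.match(x) for x in parts[:-1]):
        return False
    return parts[-1] == "*" or (len(parts) == 4 and OCTET.match(parts[-1]) is not None)

def valid_host_pattern(p: str) -> bool:
    """'*' may only be the whole left-most component, so *.netscape.com passes
    but *sers.netscape.com and users.*.com fail."""
    parts = p.lower().split(".")
    rest = parts[1:] if parts[0] == "*" else parts
    return all(LABEL.match(x) for x in rest)

def pattern_matches(p: str, client_ip: str, client_host: Optional[str]) -> bool:
    if is_ip_pattern(p):
        want, have = p.split("."), client_ip.split(".")
        if want[-1] == "*":                 # prefix match on whole bytes only
            return have[: len(want) - 1] == want[:-1]
        return have == want
    if client_host is None:                 # DNS lookup failed: hostname rules can't apply
        return False
    want, have = p.lower().split("."), client_host.lower().split(".")
    if want[0] == "*":                      # assumption: '*' = one or more leading components
        return len(have) > len(want) - 1 and have[len(have) - len(want) + 1:] == want[1:]
    return have == want

def allowed_from(spec: str, client_ip: str, client_host: Optional[str] = None) -> bool:
    """spec is the comma-separated list typed into the Only from field.
    An invalid pattern raises instead of silently matching nothing."""
    for p in (x.strip() for x in spec.split(",")):
        valid = valid_ip_pattern(p) if is_ip_pattern(p) else valid_host_pattern(p)
        if not valid:
            raise ValueError(f"invalid pattern: {p!r}")
        if pattern_matches(p, client_ip, client_host):
            return True
    return False
```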
Access to programs
You can select areas of the administration server that administrators can access. You can choose groups of forms that appear in the top frame of the Server Manager (such as Cluster Management), or you can choose specific forms that appear as links in the left frame of the Server Manager (such as "New User" under User & Groups).
Access to programs affects the server you choose when restricting access. For example, if your administration server contains a Netscape Enterprise Server and a Netscape Collabra Server, you choose the server you want to restrict, and then you set up the access control rules for that server. In this case, you could allow some administrators to configure agents in the Netscape Enterprise Server, and then you could allow a different set of administrators to configure newsgroups in the Netscape Collabra Server.
To control access to a program in a server, type the names of the forms you want to restrict in the Program Items field. To determine the name of a form, place your pointer over the link in the left frame of the Server Manager and then view the text in the status bar of your browser. The last word after the + is the name for that form. For example, you would type dsconfig in the Program Items field.
Writing customized expressions
You can enter custom expressions for an ACL. You can use this feature if you are familiar with the syntax and structure of ACL files. There are a few features available only by editing the ACL file or creating custom expressions. For example, you can restrict access to your server depending on the time of day, day of the week, or both.
The following customized expression shows how you could restrict access by time of day and day of the week. This example assumes you have two groups in your LDAP directory: the "regular" group gets access Monday through Friday, 8:00am to 5:00pm. The "critical" group gets access all the time.
allow (read)
{
(group=regular and dayofweek="mon,tue,wed,thu,fri");
(group=regular and (timeofday>=0800 and timeofday<=1700));
(group=critical)
}
For more information on valid syntax and ACL files, see the online help.
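As an added illustration (not part of the Netscape documentation or server code), the following model evaluates rules the way the admin-serv example above describes, a non-absolute deny that later rules can override and an absolute deny that ends evaluation, and encodes both that ACL and the intent of the time-of-day expression; the Request and Rule classes are hypothetical.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, List

@dataclass
class Request:
    """What the server knows when it evaluates an ACL (hypothetical model)."""
    user: str
    groups: FrozenSet[str]
    program: str = ""
    dayofweek: str = "mon"    # three-letter day, as in the ACL syntax
    timeofday: int = 1200     # HHMM as an integer, as in the ACL syntax

@dataclass
class Rule:
    action: str                        # "allow" or "deny"
    absolute: bool                     # "deny absolute" ends evaluation when it matches
    matches: Callable[[Request], bool]

def evaluate(rules: List[Rule], req: Request) -> str:
    """Walk the rules in order. A matching non-absolute rule sets the current
    decision but evaluation continues, so a later allow can override an earlier
    deny; a matching absolute rule is final. No match at all means deny."""
    decision = "deny"
    for rule in rules:
        if rule.matches(req):
            decision = rule.action
            if rule.absolute:
                break
    return decision

# The admin-serv ACL from the text, with each expression written as a predicate.
ADMIN_SERV = [
    Rule("deny", False, lambda r: True),                        # (user = "anyone")
    Rule("deny", True, lambda r: "admin" not in r.groups),      # deny absolute, group != "admin"
    Rule("allow", False, lambda r: "admin-reduced" in r.groups  # (group = "admin-reduced") and
                                   and r.program == "Admin Preferences"),
]

# The customized expression, encoding the intent stated in the text: the
# "regular" group Monday-Friday 08:00-17:00, the "critical" group at any time.
WEEKDAYS = {"mon", "tue", "wed", "thu", "fri"}
TIMED_READ = [
    Rule("deny", False, lambda r: True),
    Rule("allow", False, lambda r: "critical" in r.groups or (
        "regular" in r.groups and r.dayofweek in WEEKDAYS and 800 <= r.timeofday <= 1700)),
]

def admin_serv_decision(req: Request) -> str:
    return evaluate(ADMIN_SERV, req)

def timed_read_decision(req: Request) -> str:
    return evaluate(TIMED_READ, req)
```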
Turning access control on and off
You can turn on access control depending on the server an administrator accesses. You could create and turn on access-control for a specific server on your computer and leave it off (default) for any other servers. For example, you could deny all access to the administration server's Server Manager forms only. With distributed administration on and access control off by default for any other servers, administrators could still access and configure the other servers, but they couldn't configure the administration server itself.
This access control is in addition to the user being in the administrators group set for distributed administration. The administration server first checks that a user (other than superuser) is in the administrators group, and then it evaluates the access-control rules.
Responding when access is denied
You can choose the response a user sees when they are denied access. You can vary the message for each access-control object. By default, the user is sent a message that says the file wasn't found (the HTTP error code 404 Not Found is also sent).
To change what message is sent for a particular ACL: