Creating ACIs Manually (Chapter 6, Managing Access Control, page 213)
This type of filter targets whole entries. You can combine the targetfilter and targetattr keywords to create ACIs that apply only to a subset of attributes in the targeted entries.
The following LDIF example allows members of the Engineering Admins group to modify the departmentNumber and manager attributes of all entries in the Engineering business category. This example uses LDAP filtering to select all entries with businessCategory attributes set to Engineering:
dn: dc=example,dc=com
objectClass: top
objectClass: organization
aci: (targetattr="departmentNumber || manager")
(targetfilter="(businessCategory=Engineering)")
(version 3.0; acl "eng-admins-write"; allow (write)
groupdn ="ldap:///cn=Engineering Admins, dc=example,dc=com";)
Targeting Attribute Values Using LDAP Filters
You can use access control to target specific attribute values. This means that you
can grant or deny permissions on an attribute if that attribute’s value meets the
criteria defined in the ACI. An ACI that grants or denies access based on an
attribute’s value is called a value-based ACI.
For example, you might grant all users in your organization permission to modify the nsRoleDN attribute in their own entry. However, you would also want to ensure that they cannot give themselves certain key roles, such as "Top Level Administrator." LDAP filters are used to check that the conditions on attribute values are satisfied.
To create a value-based ACI, you must use the targattrfilters keyword with the following syntax:

(targattrfilters="add=attr1:F1 && attr2:F2 ... && attrn:Fn,del=attr1:F1 && attr2:F2 ... && attrn:Fn")

where:
TIP: Although using LDAP filters can be useful when you are targeting entries and attributes that are spread across the directory, the results are sometimes unpredictable because filters do not directly name the object for which you are managing access. The set of entries targeted by a filtered ACI is likely to change as attributes are added or deleted. Therefore, if you use LDAP filters in ACIs, you should verify that they target the correct entries and attributes by using the same filter in an ldapsearch operation.
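The following Python script is an added example and is not part of the Red Hat Directory Server guide or the product's own code. It models, offline, the two filtering keywords discussed above so that both the filtered ACI (targetfilter plus targetattr) and the value-based targattrfilters rule can be checked before they are loaded: it lists which sample entries and attributes the eng-admins-write ACI reaches (the TIP's ldapsearch check, done against in-memory data), and tests whether a value-based nsRoleDN rule accepts or rejects a given role DN. The directory entries, the "Top Level Administrator" role DN and the filters are constructed sample data; the assumption that a targattrfilters filter is evaluated against the value being added or deleted rather than the whole entry is stated in the code.

```python
"""Added example (not from the Red Hat Directory Server guide): an offline
model of targetfilter/targetattr reach and of targattrfilters value checks.
All entries, DNs and filters are constructed sample data."""
import re

# Constructed sample directory: DN -> {attribute: [values]}.
ENTRIES = {
    "uid=alice,ou=People,dc=example,dc=com": {
        "objectClass": ["person"], "businessCategory": ["Engineering"],
        "departmentNumber": ["1001"],
        "manager": ["uid=carol,ou=People,dc=example,dc=com"],
    },
    "uid=bob,ou=People,dc=example,dc=com": {
        "objectClass": ["person"], "businessCategory": ["Sales"],
        "departmentNumber": ["2001"],
    },
    "uid=carol,ou=People,dc=example,dc=com": {
        # caseIgnore equality matching: also selected by (businessCategory=Engineering)
        "objectClass": ["person"], "businessCategory": ["engineering"],
        "departmentNumber": ["1002"],
    },
}


def _values(entry, attr):
    """Attribute names are case-insensitive in LDAP; look up accordingly."""
    for name, vals in entry.items():
        if name.lower() == attr.lower():
            return vals
    return []


def parse_filter(text):
    """Parse an RFC 4515 filter (equality, presence, &, |, !) into a tree."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at %d in %r" % (pos, text))
        pos += 1
        if text[pos] in "&|":            # (&(...)(...)) or (|(...)(...))
            op = text[pos]
            pos += 1
            kids = []
            while text[pos] == "(":
                kids.append(node())
            pos += 1                      # closing ')'
            return (op, kids)
        if text[pos] == "!":              # (!(...))
            pos += 1
            kid = node()
            pos += 1                      # closing ')'
            return ("!", kid)
        end = text.index(")", pos)        # (attr=value); value may itself hold '='
        attr, value = text[pos:end].split("=", 1)
        pos = end + 1
        return ("=", attr.strip(), value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data in filter: %r" % text[pos:])
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against an entry with caseIgnore semantics."""
    op = tree[0]
    if op == "&":
        return all(matches(k, entry) for k in tree[1])
    if op == "|":
        return any(matches(k, entry) for k in tree[1])
    if op == "!":
        return not matches(tree[1], entry)
    _, attr, value = tree
    vals = _values(entry, attr)
    if value == "*":                      # presence filter (attr=*)
        return bool(vals)
    return any(v.lower() == value.lower() for v in vals)


def aci_reach(targetfilter, targetattr, entries=ENTRIES):
    """Which entries the targetfilter selects, and which attributes (the
    targetattr list) the ACI touches there: the TIP's ldapsearch check, offline."""
    tree = parse_filter(targetfilter)
    attrs = [a.strip() for a in targetattr.split("||")]
    return {dn: attrs for dn, e in entries.items() if matches(tree, e)}


def parse_targattrfilters(spec):
    """Split 'add=a:F && b:G,del=a:F' into {'add': {a: F, b: G}, 'del': {a: F}}.
    Splitting only at ',add=' / ',del=' keeps commas inside DN-valued filters."""
    rules = {}
    for part in re.split(r",(?=(?:add|del)=)", spec):
        op, body = part.split("=", 1)
        rules[op] = {}
        for item in re.split(r"\s*&&\s*", body):
            attr, flt = item.split(":", 1)
            rules[op][attr.strip().lower()] = flt.strip()
    return rules


def value_change_allowed(spec, op, attr, value):
    """Does the value-based rule accept adding ('add') or deleting ('del')
    attr=value? Assumption: the filter is evaluated against the single value
    being changed, modelled here as a one-attribute pseudo-entry."""
    flt = parse_targattrfilters(spec).get(op, {}).get(attr.lower())
    if flt is None:
        return True   # this rule places no condition on that operation/attribute
    return matches(parse_filter(flt), {attr: [value]})


# Constructed value-based rule for the nsRoleDN scenario: users may add or
# remove roles on themselves except the "Top Level Administrator" role DN.
ROLE_RULE = ("add=nsRoleDN:(!(nsRoleDN=cn=Top Level Administrator,dc=example,dc=com)),"
             "del=nsRoleDN:(!(nsRoleDN=cn=Top Level Administrator,dc=example,dc=com))")

if __name__ == "__main__":
    reach = aci_reach("(businessCategory=Engineering)", "departmentNumber || manager")
    for dn, attrs in reach.items():
        print("eng-admins-write reaches", dn, attrs)
    for role in ("cn=Help Desk,dc=example,dc=com",
                 "cn=Top Level Administrator,dc=example,dc=com"):
        print(role, "->", value_change_allowed(ROLE_RULE, "add", "nsRoleDN", role))
```

Note that aci_reach reports carol's entry as well as alice's even though its businessCategory value is lower-case: equality matching on caseIgnore attributes is case-insensitive, which is exactly the kind of surprise the TIP warns about and the reason to run the filter in ldapsearch against the live directory before relying on it. Against a real server the equivalent check is `ldapsearch -b dc=example,dc=com "(businessCategory=Engineering)" departmentNumber manager`.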
Source: Red Hat Directory Server Version 7.1 Administrator's Guide, May 2005, updated February 2009.