Chapter 6. Managing Access Control
attributeX is the name of the targeted attribute. For example, this targets the common name (cn) attribute:
(targetattr = "cn")
To target an entry's common name, surname, and UID attributes, use the following:
(targetattr = "cn || sn || uid")
The attributes specified in the targetattr keyword apply to the entry that the ACI is targeting and to all the entries below it. If you target the password attribute on the entry uid=bjensen,ou=Marketing,dc=example,dc=com, only the password attribute on the bjensen entry is affected by the ACI because it is a leaf entry.
If, however, you target the tree's branch point ou=Marketing,dc=example,dc=com, then all the entries beneath the branch point that can contain a password attribute are affected by the ACI.
6.3.2.3. Targeting Both an Entry and Attributes
By default, the entry targeted by an ACI containing a targetattr keyword is the entry on which the ACI is placed. That is, putting an ACI such as aci: (targetattr = "uid")(access_control_rules;) on the ou=Marketing,dc=example,dc=com entry means that the ACI applies to the entire Marketing subtree. However, you can also explicitly specify a target using the target keyword:
aci: (target="ldap:///ou=Marketing,dc=example,dc=com")(targetattr="uid")(access_control_rules;)
The order in which you specify the target and the targetattr keywords is not important.
6.3.2.4. Targeting Entries or Attributes Using LDAP Filters
You can use LDAP filters to target a group of entries that match certain criteria. To do this, you must use the targetfilter keyword with an LDAP filter. The syntax of the targetfilter keyword is as follows:
(targetfilter = "LDAP_filter")
LDAP_filter is a standard LDAP search filter. For more information on the syntax of LDAP search filters, see Appendix B, Finding Directory Entries.
For example, suppose that all entries in the accounting department include the attribute-value pair ou=accounting, and all entries in the engineering department include the attribute-value pair ou=engineering. The following filter targets all the entries in the accounting and engineering branches of the directory tree:
(targetfilter = "(|(ou=accounting)(ou=engineering))")
This type of filter targets whole entries. You can associate the targetfilter and the targetattr keywords to create ACIs that apply to a subset of attributes in the targeted entries.
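
When reviewing ACIs it helps to check mechanically which entries and attributes a set of target clauses covers. The following is an added example, not code from this guide or from Directory Server: it applies the default-target, subtree, targetattr and targetfilter rules described above to one entry. The function names, the simplified DN comparison, the restriction to "=" clauses and to filters built from &, |, ! and equality, and the permission rule in the sample ACI are all assumptions of the example.

```python
import re

# One target clause at a time: (target="..."), (targetattr="..."), (targetfilter="...")
CLAUSE = re.compile(r'\(\s*(target|targetattr|targetfilter)\s*=\s*"([^"]*)"\s*\)')

def norm(dn):
    """Simplified DN normalisation: lower-case, no spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def eval_filter(flt, entry):
    """Evaluate a filter built from &, |, ! and equality tests only."""
    inner = flt.strip()[1:-1]
    if inner[0] not in "&|!":
        attr, value = inner.split("=", 1)
        return value.lower() in [v.lower() for v in entry.get(attr.lower(), [])]
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(inner):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(inner[start:i + 1])
    results = [eval_filter(p, entry) for p in parts]
    if inner[0] == "!":
        return not results[0]
    return all(results) if inner[0] == "&" else any(results)

def aci_targets(aci, placed_on, dn, attr, entry):
    """True if the ACI's target clauses cover attribute `attr` of entry `dn`.

    placed_on: DN of the entry holding the aci value (the default target).
    entry: dict of lower-case attribute name -> list of values for `dn`.
    """
    found = dict(CLAUSE.findall(aci))
    base = found.get("target", "ldap:///" + placed_on)[len("ldap:///"):]
    dn, base = norm(dn), norm(base)
    if dn != base and not dn.endswith("," + base):
        return False  # outside the targeted entry and its subtree
    if "targetfilter" in found and not eval_filter(found["targetfilter"], entry):
        return False  # entry does not match the LDAP filter
    attrs = [a.strip().lower() for a in found.get("targetattr", "").split("||")]
    return attr.lower() in attrs

# Constructed sample: the page's target clauses plus a made-up permission rule.
RULE = '(version 3.0; acl "constructed sample"; allow (read) userdn="ldap:///anyone";)'
ACI = ('(targetattr = "cn || sn || uid")'
       '(targetfilter = "(|(ou=accounting)(ou=engineering))")' + RULE)
```

Calling aci_targets(ACI, "ou=Marketing,dc=example,dc=com", ...) for an entry under that branch answers true only when the entry matches the filter and the attribute is one of cn, sn or uid.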