Scenario: (row continued from the previous page)
Description: ... directory tree, you would create the following ACI on the dc=example,dc=com node:

    aci: (version 3.0; acl "Administrators-write"; allow (write)
    groupdn="ldap:///cn=Administrators,dc=example,dc=com";)

Scenario: groupdn keyword containing logical OR of LDAP URLs
Example: groupdn = "ldap:///cn=Administrators,dc=example,dc=com" || "ldap:///cn=Mail Administrators,dc=example,dc=com";
Description: The bind rule is evaluated to be true if the bind DN belongs to either the Administrators or the Mail Administrators group.

Table 6.5. groupdn Examples
6.4.4. Defining Role Access - roledn Keyword
Members of a specific role can access a targeted resource. This is known as role access. Role access is defined using the roledn keyword to specify that access to a targeted entry is granted or denied if the user binds using a DN that belongs to a specific role.

The roledn keyword requires one or more valid distinguished names in the following format:

    roledn = "ldap:///dn [|| ldap:///dn]... [|| ldap:///dn]"

The bind rule is evaluated to be true if the bind DN belongs to the specified role.

NOTE
If a DN contains a comma, the comma must be escaped by a backslash (\).

The roledn keyword has the same syntax and is used in the same way as the groupdn keyword.
6.4.5. Defining Access Based on Value Matching
You can set bind rules to specify that an attribute value of the entry used to bind to the directory must match an attribute value of the targeted entry.

For example, you can specify that the bind DN must match the DN in the manager attribute of a user entry in order for the ACI to apply. In this case, only the user's manager would have access to the entry.

This example is based on DN matching. However, you can match any attribute of the entry used in the bind with the targeted entry. For example, you could create an ACI that allowed any user whose favoriteDrink attribute is beer to read all the entries of other users that have the same value for favoriteDrink.
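The groupdn and roledn bind rules of Table 6.5 and Section 6.4.4, and the manager and favoriteDrink matching described just above, can be checked offline with the following small evaluator. It is an added example, not Directory Server code. It parses a groupdn or roledn bind rule in both the `"url" || "url"` form of Table 6.5 and the single-string `"url || url"` form of the roledn syntax, honours the backslash-escaped comma the NOTE requires, and evaluates the rule against a constructed in-memory directory in which group membership is held in uniqueMember and role membership in the server-computed nsRole attribute. The manager check is the `userattr = "manager#USERDN"` form of the value-matching rule; the favoriteDrink check models the prose only and asserts no ACI syntax. All entries, DNs and attribute values are constructed for the example.

```python
# Added example, not Directory Server code: a flat evaluator for the
# groupdn / roledn bind rules and the manager value-matching rule.
# DIRECTORY below is constructed sample data.
import re

URL_PREFIX = "ldap:///"


def split_dn(dn):
    """Split a DN on unescaped commas; a backslash-escaped comma stays in the value."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i + 1])
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur))
    return parts


def normalize_dn(dn):
    """Comparison form: case-insensitive, whitespace around ',' and '=' ignored."""
    return tuple(re.sub(r"\s*=\s*", "=", p.strip()).lower() for p in split_dn(dn))


def parse_dn_rule(rule):
    """Parse  groupdn|roledn = "ldap:///dn" || "ldap:///dn"  (|| may also sit inside one string).
    Returns (keyword, [normalized DN, ...]); rejects anything that is not an ldap:/// URL."""
    m = re.match(r"\s*(groupdn|roledn)\s*=\s*(.*)$", rule.strip().rstrip(";"), re.S | re.I)
    if not m:
        raise ValueError("not a groupdn/roledn bind rule: %r" % rule)
    keyword, dns = m.group(1).lower(), []
    for quoted in re.findall(r'"([^"]*)"', m.group(2)):
        for url in quoted.split("||"):
            url = url.strip()
            if not url.startswith(URL_PREFIX):
                raise ValueError("bind rule DNs must be ldap:/// URLs, got %r" % url)
            dns.append(normalize_dn(url[len(URL_PREFIX):]))
    if not dns:
        raise ValueError("no DN in bind rule: %r" % rule)
    return keyword, dns


# Constructed sample directory: DN -> {attribute: [values]}.
DIRECTORY = {
    "cn=Administrators,dc=example,dc=com": {
        "uniquemember": ["uid=alice,ou=People,dc=example,dc=com"]},
    "cn=Mail Administrators,dc=example,dc=com": {
        "uniquemember": ["cn=Smith\\, John,ou=People,dc=example,dc=com"]},
    "uid=alice,ou=People,dc=example,dc=com": {
        "nsrole": ["cn=HelpDesk,dc=example,dc=com"], "favoritedrink": ["beer"]},
    "cn=Smith\\, John,ou=People,dc=example,dc=com": {
        "manager": ["uid=alice,ou=People,dc=example,dc=com"], "favoritedrink": ["beer"]},
    "uid=dave,ou=People,dc=example,dc=com": {"favoritedrink": ["tea"]},
}
INDEX = {normalize_dn(dn): attrs for dn, attrs in DIRECTORY.items()}


def _entry(dn):
    return INDEX.get(normalize_dn(dn), {})


def dn_rule_true(rule, bind_dn):
    """groupdn: the bind DN is a member of any listed group.
    roledn: the bind entry holds any listed role.  Both are a logical OR over the URLs."""
    keyword, dns = parse_dn_rule(rule)
    bind = normalize_dn(bind_dn)
    if keyword == "groupdn":
        return any(normalize_dn(member) == bind
                   for gdn in dns
                   for member in INDEX.get(gdn, {}).get("uniquemember", []))
    roles = {normalize_dn(r) for r in _entry(bind_dn).get("nsrole", [])}
    return any(role in roles for role in dns)


def manager_rule_true(bind_dn, target_dn):
    """Value matching of 6.4.5 (userattr = "manager#USERDN"): true only when the
    targeted entry's manager attribute holds the bind DN."""
    bind = normalize_dn(bind_dn)
    return any(normalize_dn(m) == bind for m in _entry(target_dn).get("manager", []))


def same_value_rule_true(attr, value, bind_dn, target_dn):
    """The favoriteDrink case: both the bind entry and the target carry `value` for `attr`."""
    want = value.lower()

    def has(dn):
        return any(v.lower() == want for v in _entry(dn).get(attr.lower(), []))
    return has(bind_dn) and has(target_dn)


if __name__ == "__main__":
    either = ('groupdn = "ldap:///cn=Administrators,dc=example,dc=com" || '
              '"ldap:///cn=Mail Administrators,dc=example,dc=com";')
    # The escaped comma and the differing case/spacing must not defeat the match.
    print(dn_rule_true(either, "CN=Smith\\, John, OU=People, DC=example, DC=com"))
    print(dn_rule_true('roledn = "ldap:///cn=HelpDesk,dc=example,dc=com"',
                       "uid=dave,ou=People,dc=example,dc=com"))
```

In a running server the membership lookup is the server's own: nested groups and filtered or nested roles are resolved by Directory Server and surfaced through nsRole, and the bind DN is normalized before comparison, none of which this flat table attempts. The evaluator is useful for reviewing the boolean structure and escaping of a rule before it is loaded, not as a substitute for testing the ACI against the server.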
6.4.5.1. Using the userattr Keyword
The userattr keyword can be used to specify which attribute values must match between the entry used to bind and the targeted entry. You can specify any of the following:
• A user DN
• A group DN