Chapter 6. Managing Access Control
groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=hostedCompany2,dc=example,dc=com";)
The following ACI is located on the dc=subdomain1,dc=hostedCompany2,dc=example,dc=com node:
aci: (targetattr="*")(targetfilter=(objectClass=nsManagedDomain))
(version 3.0; acl "Domain access"; allow (read,search)
groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=subdomain1,dc=hostedCompany2,dc=example,dc=com";)
In the four ACIs shown above, the only differentiator is the DN specified in the groupdn keyword. By using a macro for the DN, it is possible to replace these ACIs by a single ACI at the root of the tree, on the dc=example,dc=com node. This ACI reads as follows:
aci: (target="ldap:///ou=Groups,($dn),dc=example,dc=com")
(targetattr="*")(targetfilter=(objectClass=nsManagedDomain))
(version 3.0; acl "Domain access"; allow (read,search)
groupdn="ldap:///cn=DomainAdmins,ou=Groups,[$dn],dc=example,dc=com";)
The target keyword, which was not previously used, is utilized in the new ACI.

In this example, the number of ACIs is reduced from four to one. The real benefit is a factor of how many repeating patterns you have down and across your directory tree.
6.10.2. Macro ACI Syntax
Macro ACIs include the following types of expressions to replace a DN or part of a DN:
• ($dn)
• [$dn]
• ($attr.attrName), where attrName represents an attribute contained in the target entry
In this section, the ACI keywords used to provide bind credentials, such as userdn, roledn, groupdn, and userattr, are collectively called the subject, as opposed to the target, of the ACI.

Macro ACIs can be used in the target part or the subject part of an ACI. Table 6.9, “Macros in ACI Keywords” shows in what parts of the ACI you can use DN macros:
Macro              ACI Keyword
($dn)              target, targetfilter, userdn, roledn, groupdn, userattr
[$dn]              targetfilter, userdn, roledn, groupdn, userattr
($attr.attrName)   userdn, roledn, groupdn, userattr
Table 6.9. Macros in ACI Keywords
The following restrictions apply:
• If you use ($dn) in targetfilter, userdn, roledn, groupdn, or userattr, you must define a target that contains ($dn).
• If you use [$dn] in targetfilter, userdn, roledn, groupdn, or userattr, you must define a target that contains ($dn).
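As an added illustration (not code from the Directory Server documentation), the following Python models how the macro ACI shown above is expanded for a given target entry: ($dn) in the target binds to the RDNs it covers, ($dn) in the subject is replaced once with that value, and [$dn] is replaced with the value and then with each shorter suffix obtained by dropping the leftmost RDN, which is why one ACI covers both the subdomain and the hosted company. The [$dn] expansion order, the simplified DN splitting (no escaped commas), and the function names are assumptions of this model; it also enforces the restriction that a subject macro requires ($dn) in the target.

```python
import re
from typing import Optional

# Constructed example reproducing the macro ACI shown in this section.
TARGET = "ldap:///ou=Groups,($dn),dc=example,dc=com"
GROUPDN = "ldap:///cn=DomainAdmins,ou=Groups,[$dn],dc=example,dc=com"

def macro_rules_ok(target: str, subject: str) -> bool:
    """Restriction from this section: a ($dn) or [$dn] macro in the subject
    requires a target that contains ($dn)."""
    uses_macro = "($dn)" in subject or "[$dn]" in subject
    return "($dn)" in target if uses_macro else True

def match_target(target: str, entry_dn: str) -> Optional[str]:
    """Bind ($dn) to the RDNs it covers when entry_dn sits at or below the
    target pattern; return None when the target does not apply.
    Assumption: ($dn) stands for one or more whole RDNs."""
    head, tail = target.removeprefix("ldap:///").split("($dn)")
    regex = r"(?:^|,)" + re.escape(head) + r"((?:[^,]+,)*[^,]+)" + re.escape(tail) + "$"
    m = re.search(regex, entry_dn)
    return m.group(1) if m else None

def expand_subject(subject: str, dn_value: str) -> list[str]:
    """($dn) is replaced once with the bound value. [$dn] is replaced with the
    bound value and then with every shorter suffix obtained by dropping the
    leftmost RDN (assumed expansion order; escaped commas are not handled)."""
    if "($dn)" in subject:
        return [subject.replace("($dn)", dn_value)]
    if "[$dn]" in subject:
        parts = [p.strip() for p in dn_value.split(",")]
        return [subject.replace("[$dn]", ",".join(parts[i:])) for i in range(len(parts))]
    return [subject]

def groupdn_candidates(target: str, subject: str, entry_dn: str) -> list[str]:
    """All group DNs (without the ldap:/// prefix) whose members the subject
    clause grants access to entry_dn, or [] if the ACI does not apply."""
    if not macro_rules_ok(target, subject):
        raise ValueError("subject macro used without ($dn) in target")
    bound = match_target(target, entry_dn)
    if bound is None:
        return []
    return [c.removeprefix("ldap:///") for c in expand_subject(subject, bound)]

if __name__ == "__main__":
    entry = "ou=Groups,dc=subdomain1,dc=hostedCompany2,dc=example,dc=com"
    for g in groupdn_candidates(TARGET, GROUPDN, entry):
        print(g)
```

For the subdomain1 entry the model yields both the subdomain1 and the hostedCompany2 DomainAdmins groups, matching the two ACIs that the single macro ACI replaces on that branch.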