Defining Targets
149
• (target="ldap:///uid=*,dc=example,dc=com") — Matches every entry in the entire example.com tree that has the uid attribute in the entry's RDN.
• (target="ldap:///uid=*Anderson,dc=example,dc=com") — Matches every entry directly under the example.com node with a uid ending in Anderson.
• (target="ldap:///uid=C*A,dc=example,dc=com") — Matches every entry directly under the example.com node with a uid beginning with C and ending with A.
• (target="ldap:///uid=*,ou=*,dc=example,dc=com") — Matches every entry in the example.com tree whose distinguished name contains the uid and ou attributes. Thus, uid=fchen,ou=Engineering,dc=example,dc=com or uid=claire,ou=Engineering,ou=people,dc=example,dc=com would match, but uid=bjensen,dc=example,dc=com or ou=Engineering,dc=example,dc=com would not.
Depending on the position of the wildcard, it can apply to the full DN, not only to attribute values. Therefore, the wildcard can be used as a substitute for portions of the DN. For example, uid=andy*,dc=example,dc=com targets all the directory entries in the entire example.com tree with a matching uid attribute and not just the entries that are immediately below the dc=example,dc=com node. In other words, this target matches longer expressions such as uid=andy,ou=eng,dc=example,dc=com or uid=andy,ou=marketing,dc=example,dc=com.
NOTE
You cannot use wildcards in the suffix part of a distinguished name. That is, if your directory uses the suffixes c=US and c=GB, then you cannot use (target="ldap:///dc=example,c=*") as a target to reference both suffixes. Neither can you use a target such as uid=bjensen,dc=*.com.
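The wildcard rules above, modelled in Python as an added example (this is not code from the Directory Server guide or from the server itself): a target clause is parsed, its suffix part is checked against a list of configured suffixes (the guide's rule that a wildcard may not appear in the suffix), and the DN pattern is compiled into an anchored, case-insensitive match in which each * may stand in for intermediate RDNs as well as for part of an attribute value, which is what lets uid=andy*,dc=example,dc=com reach uid=andy,ou=eng,dc=example,dc=com. The SUFFIXES list, the ENTRIES list and all function names are constructed for the illustration, and the server's own matcher may differ in edge cases the text does not describe.

```python
import re

# Constructed for this example: the suffixes configured on the server and a few
# entry DNs. Neither list comes from the guide.
SUFFIXES = ["dc=example,dc=com"]
ENTRIES = [
    "uid=fchen,ou=Engineering,dc=example,dc=com",
    "uid=claire,ou=Engineering,ou=people,dc=example,dc=com",
    "uid=bjensen,dc=example,dc=com",
    "ou=Engineering,dc=example,dc=com",
    "uid=andy,ou=eng,dc=example,dc=com",
    "uid=andy,ou=marketing,dc=example,dc=com",
]

_TARGET_RE = re.compile(r'\s*\(\s*target\s*=\s*"ldap:///([^"]*)"\s*\)\s*')


def normalize_dn(dn: str) -> str:
    """Lower-case the DN and drop whitespace around commas. This example does not
    handle escaped commas inside RDN values."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_target(clause: str) -> str:
    """Return the DN pattern inside (target="ldap:///<pattern>")."""
    m = _TARGET_RE.fullmatch(clause)
    if not m:
        raise ValueError(f"not a target clause: {clause!r}")
    return m.group(1)


def suffix_is_literal(pattern: str, suffixes=SUFFIXES) -> bool:
    """The guide's restriction: the suffix part of the pattern must be one of the
    configured suffixes written out in full, so dc=example,c=* and
    uid=bjensen,dc=*.com are both rejected."""
    p = normalize_dn(pattern)
    return any(p == s or p.endswith("," + s) for s in map(normalize_dn, suffixes))


def compile_target_dn(pattern: str) -> re.Pattern:
    """Compile the pattern into an anchored regex. Every '*' becomes '.*', so a
    wildcard in a value can also swallow whole intermediate RDNs."""
    literal_chunks = [re.escape(c) for c in normalize_dn(pattern).split("*")]
    return re.compile("^" + ".*".join(literal_chunks) + "$")


def target_matches(clause: str, entry_dn: str, suffixes=SUFFIXES) -> bool:
    """True when the entry DN falls under the ACI target clause."""
    pattern = parse_target(clause)
    if not suffix_is_literal(pattern, suffixes):
        raise ValueError(f"wildcard or unknown suffix in target: {pattern!r}")
    return compile_target_dn(pattern).match(normalize_dn(entry_dn)) is not None


def select_entries(clause: str, entry_dns=ENTRIES, suffixes=SUFFIXES) -> list:
    """All DNs from entry_dns that the target clause covers, in input order."""
    return [dn for dn in entry_dns if target_matches(clause, dn, suffixes)]


if __name__ == "__main__":
    for clause in (
        '(target="ldap:///uid=*,dc=example,dc=com")',
        '(target="ldap:///uid=*,ou=*,dc=example,dc=com")',
        '(target="ldap:///uid=andy*,dc=example,dc=com")',
    ):
        print(clause)
        for dn in select_entries(clause):
            print("   ", dn)
```

Running the script lists, for each of the three target clauses, which of the constructed entries it covers; the uid=*,ou=* clause picks up fchen and claire but not bjensen or the ou=Engineering entry, exactly as the bullet list states, and a clause such as (target="ldap:///uid=bjensen,dc=*.com") is rejected before any matching is attempted.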
6.3.2.2. Targeting Attributes
In addition to targeting directory entries, you can also target one or more attributes included in the targeted entries. This is useful to deny or allow access to partial information about an entry. For example, you could allow access to only the common name, surname, and telephone number attributes of a given entry while denying access to sensitive information such as passwords.
You can specify that the target is equal or is not equal to a specific attribute. The attributes you supply do not need to be defined in the schema. This absence of schema checking makes it possible to implement an access control policy when you set up your directory service for the first time, even if the ACLs you create do not apply to the current directory content.
To target attributes, use the targetattr keyword. The keyword uses the following syntax:
(targetattr = "attribute")
You can target multiple attributes by using the targetattr keyword with the following syntax:
(targetattr = "attribute1 || attribute2 ... || attributen")