Chapter 6. Managing Access Control
• A role DN
• An LDAP filter, in an LDAP URL
• Any attribute type
The LDIF syntax of the userattr keyword is as follows:
userattr = "attrName#bindType"
Using an attribute type that requires a value other than a user DN, group DN, role DN, or an LDAP
filter has the following format:
userattr = "attrName#attrValue"
• attrName is the name of the attribute whose value is matched.
• bindType is one of USERDN, GROUPDN, ROLEDN, or LDAPURL, corresponding to the kinds of value listed
above.
• attrValue is any string representing an attribute value.
6.4.5.1.1. Example with USERDN Bind Type
The following associates the userattr keyword with a bind based on the user DN:
userattr = "manager#USERDN"
The bind rule is evaluated to be true if the bind DN matches the value of the manager attribute in
the targeted entry. You can use this to allow a user's manager to modify employees' attributes. This
mechanism only works if the manager attribute in the targeted entry is expressed as a full DN; a
manager attribute holding a plain name never matches.
The following example grants a manager full access to his or her employees' entries:
aci: (target="ldap:///dc=example,dc=com")(targetattr=*)
(version 3.0; acl "manager-write"; allow (all) userattr = "manager#USERDN";)
Because (targetattr=*) with allow (all) also covers the manager attribute itself, a manager granted
access this way can change who an employee's manager is. Exclude that attribute from the ACI if the
reporting line must not be editable by the manager.
6.4.5.1.2. Example with GROUPDN Bind Type
The following associates the userattr keyword with a bind based on a group DN:
userattr = "owner#GROUPDN"
The bind rule is evaluated to be true if the bind DN is a member of the group specified in the owner
attribute of the targeted entry. For example, you can use this mechanism to allow a group to manage
employees' status information. You can use an attribute other than owner as long as the attribute you
use contains the DN of a group entry.
The group you point to can be a dynamic group, and the DN of the group can be under any suffix in
the database. However, the evaluation of this type of ACI by the server is very resource intensive.
If you are using static groups that are under the same suffix as the targeted entry, you can use the
following expression, which is cheaper for the server to evaluate:
userattr = "ldap:///dc=example,dc=com?owner#GROUPDN"
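To make the matching rules in the USERDN and GROUPDN examples concrete, here is an added Python example that is not part of the Directory Server documentation or code. It parses userattr bind rules and evaluates the USERDN and GROUPDN bind types against a small constructed in-memory directory. The entry DNs, attribute values, and helper names are assumptions made for the illustration, and the ldap:///suffix? prefix is modelled as restricting where the group entry may live; ROLEDN, LDAPURL, attrValue matching, and dynamic groups are deliberately not modelled.

```python
"""Toy evaluator for userattr bind rules with the USERDN and GROUPDN bind types.

Added illustration, not Directory Server code: it replays the matching rules
stated in the text against in-memory entries. The directory below is
constructed sample data; entry DNs and attribute values are invented.
"""
import re

# userattr = "attrName#bindType"   or   userattr = "ldap:///suffix?attrName#bindType"
USERATTR_RE = re.compile(
    r'^\s*userattr\s*=\s*"(?:(ldap:///[^?"]+)\?)?([A-Za-z][\w;-]*)#([^"]+)"\s*$'
)


def normalize_dn(dn):
    """Minimal DN normalization: case-fold and drop blanks around each RDN.

    Enough to compare the DNs in this example. A server applies the full
    RFC 4514 rules; values with escaped commas would defeat this split.
    """
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_dn(value):
    """True if every comma-separated component looks like type=value.

    This is the caveat from the text: a manager attribute holding
    'Carol Jones' instead of a full DN can never satisfy manager#USERDN.
    """
    return all(re.fullmatch(r"\s*[A-Za-z][\w.-]*=.*", p) for p in value.split(","))


def under_suffix(dn, suffix):
    """True if dn equals suffix or lies below it (after normalization)."""
    dn, suffix = normalize_dn(dn), normalize_dn(suffix)
    return dn == suffix or dn.endswith("," + suffix)


def parse_userattr(rule):
    """Split a userattr bind rule into (suffix or None, attrName, bindType)."""
    m = USERATTR_RE.match(rule)
    if not m:
        raise ValueError(f"not a userattr bind rule: {rule!r}")
    url, attr_name, bind_type = m.groups()
    suffix = url[len("ldap:///"):] if url else None
    return suffix, attr_name.lower(), bind_type


def evaluate(rule, bind_dn, target_dn, directory):
    """Return True if the bind rule holds for bind_dn acting on target_dn.

    directory maps normalized entry DNs to {lowercase attribute: [values]}.
    """
    suffix, attr_name, bind_type = parse_userattr(rule)
    target = directory.get(normalize_dn(target_dn))
    if target is None:
        return False
    values = target.get(attr_name, [])

    if bind_type == "USERDN":
        # The bind DN must equal the attribute value held in the *target* entry.
        return any(is_dn(v) and normalize_dn(v) == normalize_dn(bind_dn) for v in values)

    if bind_type == "GROUPDN":
        # The attribute names a group; the bind DN must be one of its members.
        # Only static groups are modelled (uniqueMember / member); a dynamic
        # group would need its memberURL filter evaluated against bind_dn.
        for group_dn in values:
            if not is_dn(group_dn):
                continue
            if suffix and not under_suffix(group_dn, suffix):
                continue  # assumed: the ldap:///suffix? prefix confines the lookup
            group = directory.get(normalize_dn(group_dn))
            if group is None:
                continue
            members = group.get("uniquemember", []) + group.get("member", [])
            if any(normalize_dn(m) == normalize_dn(bind_dn) for m in members):
                return True
        return False

    raise NotImplementedError(f"bind type {bind_type} is not modelled here")


# Constructed sample directory (not real data).
DIRECTORY = {
    normalize_dn(dn): attrs
    for dn, attrs in {
        "uid=alice,ou=People,dc=example,dc=com": {
            "manager": ["uid=carol,ou=People,dc=example,dc=com"],
            "owner": ["cn=HR Admins,ou=Groups,dc=example,dc=com"],
        },
        # manager stored as a display name, not a DN: manager#USERDN never matches
        "uid=bob,ou=People,dc=example,dc=com": {"manager": ["Carol Jones"]},
        "cn=HR Admins,ou=Groups,dc=example,dc=com": {
            "uniquemember": ["uid=dave,ou=People,dc=example,dc=com"],
        },
    }.items()
}

ALICE = "uid=alice,ou=People,dc=example,dc=com"
BOB = "uid=bob,ou=People,dc=example,dc=com"
CAROL = "uid=carol,ou=People,dc=example,dc=com"
DAVE = "uid=dave,ou=People,dc=example,dc=com"

if __name__ == "__main__":
    print(evaluate('userattr = "manager#USERDN"', CAROL, ALICE, DIRECTORY))  # True
    print(evaluate('userattr = "manager#USERDN"', CAROL, BOB, DIRECTORY))    # False
    print(evaluate('userattr = "owner#GROUPDN"', DAVE, ALICE, DIRECTORY))    # True
```

Run it directly to see the three results, or import it and call evaluate with your own rule strings. The DN comparison is the part most worth attention: Carol binding as "UID=Carol, OU=People, DC=Example, DC=Com" still matches Alice's manager attribute after normalization, whereas Bob's manager value "Carol Jones" fails is_dn and the rule is never true for his entry, which is exactly why the text insists the attribute be a full DN.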