Example ACI; Defining Targets - Red Hat Directory Server 7.1 Administrator's Manual

permission specifically outlines what rights you are either allowing or denying (for example, read or search rights).
bind_rules specify the credentials and bind parameters that a user has to provide to be granted access. Bind rules can also specifically deny access to certain users or groups of users.
You can have multiple permission-bind rule pairs for each target. This allows you
to set multiple access controls for a given target efficiently. For example:
target(permission bind_rule)(permission bind_rule)...
If you have several ACRs in one ACI statement, the syntax is of the form:
aci: (target)(version 3.0;acl "name";permission bind_rule; permission bind_rule; ... permission bind_rule;)

Example ACI

The following is an example of a complete LDIF ACI:
aci: (target="ldap:///uid=bjensen,dc=example,dc=com")(targetattr=*)(version 3.0;acl "aci1";allow (write) userdn="ldap:///self";)
In this example, the ACI states that the user bjensen has rights to modify all attributes in her own directory entry.
The following sections describe the syntax of each portion of the ACI in more detail.

Defining Targets

The target identifies to what the ACI applies. If the target is not specified, the ACI applies to the entry containing the aci attribute and to the entries below it.
A target can be:
A directory entry or all of the entries in a subtree, as described in "Targeting a Directory Entry," on page 209.
Attributes of an entry, as described in "Targeting Attributes," on page 211.
A set of entries or attributes that match a specified LDAP filter, as described in "Targeting Entries or Attributes Using LDAP Filters," on page 212.
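
As an added example (not code from the Red Hat manual), the Python code below splits an ACI value written in the syntax this section describes into its targets, its name and its permission-bind rule pairs, then produces notes for a reviewer. The function names, the constructed second ACI and the two review checks are assumptions made for illustration.

```python
import re

# (keyword=value) target groups before the rule body. Assumption: a value is
# either double-quoted or contains no parentheses.
TARGET_RE = re.compile(r'\(\s*(\w+)\s*(!?=)\s*("[^"]*"|[^()]*?)\s*\)')
BODY_RE = re.compile(r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;(.*)\)\s*$', re.S)
# One permission-bind rule pair: allow|deny (rights) bind_rule;
RULE_RE = re.compile(r'\s*(allow|deny)\s*\(([^)]*)\)\s*((?:"[^"]*"|[^";])*);')

# The ACI from the page, then a constructed one with no target keyword.
PAGE_ACI = ('aci: (target="ldap:///uid=bjensen,dc=example,dc=com")(targetattr=*)'
            '(version 3.0;acl "aci1";allow (write) userdn="ldap:///self";)')
CONSTRUCTED_ACI = ('aci: (targetattr="userPassword")(version 3.0;acl "constructed";'
                   'allow (read, search) userdn="ldap:///self"; '
                   'deny (write) userdn="ldap:///self";)')

def parse_aci(value):
    """Split an ACI value into targets, name and permission-bind rule pairs."""
    value = value.strip()
    if value.lower().startswith("aci:"):
        value = value[4:].strip()
    body = BODY_RE.search(value)
    if body is None:
        raise ValueError('missing (version 3.0;acl "name";...) section')
    targets = {k.lower(): (op, v.strip('"'))
               for k, op, v in TARGET_RE.findall(value[:body.start()])}
    rules = [{"type": kind, "rights": [r.strip() for r in rights.split(",")],
              "bind_rule": bind.strip()}
             for kind, rights, bind in RULE_RE.findall(body.group(2))]
    if not rules:
        raise ValueError("no permission-bind rule pair found")
    return {"name": body.group(1), "targets": targets, "rules": rules}

def review_notes(aci):
    """Notes for a human reviewer; the two checks are a hypothetical policy."""
    notes = []
    if "target" not in aci["targets"]:
        notes.append("no target: applies to the entry holding the aci "
                     "attribute and to the entries below it")
    all_attrs = aci["targets"].get("targetattr") == ("=", "*")
    for rule in aci["rules"]:
        if all_attrs and rule["type"] == "allow" and "write" in rule["rights"]:
            notes.append(f'{rule["bind_rule"]} may write every attribute')
    return notes

if __name__ == "__main__":
    for text in (PAGE_ACI, CONSTRUCTED_ACI):
        parsed = parse_aci(text)
        print(parsed["name"], parsed["rules"], review_notes(parsed))
```
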
Chapter 6, Managing Access Control - Creating ACIs Manually - page 207