Targeting Attributes - Red Hat DIRECTORY SERVER 7.1 - ADMINISTRATOR Administrator's Manual


Chapter 6: Managing Access Control, Creating ACIs Manually

uid=bjensen,dc=example,dc=com
ou=Engineering,dc=example,dc=com

NOTE
You cannot use wildcards in the suffix part of a distinguished name. That is, if your directory uses the suffixes c=US and c=GB, then you cannot use the following target to reference both suffixes:
(target="ldap:///dc=example,c=*").
Neither can you use a target such as uid=bjensen,dc=*.com.

Targeting Attributes

In addition to targeting directory entries, you can also target one or more attributes included in the targeted entries. This is useful when you want to deny or allow access to partial information about an entry. For example, you could allow access to only the common name, surname, and telephone number attributes of a given entry. Or you could deny access to sensitive information such as passwords.

You can specify that the target is equal or is not equal to a specific attribute. The attributes you supply do not need to be defined in the schema. This absence of schema checking makes it possible to implement an access control policy when you set up your directory service for the first time, even if the ACLs you create do not apply to the current directory content.

To target attributes, you use the targetattr keyword. The keyword uses the following syntax:
(targetattr = "attribute")

You can target multiple attributes by using the targetattr keyword with the following syntax:
(targetattr = "attribute1 || attribute2 ... || attributen")

Where attribute is the name of the attribute you want to target.

For example, to target the common name attribute you would use:
(targetattr = "cn")

To target an entry's common name, surname, and uid attributes, you would use the following:
(targetattr = "cn || sn || uid")
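Because targetattr names are not checked against the schema, a misspelled attribute is accepted silently, which matters most in a "not equal" target. The following Python check is an added example, not part of the Red Hat manual: it parses the targetattr clause of an ACI and flags names missing from a schema list. The ACI strings, the SCHEMA_ATTRS subset and the function names are constructed for illustration.

```python
import re

# One targetattr clause: (targetattr = "a || b") or (targetattr != "a")
TARGETATTR_RE = re.compile(r'\(\s*targetattr\s*(!=|=)\s*"([^"]*)"\s*\)', re.IGNORECASE)

# Constructed subset of schema attribute names (assumption: a real audit
# would load the full list from the server's schema).
SCHEMA_ATTRS = {"cn", "sn", "uid", "telephoneNumber", "userPassword"}

# Constructed sample ACIs; the second misspells userPassword.
ACI_OK = ('(targetattr = "cn || sn || uid")(version 3.0; acl "constructed example 1"; '
          'allow (read, search) userdn = "ldap:///anyone";)')
ACI_TYPO = ('(targetattr != "userPasword")(version 3.0; acl "constructed example 2"; '
            'allow (read, search) userdn = "ldap:///all";)')


def parse_targetattr(aci):
    """Return (operator, [attribute names]) for the targetattr clause, or None."""
    match = TARGETATTR_RE.search(aci)
    if match is None:
        return None
    names = [part.strip() for part in match.group(2).split("||")]
    return match.group(1), [name for name in names if name]


def lint_targetattr(aci, schema_attrs):
    """Return a list of findings for one ACI string."""
    parsed = parse_targetattr(aci)
    if parsed is None:
        return ["no targetattr clause found"]
    operator, names = parsed
    known = {attr.lower() for attr in schema_attrs}  # attribute names are case-insensitive
    findings = [
        f"'{name}' is not defined in the schema (accepted by the server, possible typo)"
        for name in names if name.lower() not in known
    ]
    if operator == "!=":
        # A "not equal" target covers every attribute other than those listed,
        # so a misspelled exclusion leaves the intended attribute covered too.
        findings.append("'!=' targets every attribute except: " + ", ".join(names))
    return findings


if __name__ == "__main__":
    for aci in (ACI_OK, ACI_TYPO):
        print(parse_targetattr(aci), lint_targetattr(aci, SCHEMA_ATTRS))
```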
