Red Hat DIRECTORY SERVER 7.1 - ADMINISTRATOR Administrator's Manual page 224


Bind Rules

Userdn keyword excluding a specific LDAP URL:

userdn != "ldap:///uid=*,ou=Accounting,dc=example,dc=com";

The bind rule is evaluated to be true if the client is not binding as a UID-based
distinguished name in the accounting subtree. This bind rule only makes
sense if the targeted entry is not under the accounting branch of the directory
tree.

Userdn keyword containing self keyword:

userdn = "ldap:///self";

The bind rule is evaluated to be true if the user is accessing the entry
represented by the DN with which the user bound to the directory. That is, if
the user has bound as uid=ssarette,dc=example,dc=com and the user is
attempting an operation on the uid=ssarette,dc=example,dc=com entry,
then the bind rule is true.

If you want to grant all users in the example.com tree write access to their
userPassword attribute, you would create the following ACI on the
dc=example,dc=com node.

aci: (targetattr = "userPassword") (version 3.0; acl "write-self"; allow (write) userdn = "ldap:///self";)

Userdn keyword containing the all keyword:

userdn = "ldap:///all";

The bind rule is evaluated to be true for any valid bind DN. To be true, a valid
distinguished name and password must have been presented by the user
during the bind operation.

For example, if you want to grant read access to the entire tree to all
authenticated users, you would create the following ACI on the
dc=example,dc=com node:

aci:(version 3.0; acl "all-read"; allow (read) userdn="ldap:///all";)

Userdn keyword containing the anyone keyword:

userdn = "ldap:///anyone";

The bind rule is evaluated to be true for anyone; use this keyword to provide
anonymous access to your directory.

For example, if you want to allow anonymous read and search access to the
entire example.com tree, you would create the following ACI on the
dc=example,dc=com node:

Red Hat Directory Server Administrator's Guide • May 2005
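
The userdn keyword semantics described on this page (self, all, anyone, and an LDAP URL negated with !=), written out as an added Python sketch; it is not part of the Red Hat manual or of Directory Server's own code. The regular expression, the simplified DN normalisation, the fnmatch-based wildcard matching, the function names and the uid=jdoe DN are assumptions made for illustration.

```python
import re
from fnmatch import fnmatchcase

# Covers only the one-userdn "allow" ACIs shown on this page, not the full ACI grammar.
ACI_RE = re.compile(
    r'acl\s+"(?P<name>[^"]+)"\s*;\s*allow\s*\((?P<rights>[^)]*)\)\s*'
    r'userdn\s*(?P<op>!?=)\s*"ldap:///(?P<who>[^"]*)"')

def norm_dn(dn):
    """Simplified DN normalisation: lower-case, no spaces around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def userdn_matches(op, who, bind_dn, target_dn):
    """Evaluate one userdn bind rule. bind_dn is None for an anonymous client."""
    if who == "anyone":        # true for anyone, bound or not
        hit = True
    elif who == "all":         # any client that presented a valid DN and password
        hit = bind_dn is not None
    elif who == "self":        # bind DN is the entry being accessed
        hit = bind_dn is not None and norm_dn(bind_dn) == norm_dn(target_dn)
    else:                      # LDAP URL whose DN may contain * wildcards
        hit = bind_dn is not None and fnmatchcase(norm_dn(bind_dn), norm_dn(who))
    # "!=" is true whenever the client is NOT such a DN; counting an anonymous
    # client as "not such a DN" is this sketch's assumption.
    return hit if op == "=" else not hit

def granted_rights(aci, bind_dn, target_dn):
    """Return the rights the ACI allows this client on target_dn (empty set if none)."""
    m = ACI_RE.search(aci)
    if m is None:
        raise ValueError("ACI form not covered by this sketch")
    if not userdn_matches(m["op"], m["who"], bind_dn, target_dn):
        return set()
    return {r.strip() for r in m["rights"].split(",") if r.strip()}

# The two complete ACIs from this page.
WRITE_SELF = ('(targetattr = "userPassword") (version 3.0; acl "write-self"; '
              'allow (write) userdn = "ldap:///self";)')
ALL_READ = '(version 3.0; acl "all-read"; allow (read) userdn="ldap:///all";)'

SSARETTE = "uid=ssarette,dc=example,dc=com"
OTHER = "uid=jdoe, ou=Accounting, dc=example, dc=com"   # constructed sample DN

if __name__ == "__main__":
    for who, dn in (("ssarette", SSARETTE), ("other user", OTHER), ("anonymous", None)):
        print(who, "write-self:", granted_rights(WRITE_SELF, dn, SSARETTE),
              "all-read:", granted_rights(ALL_READ, dn, SSARETTE))
```

Running it shows that write-self yields write only when the bind DN and the target entry are the same, and that all-read yields nothing for an anonymous client.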
