aci: (version 3.0; acl "anonymous-read-search"; allow (read,
search) userdn = "ldap:///anyone";)
•
Userdn keyword containing the parent keyword:
userdn = "ldap:///parent";
The bind rule is evaluated to be true if the bind DN is the parent of the targeted
entry.
For example, if you want to grant write access to every user's child entries, you
would create the following ACI on the
aci:(version 3.0; acl "parent access"; allow (write)
userdn="ldap:///parent";)
userdn = "ldap:///dc=example,dc=com???(|(ou=engineering)
(ou=sales))";
The bind rule is evaluated to be true if the user belongs to the engineering or
sales subtree.
Defining Group Access - groupdn Keyword
Members of a specific group can access a targeted resource. This is known as group
access. Group access is defined using the
a targeted entry will be granted or denied if the user binds using a DN that belongs
to a specific group.
The
keyword requires one or more valid distinguished names in the
groupdn
following format :
groupdn="ldap:///
The bind rule is evaluated to be true if the bind DN belongs to the named group.
NOTE
If a DN contains a comma, the comma must be escaped by a
backslash (\).
From the Server Console, you can define specific groups using the Access Control
Editor. For more information, see "Creating ACIs from the Console," on page 237.
Examples
This section contains examples of the
dc=example,dc=com
groupdn
dn
dn
[|| ldap:///
groupdn
node:
keyword to specify that access to
dn
]...[|| ldap:///
syntax.
Chapter 6
Managing Access Control
Bind Rules
]"
225