Bind Rules

• Groupdn keyword containing an LDAP URL:

    groupdn = "ldap:///cn=Administrators,dc=example,dc=com";

The bind rule is evaluated to be true if the bind DN belongs to the Administrators group. If you wanted to grant the Administrators group permission to write to the entire directory tree, you would create the following ACI on the dc=example,dc=com node:

    aci: (version 3.0; acl "Administrators-write"; allow (write)
    groupdn="ldap:///cn=Administrators,dc=example,dc=com";)

• Groupdn keyword containing logical OR of LDAP URLs:

    groupdn = "ldap:///cn=Administrators,dc=example,dc=com" ||
    "ldap:///cn=Mail Administrators,dc=example,dc=com";

The bind rule is evaluated to be true if the bind DN belongs to either the Administrators or the Mail Administrators group.

Defining Role Access - roledn Keyword

Members of a specific role can access a targeted resource. This is known as role access. Role access is defined using the roledn keyword to specify that access to a targeted entry will be granted or denied if the user binds using a DN that belongs to a specific role.

The roledn keyword requires one or more valid distinguished names in the following format:

    roledn = "ldap:///dn [|| ldap:///dn]... [|| ldap:///dn]"

The bind rule is evaluated to be true if the bind DN belongs to the specified role. If a DN contains a comma, the comma must be escaped by a backslash (\).

NOTE
The roledn keyword has the same syntax and is used in the same way as the groupdn keyword.

Defining Access Based on Value Matching

You can set bind rules to specify that an attribute value of the entry used to bind to the directory must match an attribute value of the targeted entry.

226
Red Hat Directory Server Administrator's Guide • May 2005
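The following is an added example, not code from the Red Hat Directory Server manual, showing how the groupdn and roledn bind-rule syntax above is parsed and evaluated: it extracts the `||`-separated LDAP URLs (honouring the backslash-escaped comma the manual requires), pulls the bind rule out of a full aci value such as the Administrators-write ACI, and decides whether a given bind DN satisfies it. The group memberships, role assignments and user DNs are constructed for the example; a real server takes them from the directory, and its DN normalisation is more complete than the simplified one here.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed membership data for the example (not from the manual):
# static group members (for groupdn) and role holders (for roledn).
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "cn=Administrators,dc=example,dc=com": {
        "uid=alice,ou=People,dc=example,dc=com",
    },
    "cn=Mail Administrators,dc=example,dc=com": {
        "uid=bob,ou=People,dc=example,dc=com",
    },
}
ENTRY_ROLES: Dict[str, Set[str]] = {
    "uid=carol,ou=People,dc=example,dc=com": {
        "cn=HelpDesk,ou=Roles,dc=example,dc=com",
    },
}

# One quoted LDAP URL. Inside the quotes a backslash escapes the next
# character, which is how a comma inside a DN is written ("\,").
_URL_NC = r'"ldap:///(?:\\.|[^"\\])*"'
_URL_RE = re.compile(r'"ldap:///((?:\\.|[^"\\])*)"')
# keyword = "url" [|| "url"]...  (the groupdn / roledn bind-rule syntax),
# found either on its own or embedded in a complete aci value.
_RULE_RE = re.compile(
    r'\b(groupdn|roledn)\s*=\s*(' + _URL_NC + r'(?:\s*\|\|\s*' + _URL_NC + r')*)',
    re.IGNORECASE,
)


def normalize_dn(dn: str) -> str:
    """Case-fold and drop blanks around unescaped commas so DNs that differ
    only in case or spacing compare equal (a simplified RFC 4514 match)."""
    rdns = re.split(r'(?<!\\),', dn)
    return ",".join(r.strip().lower() for r in rdns)


def parse_bind_rule(rule: str) -> Tuple[str, List[str]]:
    """Return (keyword, [dn, ...]) for the first groupdn/roledn bind rule in
    `rule`; the DNs keep their escapes exactly as written."""
    m = _RULE_RE.search(rule)
    if m is None:
        raise ValueError(f"no groupdn/roledn bind rule found in: {rule!r}")
    return m.group(1).lower(), _URL_RE.findall(m.group(2))


def bind_rule_matches(rule: str, bind_dn: str) -> bool:
    """True if bind_dn satisfies the rule: it is a member of any listed group
    (groupdn) or holds any listed role (roledn). The || is a logical OR."""
    keyword, dns = parse_bind_rule(rule)
    bind = normalize_dn(bind_dn)
    targets = {normalize_dn(d) for d in dns}
    if keyword == "groupdn":
        for group_dn, members in GROUP_MEMBERS.items():
            if normalize_dn(group_dn) in targets:
                if bind in {normalize_dn(m) for m in members}:
                    return True
        return False
    # roledn: look up the roles of the binding entry itself
    for entry_dn, roles in ENTRY_ROLES.items():
        if normalize_dn(entry_dn) == bind:
            return any(normalize_dn(r) in targets for r in roles)
    return False


if __name__ == "__main__":
    aci = ('(version 3.0; acl "Administrators-write"; allow (write) '
           'groupdn="ldap:///cn=Administrators,dc=example,dc=com";)')
    or_rule = ('groupdn = "ldap:///cn=Administrators,dc=example,dc=com" || '
               '"ldap:///cn=Mail Administrators,dc=example,dc=com";')
    for who in ("uid=alice,ou=People,dc=example,dc=com",
                "uid=bob,ou=People,dc=example,dc=com"):
        print(who, "write via ACI:", bind_rule_matches(aci, who),
              "| OR rule:", bind_rule_matches(or_rule, who))
```

Run as a script it evaluates the two groupdn rules from the page for the constructed users alice and bob; the same `bind_rule_matches` function handles a roledn rule by consulting the binding entry's roles instead of group member lists, which is the only difference between the two keywords that the NOTE above describes.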