Using The Userattr Keyword - Red Hat DIRECTORY SERVER 7.1 - ADMINISTRATOR Administrator's Manual


Chapter 6 Managing Access Control
Bind Rules

For example, you can specify that the bind DN must match the DN in the manager
attribute of a user entry in order for the ACI to apply. In this case, only the user's
manager would have access to the entry.
This example is based on DN matching. However, you can match any attribute of
the entry used in the bind with the targeted entry. For example, you could create an
ACI that allowed any user whose favoriteDrink attribute is beer to read all the
entries of other users that have the same value for favoriteDrink.

Using the userattr Keyword

The userattr keyword can be used to specify which attribute values must match
between the entry used to bind and the targeted entry. You can specify:
A user DN
A group DN
A role DN
An LDAP filter, in an LDAP URL
Any attribute type
The LDIF syntax of the userattr keyword is as follows:
userattr = "attrName#bindType"
or, if you are using an attribute type that requires a value other than a user DN,
group DN, role DN, or an LDAP filter:
userattr = "attrName#attrValue"
where:
attrName is the name of the attribute used for value matching.
bindType is one of USERDN, GROUPDN, or LDAPURL.
attrValue is any string representing an attribute value.
The following sections provide examples of the userattr keyword with the
various possible bind types.

Example with USERDN Bind Type

The following is an example of the userattr keyword associated with a bind
based on the user DN:
userattr = "manager#USERDN"
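
The two matching cases described above (manager#USERDN and favoriteDrink#beer) can be modelled in a few lines. This is an added illustration, not code from the manual or from Directory Server: the entries, the DNs under dc=example,dc=com, the function names, the simplified DN normalization and the case-insensitive value comparison are all assumptions, and GROUPDN and LDAPURL are left unimplemented.

```python
# Toy model of userattr matching (added illustration, not Directory Server code).
def norm_dn(dn):
    """Simplified DN normalization (assumption): lowercase, trim around RDNs."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_userattr(expr):
    """Split 'attrName#bindType' or 'attrName#attrValue' at the first '#'."""
    attr, sep, rhs = expr.partition("#")
    if not sep or not attr or not rhs:
        raise ValueError("expected attrName#bindType or attrName#attrValue")
    return attr, rhs

def userattr_matches(expr, bind_dn, bind_entry, target_entry):
    """Return True when the bind rule holds for this bind/target pair."""
    attr, rhs = parse_userattr(expr)
    key = attr.lower()
    target_vals = target_entry.get(key, [])
    if rhs == "USERDN":
        # The targeted entry's attribute must hold the DN used to bind.
        return norm_dn(bind_dn) in {norm_dn(v) for v in target_vals}
    if rhs in ("GROUPDN", "LDAPURL"):
        raise NotImplementedError(rhs + " needs a group or filter lookup")
    # attrValue case: the bind entry and the targeted entry must both carry
    # the stated value (compared case-insensitively here, an assumption).
    want = rhs.lower()
    return (want in (v.lower() for v in bind_entry.get(key, []))
            and want in (v.lower() for v in target_vals))

# Constructed sample entries (hypothetical DNs).
BOSS = "uid=boss,ou=People,dc=example,dc=com"
PEER = "uid=peer,ou=People,dc=example,dc=com"
STAFF = "uid=staff,ou=People,dc=example,dc=com"
ENTRIES = {
    BOSS: {"favoritedrink": ["tea"]},
    PEER: {"favoritedrink": ["Beer"]},
    STAFF: {
        "manager": ["uid=boss, ou=People, dc=example, dc=com"],
        "favoritedrink": ["beer"],
    },
}

def check(expr, bind_dn, target_dn):
    """Evaluate a userattr expression for one bind DN against one target DN."""
    return userattr_matches(expr, bind_dn, ENTRIES[bind_dn], ENTRIES[target_dn])

if __name__ == "__main__":
    for expr in ("manager#USERDN", "favoriteDrink#beer"):
        for who in (BOSS, PEER):
            print(expr, who, "->", check(expr, who, STAFF))
```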
