Bind Rules
Using the userattr Keyword with Inheritance
When you use the userattr keyword to associate the entry used to bind with the
target entry, the ACI applies only to the target specified and not to the entries
below it. In some circumstances, you might want to extend the application of the
ACI several levels below the targeted entry. This is possible by using the parent
keyword and specifying the number of levels below the target that should inherit
the ACI.
When you use the userattr keyword in association with the parent keyword,
the syntax is as follows:
userattr = "parent[inheritance_level].attrName#bindType"
or, if you are using an attribute type that requires a value other than a user DN,
group DN, role DN, or an LDAP filter:
userattr = "parent[inheritance_level].attrName#attrValue"
where
• inheritance_level is a comma-separated list that indicates how many levels below
the target will inherit the ACI. You can include five levels [0, 1, 2, 3, 4] below
the targeted entry; zero (0) indicates the targeted entry.
• attribute is the attribute targeted by the userattr or groupattr keyword.
• bindType can be one of USERDN, GROUPDN, or LDAPURL.
For example,
userattr = "parent[0, 1].manager#USERDN"
This bind rule is evaluated to be true if the bindDN matches the manager attribute
of the targeted entry. The permissions granted when the bind rule is evaluated to
be true apply to the target entry and to all entries immediately below it.
Example with userattr Inheritance
The example in Figure 6-1 indicates that user bjensen is allowed to read and
search the cn=Profiles entry as well as the first level of child entries which
includes cn=mail and cn=news, thus allowing her to search through her own mail
and news IDs.
230 Red Hat Directory Server Administrator's Guide • May 2005
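The following Python script is an added illustration of the parent[inheritance_level] syntax and of the Figure 6-1 scenario; it is not code from the guide or from Directory Server. It parses a userattr bind rule out of an ACI, validates that every inheritance level is in the range 0..4, and evaluates the rule against a small constructed directory tree. The tree, the DNs in it, and the full ACI text (its acl name and targetattr) are assumptions made for the example. The evaluation it models is the reading of the text above: for an entry being accessed, the rule is true when the bind DN appears in the named attribute of the entry n levels above it, for some n in the list, so a parent[0, 1] rule reaches the targeted entry and its immediate children and nothing deeper.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample directory tree (not the guide's Figure 6-1 data):
# DN -> attributes, with DNs and attribute names stored lower-cased.
# The manager of cn=Profiles is bjensen, so under a parent[0, 1] rule she
# reaches cn=Profiles and its first-level children only.
DIT: Dict[str, Dict[str, Set[str]]] = {
    "o=example.com": {"objectclass": {"organization"}},
    "cn=profiles,o=example.com": {
        "objectclass": {"nscontainer"},
        "manager": {"uid=bjensen,ou=people,o=example.com"},
    },
    "cn=mail,cn=profiles,o=example.com": {"objectclass": {"nscontainer"}},
    "cn=news,cn=profiles,o=example.com": {"objectclass": {"nscontainer"}},
    # Two levels below the target: outside a parent[0, 1] rule's reach.
    "cn=inbox,cn=mail,cn=profiles,o=example.com": {"objectclass": {"nscontainer"}},
}

# Hypothetical full ACI built around the guide's bind rule; the acl name and
# the targetattr are assumptions, not taken from the guide.
SAMPLE_ACI = (
    '(targetattr="*")(version 3.0; acl "profiles access"; '
    'allow (read, search) userattr = "parent[0, 1].manager#USERDN";)'
)

# userattr = "parent[levels].attrName#bindType"
RULE_RE = re.compile(
    r'userattr\s*=\s*"parent\[([0-9,\s]+)\]\.([A-Za-z][\w;-]*)#(USERDN|GROUPDN|LDAPURL)"'
)


def normalize_dn(dn: str) -> str:
    """Case-fold a DN and strip blanks around RDNs (sample DNs have no escaped commas)."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def parse_rule(text: str) -> Tuple[List[int], str, str]:
    """Return (inheritance levels, attribute name, bind type) from a userattr bind rule."""
    m = RULE_RE.search(text)
    if m is None:
        raise ValueError("not a userattr/parent bind rule: %r" % text)
    levels = sorted({int(v) for v in m.group(1).split(",") if v.strip()})
    if not levels or any(lv < 0 or lv > 4 for lv in levels):
        raise ValueError("inheritance_level entries must be in the range 0..4")
    return levels, m.group(2).lower(), m.group(3)


def parent_dn(dn: str, n: int) -> Optional[str]:
    """DN n levels above dn (n == 0 is dn itself), or None when the tree runs out."""
    rdns = normalize_dn(dn).split(",")
    if n >= len(rdns):
        return None
    return ",".join(rdns[n:])


def rule_matches(dit: Dict[str, Dict[str, Set[str]]], rule_text: str,
                 entry_dn: str, bind_dn: str) -> bool:
    """True if bind_dn is a value of attr on the entry n levels above entry_dn, for some n in levels."""
    levels, attr, bind_type = parse_rule(rule_text)
    if bind_type != "USERDN":
        raise NotImplementedError("only the USERDN bind type is modelled here")
    wanted = normalize_dn(bind_dn)
    for n in levels:
        ancestor = parent_dn(entry_dn, n)
        if ancestor is None:
            continue
        values = dit.get(ancestor, {}).get(attr, set())
        if wanted in {normalize_dn(v) for v in values}:
            return True
    return False


def reachable_entries(dit: Dict[str, Dict[str, Set[str]]], rule_text: str,
                      bind_dn: str) -> List[str]:
    """Entries of the tree on which the bind rule evaluates to true for bind_dn."""
    return sorted(dn for dn in dit if rule_matches(dit, rule_text, dn, bind_dn))


if __name__ == "__main__":
    for dn in reachable_entries(DIT, SAMPLE_ACI, "uid=bjensen,ou=People,o=example.com"):
        print("bind rule true for", dn)
```

Running the script lists cn=Profiles, cn=mail and cn=news for bjensen and leaves out cn=inbox one level further down; widening the rule to parent[0, 1, 2] brings that entry into reach, and a level of 5 is rejected at parse time. The script evaluates only the bind rule; the target and rights parts of the ACI are not modelled.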