(groupdn = "ldap:///cn=administrators,dc=example,dc=com" or
groupdn = "ldap:///cn=mail administrators,dc=example,dc=com" and
dns = "*.example.com";)
The trailing semicolon (;) is a required delimiter that must appear after the final
bind rule.
Boolean expressions are evaluated in the following order:
•
Innermost to outermost parenthetical expressions first.
•
All expressions from left to right.
•
NOT
The Boolean
Consider the following Boolean bind rules:
(bind_rule_A) OR (bind_rule_B)
(bind_rule_B) OR (bind_rule_A)
Because Boolean expressions are evaluated from left to right, in the first case, bind
rule A is evaluated before bind rule B, and, in the second case, bind rule B is
evaluated before bind rule A.
However, the Boolean
Thus, in the following example
(bind_rule_A) AND NOT (bind_rule_B)
bind rule B is evaluated before bind rule A despite the left-to-right rule.
Creating ACIs from the Console
You can use the Directory Server Console to view, create, edit, and delete access
control instructions for your directory. This section provides general instructions
for:
•
Displaying the Access Control Editor
•
Viewing Current ACIs
•
Creating a New ACI
•
Editing an ACI
•
Deleting an ACI
before
or
operators.
AND
OR
and Boolean
OR
AND
is evaluated before the Boolean
NOT
operators have no order of precedence.
Chapter 6
Creating ACIs from the Console
and Boolean
.
OR
AND
Managing Access Control
237