Macro ACI Example - Red Hat Directory Server 7.1 Administrator's Manual

Advanced Access Control: Using Macro ACIs
Macros are placeholders that are used to represent a DN, or a portion of a DN, in
an ACI. You can use a macro to represent a DN in the target portion of the ACI or
in the bind rule portion, or both. In practice, when Directory Server gets an
incoming LDAP operation, the ACI macros are matched against the resource
targeted by the LDAP operation. If there is a match, the macro is replaced by the
value of the DN of the targeted resource. Directory Server then evaluates the ACI
normally.
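
As an added illustration (not part of the Red Hat manual and not Directory Server code), the following Python sketch models the match-then-substitute step described above for a single ($dn) macro. The ($dn) syntax, the target and groupdn templates, the function names and the sample DNs are assumptions that do not appear in this excerpt; DNs are assumed to contain no escaped commas.

```python
# Simplified model of ($dn) macro matching and substitution in an ACI.
# Added illustration, not Directory Server code. Assumes DNs without escaped
# commas and a target template of the form "<prefix>,($dn),<suffix>".

MACRO = "($dn)"
# Assumed macro templates (constructed for this example).
TARGET = "ou=Groups,($dn),dc=example,dc=com"
GROUPDN = "cn=DomainAdmins,ou=Groups,($dn),dc=example,dc=com"

def rdns(dn):
    """Split a DN into lowercase, whitespace-trimmed RDNs."""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]

def match_macro(target_template, entry_dn):
    """Return the DN portion that ($dn) stands for, or None if no match."""
    tmpl, entry = rdns(target_template), rdns(entry_dn)
    pos = tmpl.index(MACRO)
    prefix, suffix = tmpl[:pos], tmpl[pos + 1:]
    # The fixed suffix must end the entry DN and leave something for the macro.
    if len(entry) <= len(suffix) or entry[len(entry) - len(suffix):] != suffix:
        return None
    body = entry[:len(entry) - len(suffix)]
    # The target is a subtree, so the entry may sit below the fixed prefix.
    for start in range(len(body) - len(prefix)):
        if body[start:start + len(prefix)] == prefix:
            return ",".join(body[start + len(prefix):])
    return None

def expand_bind_rule(target_template, bind_template, entry_dn):
    """Return the bind-rule DN with ($dn) substituted, or None if no match."""
    value = match_macro(target_template, entry_dn)
    if value is None:
        return None
    return ",".join(rdns(bind_template)).replace(MACRO, value)

def allowed(entry_dn, bound_user_groups):
    """True if one of the bound user's groups equals the expanded groupdn."""
    group = expand_bind_rule(TARGET, GROUPDN, entry_dn)
    groups = {",".join(rdns(g)) for g in bound_user_groups}
    return group is not None and group in groups

if __name__ == "__main__":
    # Constructed sample entry and group memberships.
    entry = "cn=all,ou=Groups,dc=hostedCompany1,dc=example,dc=com"
    own = ["cn=DomainAdmins,ou=Groups,dc=hostedCompany1,dc=example,dc=com"]
    other = ["cn=DomainAdmins,ou=Groups,dc=hostedCompany2,dc=example,dc=com"]
    print(match_macro(TARGET, entry), allowed(entry, own), allowed(entry, other))
```

One template pair serves every hosted company, and an administrator of one company's DomainAdmins group gains nothing on another company's entries because the expanded groupdn differs per target.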

Macro ACI Example

The benefits of macro ACIs and how they work are best explained using an
example. Figure 6-4, on page 271, shows a directory tree in which using macro
ACIs is an effective way of reducing the overall number of ACIs.
This illustration uses a repeating pattern of subdomains with the same tree
structure (ou=groups, ou=people). This pattern is also repeated across the tree
because the example.com directory tree stores the suffixes
dc=hostedCompany2,dc=example,dc=com and dc=hostedCompany3,dc=example,dc=com.

The ACIs that apply in the directory tree also have a repeating pattern. For
example, the following ACI is located on the
dc=hostedCompany1,dc=example,dc=com node:

aci: (targetattr="*")(targetfilter=(objectClass=nsManagedDomain))
(version 3.0; acl "Domain access"; allow (read,search) groupdn=
"ldap:///cn=DomainAdmins,ou=Groups,dc=hostedCompany1,dc=example,dc=com";)

This ACI grants read and search rights to the DomainAdmins group to any entry
in the dc=hostedCompany1,dc=example,dc=com tree.

Red Hat Directory Server Administrator's Guide • May 2005
