Advanced Access Control: Using Macro ACIs
The following ACI is located on the dc=subdomain1,dc=hostedCompany1,dc=example,dc=com node:

aci: (targetattr="*")(targetfilter=(objectClass=nsManagedDomain))
(version 3.0; acl "Domain access"; allow (read,search)
groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=subdomain1,dc=hostedCompany1,dc=example,dc=com";)

The following ACI is located on the dc=hostedCompany2,dc=example,dc=com node:

aci: (targetattr="*")(targetfilter=(objectClass=nsManagedDomain))
(version 3.0; acl "Domain access"; allow (read,search)
groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=hostedCompany2,dc=example,dc=com";)

The following ACI is located on the dc=subdomain1,dc=hostedCompany2,dc=example,dc=com node:

aci: (targetattr="*")(targetfilter=(objectClass=nsManagedDomain))
(version 3.0; acl "Domain access"; allow (read,search)
groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=subdomain1,dc=hostedCompany2,dc=example,dc=com";)

In the four ACIs shown above, the only differentiator is the DN specified in the groupdn keyword. By using a macro for the DN, it is possible to replace these ACIs by a single ACI at the root of the tree, on the dc=example,dc=com node. This ACI reads as follows:

aci: (target="ldap:///ou=Groups,($dn),dc=example,dc=com")
(targetattr="*")(targetfilter=(objectClass=nsManagedDomain))
(version 3.0; acl "Domain access"; allow (read,search)
groupdn="ldap:///cn=DomainAdmins,ou=Groups,[$dn],dc=example,dc=com";)

The target keyword, which was not previously used, needs to be introduced.

In the example above, the number of ACIs is reduced from four to one. However, the real benefit depends on how many repeating patterns exist down and across the directory tree.

Macro ACI Syntax

Macro ACIs include the following types of expressions to replace a DN or part of a DN:

272
Red Hat Directory Server Administrator's Guide • May 2005
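As an added illustration (not taken from the Administrator's Guide and not the server's own implementation), the following Python models the one substitution the macro ACI above relies on: ($dn) in the target captures the RDNs that sit between the target's fixed prefix (ou=Groups) and its fixed suffix (dc=example,dc=com) in the DN of the entry being accessed, and that captured value is substituted verbatim for [$dn] in the groupdn before group membership is evaluated. The entry DNs, the requirement that ($dn) capture at least one RDN, and the leftmost-match choice for nested ou=Groups containers are assumptions of this model; any further expansion rules the server applies are outside what this page describes and are not modelled.

```python
from __future__ import annotations

import re

# Constructed example modelling the macro ACI from the page. It is not
# Directory Server code; it only shows how one macro ACI on dc=example,dc=com
# reproduces the per-domain groupdn values of the separate static ACIs.
TARGET_MACRO = "ldap:///ou=Groups,($dn),dc=example,dc=com"
GROUPDN_MACRO = "ldap:///cn=DomainAdmins,ou=Groups,[$dn],dc=example,dc=com"


def _dn_components(dn: str) -> list[str]:
    """Split a DN into RDNs on unescaped commas; lower-case attribute types, keep values."""
    if not dn:
        return []
    out = []
    for rdn in re.split(r"(?<!\\),", dn):
        typ, _, val = rdn.strip().partition("=")
        out.append(f"{typ.strip().lower()}={val.strip()}")
    return out


def match_target_macro(target_macro: str, entry_dn: str) -> str | None:
    """Return the RDN sequence ($dn) stands for when entry_dn matches the target, else None.

    The fixed suffix after ($dn) must be the tail of the entry DN; the fixed prefix
    before ($dn) must occur in what remains (leftmost occurrence is used, an
    assumption of this model); ($dn) captures the RDNs between the two.
    """
    url = target_macro.removeprefix("ldap:///")
    if "($dn)" not in url:
        return None
    prefix, suffix = url.split("($dn)", 1)
    prefix_rdns = _dn_components(prefix.rstrip(","))
    suffix_rdns = _dn_components(suffix.lstrip(","))
    entry_rdns = _dn_components(entry_dn)

    cut = len(entry_rdns) - len(suffix_rdns)
    if cut < 0 or entry_rdns[cut:] != suffix_rdns:
        return None  # entry is not under the target's fixed suffix
    head = entry_rdns[:cut]
    for i in range(len(head) - len(prefix_rdns) + 1):
        if head[i:i + len(prefix_rdns)] == prefix_rdns:
            captured = head[i + len(prefix_rdns):]
            # Assumption: ($dn) must stand for at least one RDN.
            return ",".join(captured) if captured else None
    return None


def expand_groupdn(groupdn_macro: str, dn_value: str) -> str:
    """Substitute the captured ($dn) value for [$dn] in the subject's groupdn."""
    return groupdn_macro.replace("[$dn]", dn_value)


def effective_groupdn(entry_dn: str) -> str | None:
    """Which DomainAdmins group the macro ACI consults for entry_dn, or None if untargeted."""
    dn_value = match_target_macro(TARGET_MACRO, entry_dn)
    if dn_value is None:
        return None
    return expand_groupdn(GROUPDN_MACRO, dn_value).removeprefix("ldap:///")


def demo() -> dict[str, str | None]:
    """Map the DomainAdmins entry of each hosted domain node to the group the macro yields."""
    nodes = [  # constructed: the four nodes the page's static ACIs were placed on
        "dc=hostedCompany1,dc=example,dc=com",
        "dc=subdomain1,dc=hostedCompany1,dc=example,dc=com",
        "dc=hostedCompany2,dc=example,dc=com",
        "dc=subdomain1,dc=hostedCompany2,dc=example,dc=com",
    ]
    return {n: effective_groupdn(f"cn=DomainAdmins,ou=Groups,{n}") for n in nodes}


if __name__ == "__main__":
    for node, group in demo().items():
        print(f"{node}\n    -> {group}")
```

Each of the four nodes yields exactly the groupdn that the corresponding static ACI hard-coded, which is the point of the macro: the substitution follows the entry's position in the tree rather than being copied per domain. An entry outside an ou=Groups container (for instance under ou=People) returns None, because the target pattern on the page only names ou=Groups; a change to the fixed parts of the target therefore changes which entries the single ACI governs, and is worth re-checking after any edit.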