Macro Matching For ($Attr.attrname) - Red Hat DIRECTORY SERVER 7.1 - ADMINISTRATOR Administrator's Manual


3. Replace [$dn] in subject with dc=hostedCompany1.

The result is groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=hostedCompany1,dc=example,dc=com". In this case, if the bind DN is not a member of that group, the ACI is not evaluated. If it is a member, the ACI is evaluated.

The advantage of the [$dn] macro is that it provides a flexible way of granting access to domain-level administrators to all the subdomains in the directory tree. Therefore, it is useful for expressing a hierarchical relationship between domains.

For example, consider the following ACI:

aci: (target="ldap:///ou=*, ($dn),dc=example,dc=com")
(targetattr="*")(targetfilter=(objectClass=nsManagedDomain))
(version 3.0; acl "Domain access"; allow (read,search)
groupdn="ldap:///cn=DomainAdmins,ou=Groups,[$dn],dc=example,dc=com";)

It grants access to the members of cn=DomainAdmins,ou=Groups,dc=hostedCompany1,dc=example,dc=com to all of the subdomains under dc=hostedCompany1, so an administrator belonging to that group could access, for example, the subtree ou=people, dc=subdomain1.1, dc=subdomain1.

However, at the same time, members of cn=DomainAdmins,ou=Groups,dc=subdomain1.1 would be denied access to the ou=people,dc=hostedCompany1 and ou=people,dc=hostedCompany1 nodes.

Macro Matching for ($attr.attrName)

The ($attr.attrName) macro is always used in the subject part of a DN. For example, you could define the following roledn:

roledn = "ldap:///cn=DomainAdmins,($attr.ou)"

Now, assume the server receives an LDAP operation targeted at the following entry:

dn: cn=Jane Doe, ou=People, dc=HostedCompany1, dc=example,dc=com
cn: Jane Doe
sn: Doe
ou: Engineering, dc=HostedCompany1, dc=example,dc=com
...

In order to evaluate the roledn part of the ACI, the server looks at the ou attribute stored in the targeted entry and uses the value of this attribute to expand the macro. Therefore, in the example, the roledn is expanded as follows:

Chapter 6: Managing Access Control
Advanced Access Control: Using Macro ACIs
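
Added example (not from the Red Hat manual): a simplified Python model of how the ($dn) and [$dn] macros in the "Domain access" ACI earlier on this page resolve, useful when auditing which DomainAdmins groups a macro ACI actually reaches. It assumes [$dn] is tried with the matched value first and then with the leftmost RDN dropped at each step, and it ignores the targetfilter and DN escaping; the function names and the full subdomain group DN are constructed for illustration.

```python
import re

# Target and subject templates taken from the "Domain access" ACI on this page.
TARGET = "ou=*, ($dn),dc=example,dc=com"
SUBJECT = "cn=DomainAdmins,ou=Groups,[$dn],dc=example,dc=com"

def norm(dn):
    """Simplified DN normalisation: lower-case, strip spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def match_dn_macro(target_tmpl, entry_dn):
    """Return the part of entry_dn that ($dn) matches, or None if no match."""
    pattern = re.escape(norm(target_tmpl))
    pattern = pattern.replace(re.escape("($dn)"), "(?P<dn>.+)")
    pattern = pattern.replace(re.escape("*"), "[^,]*")  # "*" stays inside one RDN
    m = re.fullmatch(pattern, norm(entry_dn))
    return m.group("dn") if m else None

def expand_subject(subject_tmpl, matched):
    """Assumed [$dn] behaviour: matched value first, then drop leftmost RDNs."""
    rdns = matched.split(",")
    return [norm(subject_tmpl).replace("[$dn]", ",".join(rdns[i:]))
            for i in range(len(rdns))]

def aci_applies(entry_dn, bind_groups):
    """True if the bind DN is in any group named by an expanded groupdn."""
    matched = match_dn_macro(TARGET, entry_dn)
    if matched is None:
        return False
    member_of = {norm(g) for g in bind_groups}
    return any(g in member_of for g in expand_subject(SUBJECT, matched))

# Constructed sample DNs, built from the names used on this page.
BASE = "dc=hostedCompany1,dc=example,dc=com"
HOSTED_ADMINS = "cn=DomainAdmins,ou=Groups," + BASE
SUB_ADMINS = "cn=DomainAdmins,ou=Groups,dc=subdomain1.1,dc=subdomain1," + BASE
DEEP_ENTRY = "ou=people, dc=subdomain1.1, dc=subdomain1," + BASE
TOP_ENTRY = "ou=people," + BASE

if __name__ == "__main__":
    for entry in (DEEP_ENTRY, TOP_ENTRY):
        for label, group in (("hostedCompany1 admins", HOSTED_ADMINS),
                             ("subdomain1.1 admins", SUB_ADMINS)):
            print(f"{label:22} {entry}: {aci_applies(entry, [group])}")
```

Every pair prints True except the subdomain1.1 admins against ou=people,dc=hostedCompany1, which is the denial the [$dn] passage describes.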
