Red Hat Directory Server 8.0 Administration Guide: Targeting Attributes


• (target="ldap:///uid=*,dc=example,dc=com") — Matches every entry in the entire
example.com tree that has the uid attribute in the entry's RDN.
• (target="ldap:///uid=*Anderson,dc=example,dc=com") — Matches every entry directly
under the example.com node with a uid ending in Anderson.
• (target="ldap:///uid=C*A,dc=example,dc=com") — Matches every entry directly under
the example.com node with a uid beginning with C and ending with A.
• (target="ldap:///uid=*,ou=*,dc=example,dc=com") — Matches every
entry in the example.com tree whose distinguished name contains the uid and
ou attributes. Thus, uid=fchen,ou=Engineering,dc=example,dc=com or
uid=claire,ou=Engineering,ou=people,dc=example,dc=com would match, but
uid=bjensen,dc=example,dc=com or ou=Engineering,dc=example,dc=com would not.
Depending on the position of the wildcard, it can apply to the full DN, not only to attribute
values. Therefore, the wildcard can be used as a substitute for portions of the DN. For example,
uid=andy*,dc=example,dc=com targets all the directory entries in the entire example.com
tree with a matching uid attribute and not just the entries that are immediately below the
dc=example,dc=com node. In other words, this target matches with longer expressions such as
uid=andy,ou=eng,dc=example,dc=com or uid=andy,ou=marketing,dc=example,dc=com.
NOTE
You cannot use wildcards in the suffix part of a distinguished name. That is, if your
directory uses the suffixes c=US and c=GB, then you cannot use
(target="ldap:///dc=example,c=*") as a target to reference both suffixes. Neither can you
use a target such as uid=bjensen,dc=*.com.

6.3.2.2. Targeting Attributes

In addition to targeting directory entries, you can also target one or more attributes included in the
targeted entries. This is useful to deny or allow access to partial information about an entry. For
example, you could allow access to only the common name, surname, and telephone number
attributes of a given entry while denying access to sensitive information such as passwords.
You can specify that the target is equal or is not equal to a specific attribute. The attributes you supply
do not need to be defined in the schema. This absence of schema checking makes it possible to
implement an access control policy when you set up your directory service for the first time, even if the
ACLs you create do not apply to the current directory content.
To target attributes, use the targetattr keyword. The keyword uses the following syntax:
(targetattr = "attribute")
You can target multiple attributes by using the targetattr keyword with the following syntax:
(targetattr = "attribute1 || attribute2 ...|| attributen")
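The target wildcard rules described above and the targetattr syntax, worked through as an added Python example (this is not code from the manual or from Red Hat Directory Server itself). It models a target as a glob over the full DN, with "*" spanning any run of characters including commas, which is what makes uid=andy*,dc=example,dc=com reach entries deeper in the tree. It assumes a configured suffix list (dc=example,dc=com, c=US, c=GB) so that the "no wildcard in the suffix" rule can be enforced, simplifies DN normalization to lower-casing and whitespace trimming, and assumes that targetattr="*" selects every attribute. All helper names are the example's own.

```python
import re

# Constructed sample suffix list (assumption): the directory holds these suffixes.
SUFFIXES = ("dc=example,dc=com", "c=US", "c=GB")


def normalize_dn(dn: str) -> str:
    """Simplified DN normalization: drop an ldap:/// prefix, trim around commas, lower-case."""
    dn = dn.strip()
    if dn.lower().startswith("ldap:///"):
        dn = dn[len("ldap:///"):]
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_target(aci_clause: str) -> str:
    """Extract and normalize the DN pattern from a (target="ldap:///...") clause."""
    m = re.fullmatch(r'\s*\(\s*target\s*=\s*"([^"]*)"\s*\)\s*', aci_clause)
    if not m:
        raise ValueError(f"not a target clause: {aci_clause!r}")
    return normalize_dn(m.group(1))


def validate_target(pattern: str, suffixes=SUFFIXES) -> None:
    """Reject a target whose suffix part is not spelled out literally.

    Wildcards may only appear in front of a configured suffix, so dc=example,c=*
    and uid=bjensen,dc=*.com are both rejected.
    """
    pattern = normalize_dn(pattern)
    for suffix in suffixes:
        s = normalize_dn(suffix)
        if pattern == s or pattern.endswith("," + s):
            return
    raise ValueError(f"target {pattern!r} does not end in a literal directory suffix")


def target_matches(pattern: str, entry_dn: str) -> bool:
    """Glob-style match of a target pattern against a full DN; '*' spans any characters."""
    pattern = normalize_dn(pattern)
    validate_target(pattern)
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.fullmatch(regex, normalize_dn(entry_dn)) is not None


def parse_targetattr(aci_clause: str):
    """Parse (targetattr = "a || b") or (targetattr != "a || b").

    Returns (negated, frozenset of lower-cased attribute names). Names are not
    checked against any schema, matching the manual's description.
    """
    m = re.fullmatch(r'\s*\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)\s*', aci_clause)
    if not m:
        raise ValueError(f"not a targetattr clause: {aci_clause!r}")
    negated = m.group(1) == "!="
    names = frozenset(a.strip().lower() for a in m.group(2).split("||") if a.strip())
    return negated, names


def attr_in_scope(targetattr, attribute_name: str) -> bool:
    """True if the attribute is covered by the targetattr clause ('*' assumed to mean all)."""
    negated, names = targetattr
    hit = "*" in names or attribute_name.lower() in names
    return not hit if negated else hit


def governed_attributes(target_clause: str, targetattr_clause: str,
                        entry_dn: str, attributes) -> list:
    """Which of an entry's attributes fall under an ACI built from these two clauses.

    Returns an empty list when the entry DN is outside the target at all.
    """
    pattern = parse_target(target_clause)
    if not target_matches(pattern, entry_dn):
        return []
    ta = parse_targetattr(targetattr_clause)
    return [a for a in attributes if attr_in_scope(ta, a)]


if __name__ == "__main__":
    # Constructed entry: allow cn, sn and telephoneNumber while leaving userPassword out.
    print(governed_attributes(
        '(target="ldap:///uid=*,ou=*,dc=example,dc=com")',
        '(targetattr = "cn || sn || telephoneNumber")',
        "uid=fchen,ou=Engineering,dc=example,dc=com",
        ["cn", "sn", "telephoneNumber", "userPassword"],
    ))
```

Running the module prints the three attributes the ACI reaches for the sample entry; userPassword is left out because it is not named in the targetattr clause, which is exactly the partial-information pattern the text describes.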