Using The Userattr Keyword With Inheritance - Red Hat DIRECTORY SERVER 8.0 - ADMINISTRATION Administration Manual

Chapter 6. Managing Access Control
The bind rule is evaluated to be true if the bind DN and the target DN include the favoriteDrink
attribute with a value of Beer.

6.4.5.1.6. Using the userattr Keyword with Inheritance

When you use the userattr keyword to associate the entry used to bind with the target entry, the
ACI applies only to the target specified and not to the entries below it. In some circumstances, you
might want to extend the application of the ACI several levels below the targeted entry. This is possible
by using the parent keyword and specifying the number of levels below the target that should inherit
the ACI.
When you use the userattr keyword in association with the parent keyword, the syntax is as
follows:
userattr = "parent[inheritance_level].attrName#bindType"
Using an attribute type that requires a value other than a user DN, group DN, role DN, or an LDAP
filter, the syntax is as follows:
userattr = "parent[inheritance_level].attrName#attrValue"
• inheritance_level is a comma-separated list that indicates how many levels below the target inherit
the ACI. You can include five levels (0, 1, 2, 3, 4) below the targeted entry; zero (0) indicates the
targeted entry itself.
• attrName is the attribute targeted by the userattr or groupattr keyword.
• bindType can be one of USERDN, GROUPDN, or LDAPURL.
For example:
userattr = "parent[0,1].manager#USERDN"
This bind rule is evaluated to be true if the bind DN matches the manager attribute of the targeted
entry. The permissions granted when the bind rule is evaluated to be true apply to the target entry and
to all entries immediately below it.
The example in Figure 6.1, "Using Inheritance With the userattr Keyword", indicates that user bjensen
is allowed to read and search the cn=Profiles entry as well as the first level of child entries, which
includes cn=mail and cn=news, thus allowing her to search through her own mail and news IDs.
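The evaluation described above, as an added example that is not part of the manual: a small Python model of how a parent[...] userattr bind rule is matched against a constructed directory tree like the one in Figure 6.1. The DNs, the manager and owner attribute values, and the helper names are assumptions; the real server's DN matching and normalization rules may differ.

```python
import re

# Constructed sample directory (DN -> attributes), loosely modelled on Figure 6.1:
# cn=Profiles names bjensen as manager; mail/news sit one level below, cn=old two.
BJENSEN = "uid=bjensen,ou=People,dc=example,dc=com"
ADMINS = "cn=Admins,ou=Groups,dc=example,dc=com"
DIRECTORY = {
    "cn=Profiles,dc=example,dc=com": {"manager": [BJENSEN], "owner": [ADMINS]},
    "cn=mail,cn=Profiles,dc=example,dc=com": {},
    "cn=news,cn=Profiles,dc=example,dc=com": {},
    "cn=old,cn=news,cn=Profiles,dc=example,dc=com": {},
    ADMINS: {"uniquemember": ["uid=tmorris,ou=People,dc=example,dc=com"]},
}

RULE_RE = re.compile(r'^parent\[(\d+(?:,\d+)*)\]\.(\w+)#(USERDN|GROUPDN)$', re.I)

def norm(dn: str) -> str:  # canonicalize a DN for comparison (trim, lowercase)
    return ",".join(p.strip().lower() for p in dn.split(","))

def lookup(dn: str, directory):  # fetch an entry's attributes by normalized DN
    return next((a for d, a in directory.items() if norm(d) == norm(dn)), {})

def parse_rule(rule: str):
    """Parse parent[levels].attrName#bindType; only levels 0-4 are allowed."""
    m = RULE_RE.match(rule.strip().strip('"'))
    if not m:
        raise ValueError(f"unsupported userattr bind rule: {rule!r}")
    levels = sorted({int(x) for x in m.group(1).split(",")})
    if levels[-1] > 4:
        raise ValueError("inheritance levels must be in 0..4")
    return levels, m.group(2).lower(), m.group(3).upper()

def depth_below(target_dn: str, entry_dn: str):
    """How many RDNs entry_dn sits below target_dn (None if not under it)."""
    t, e = norm(target_dn).split(","), norm(entry_dn).split(",")
    if len(e) < len(t) or e[len(e) - len(t):] != t:
        return None
    return len(e) - len(t)

def bind_rule_matches(rule, target_dn, entry_dn, bind_dn, directory=DIRECTORY):
    """True if the inherited userattr rule grants bind_dn access to entry_dn."""
    levels, attr, bind_type = parse_rule(rule)
    depth = depth_below(target_dn, entry_dn)
    if depth is None or depth not in levels:
        return False  # entry is outside the inherited levels
    # parent[depth] of the entry is the targeted entry itself, so the attribute
    # is read from the target and compared with the bind identity.
    values = [norm(v) for v in lookup(target_dn, directory).get(attr, [])]
    if bind_type == "USERDN":
        return norm(bind_dn) in values
    # GROUPDN: the bind DN must be a member of one of the groups the attribute names
    return any(norm(bind_dn) in map(norm, lookup(g, directory).get("uniquemember", []))
               for g in values)
```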
