Advanced Access Control: Using Macro Acis; Macro Aci Example - Red Hat DIRECTORY SERVER 8.0 - ADMINISTRATION Administration Manual


Chapter 6. Managing Access Control
• The accounting administrator must have access permissions to the
ou=Accounting,dc=example,dc=com subtree, so the following ACI grants all rights to the
accounting administrator entry:
aci: (target="ldap:///ou=Accounting,dc=example,dc=com") (targetattr="*")
(version 3.0; acl "allowAll-AcctAdmin"; allow (all)
userdn="ldap:///uid=AcctAdministrator,ou=Administrators,dc=example,dc=com";)
• There must be an ACI granting proxy rights to the client application on the same subtree:
aci: (target="ldap:///ou=Accounting,dc=example,dc=com") (targetattr="*")
(version 3.0; acl "allow proxy-accounting software"; allow (proxy)
userdn="ldap:///uid=MoneyWizAcctSoftware,ou=Applications,dc=example,dc=com";)
With these two ACIs in place, the MoneyWizAcctSoftware client application can bind to the
directory as itself and send an LDAP operation, such as an ldapsearch or ldapmodify, that carries
the proxied authorization control naming AcctAdministrator. The server then evaluates that
operation with the access rights of the proxy DN instead of those of the bind DN.
For example, with the Directory Server command-line tools the -y option adds the control and takes
the proxy DN as its argument, so an ldapmodify run by the client looks like this:
ldapmodify -D "uid=MoneyWizAcctSoftware,ou=Applications,dc=example,dc=com" -w secretpwd
-y "uid=AcctAdministrator,ou=Administrators,dc=example,dc=com"
The client or application (MoneyWizAcctSoftware) binds as itself but is granted the privileges of the
proxy entry (AcctAdministrator). The client does not need the password of the proxy entry; the
allow (proxy) right on the targeted subtree is what authorizes the impersonation, so that ACI should
be scoped no wider than the application needs. (The OpenLDAP client tools attach the same control
with -e authzid=dn:<proxy DN> rather than -y. With either tool, prefer reading the bind password
from a file over passing it with -w on the command line, where it is visible in the process list.)
NOTE
There are some restrictions on proxy authorization. You cannot use the Directory Manager's DN
(root DN) as a proxy DN. Additionally, if Directory Server receives more than one proxied
authorization control on a single operation, it returns an error to the client application and
the operation fails.

6.10. Advanced Access Control: Using Macro ACIs

In organizations whose directory tree repeats the same structure many times, the number of ACIs
in the directory can be reduced by using macros. Fewer ACIs make the access control policy easier
to manage and reduce the memory the server spends holding ACIs.
Macros are placeholders that represent a DN, or a portion of a DN, in an ACI. A macro can stand in
for a DN in the target portion of the ACI, in the bind rule portion, or in both.
In practice, when Directory Server receives an LDAP operation, it matches the macro in the ACI
target against the DN of the entry the operation targets. If there is a match, the macro is
replaced, wherever it appears in the ACI, by the portion of that DN it matched, and Directory
Server then evaluates the ACI normally.
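The matching and substitution described above, as an added illustration that is not Directory Server code: a simplified Python model of one macro ACI in Directory Server syntax. It uses the documented macro forms ($dn) in the target and [$dn] in the bind rule; the suffix dc=example,dc=com, the hosted subdomains, the group names and the bound user's memberships are all constructed for the example, and the model ignores targetattr, rights and every bind-rule keyword other than groupdn.

```python
import re

# Constructed macro ACI (hypothetical tree): one ACI covers ou=Groups under
# every subdomain, and the admin group it trusts lives in the same subdomain.
MACRO_ACI = (
    '(target="ldap:///ou=Groups,($dn),dc=example,dc=com")(targetattr="*")'
    '(version 3.0; acl "Domain access"; allow (read,search) '
    'groupdn="ldap:///cn=DomainAdmins,ou=Groups,[$dn],dc=example,dc=com";)'
)


def parse_macro_aci(aci):
    """Pull the target DN pattern and the groupdn bind-rule pattern out of an ACI string."""
    target = re.search(r'\(target="ldap:///([^"]+)"\)', aci).group(1)
    groupdn = re.search(r'groupdn="ldap:///([^"]+)"', aci).group(1)
    return target, groupdn


def match_dn_macro(target_pattern, entry_dn):
    """Match the target pattern against entry_dn with subtree scope (the ACI applies to the
    target entry and everything below it), case-insensitively.
    Returns the DN fragment that ($dn) stands for, "" if the pattern has no macro,
    or None if the ACI does not apply to this entry at all."""
    regex = re.escape(target_pattern).replace(re.escape("($dn)"), r"(?P<dn>.+?)")
    m = re.match(r"^(?:.*,)?" + regex + r"$", entry_dn, re.IGNORECASE)
    if m is None:
        return None
    return m.group("dn") if "dn" in m.groupdict() else ""


def expand_bind_rule(bind_pattern, dn_value):
    """Return the bind-rule DNs the server tries, in order.
    ($dn) is replaced by the matched value only. [$dn] is replaced by the matched value
    and then by each shorter suffix of it (dropping RDNs from the left), so a group
    defined one level up in the repeating tree still matches."""
    if "[$dn]" in bind_pattern:
        rdns = [r.strip() for r in dn_value.split(",") if r.strip()]
        return [bind_pattern.replace("[$dn]", ",".join(rdns[i:])) for i in range(len(rdns))]
    return [bind_pattern.replace("($dn)", dn_value)]


def macro_aci_allows(aci, entry_dn, bind_user_groups):
    """Decide whether the ACI grants its rights on entry_dn to a bound user whose group
    memberships are bind_user_groups (a constructed list of group DNs)."""
    target, groupdn = parse_macro_aci(aci)
    dn_value = match_dn_macro(target, entry_dn)
    if dn_value is None:  # target did not match: this ACI is not evaluated for the entry
        return False
    members_of = {g.lower() for g in bind_user_groups}
    return any(c.lower() in members_of for c in expand_bind_rule(groupdn, dn_value))


if __name__ == "__main__":
    # Constructed bound user: an admin of dc=hosted1 only.
    groups = ["cn=DomainAdmins,ou=Groups,dc=hosted1,dc=example,dc=com"]
    for entry in (
        "cn=Engineers,ou=Groups,ou=eng,dc=hosted1,dc=example,dc=com",  # allowed via [$dn] suffix walk
        "cn=Engineers,ou=Groups,ou=eng,dc=hosted2,dc=example,dc=com",  # other tenant: denied
        "uid=bob,ou=People,dc=hosted1,dc=example,dc=com",              # target does not match
    ):
        print(entry, "->", macro_aci_allows(MACRO_ACI, entry, groups))
```

The second case is the property to check when rolling out a macro ACI: because [$dn] is filled from the targeted entry, an admin group in one subdomain never satisfies the bind rule for another subdomain, even though a single ACI covers both.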

6.10.1. Macro ACI Example

Figure 6.3, "Example Directory Tree for Macro ACIs" shows a directory tree which uses macro
ACIs to effectively reduce the overall number of ACIs. This illustration uses a repeating pattern of
subdomains with the same tree structure (ou=groups, ou=people). This pattern is also repeated
