Macro Aci Syntax - Red Hat DIRECTORY SERVER 8.0 - ADMINISTRATION Administration Manual

Chapter 6. Managing Access Control
groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=hostedCompany2,dc=example,dc=com";)
The following ACI is located on the dc=subdomain1,dc=hostedCompany2,dc=example,dc=com node:
aci: (targetattr="*")(targetfilter=(objectClass=nsManagedDomain))
(version 3.0; acl "Domain access"; allow (read,search)
groupdn="ldap:///cn=DomainAdmins,ou=Groups,
dc=subdomain1,dc=hostedCompany2,dc=example,dc=com";)
In the four ACIs shown above, the only differentiator is the DN specified in the groupdn keyword. By
using a macro for the DN, it is possible to replace these ACIs by a single ACI at the root of the tree, on
the dc=example,dc=com node. This ACI reads as follows:
aci: (target="ldap:///ou=Groups,($dn),dc=example,dc=com")
(targetattr="*")(targetfilter=(objectClass=nsManagedDomain))
(version 3.0; acl "Domain access"; allow (read,search)
groupdn="ldap:///cn=DomainAdmins,ou=Groups,[$dn],dc=example,dc=com";)
The target keyword, which was not previously used, is utilized in the new ACI.
In this example, the number of ACIs is reduced from four to one. The real benefit depends on how
many repeating patterns you have down and across your directory tree.

6.10.2. Macro ACI Syntax

Macro ACIs include the following types of expressions to replace a DN or part of a DN:
• ($dn)
• [$dn]
• ($attr.attrName), where attrName represents an attribute contained in the target entry
In this section, the ACI keywords used to provide bind credentials, such as userdn, roledn,
groupdn, and userattr, are collectively called the subject, as opposed to the target, of the ACI.
Macro ACIs can be used in the target part or the subject part of an ACI.
Table 6.9, "Macros in ACI Keywords" shows in what parts of the ACI you can use DN macros:

Macro               ACI Keyword
($dn)               target, targetfilter, userdn, roledn, groupdn, userattr
[$dn]               targetfilter, userdn, roledn, groupdn, userattr
($attr.attrName)    userdn, roledn, groupdn, userattr

Table 6.9. Macros in ACI Keywords

The following restrictions apply:
• If you use ($dn) in targetfilter, userdn, roledn, groupdn, userattr, you must define a
target that contains ($dn).
• If you use [$dn] in targetfilter, userdn, roledn, groupdn, userattr, you must define a
target that contains ($dn).
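
The placement rules in Table 6.9 and the restrictions above can be checked mechanically before an ACI is loaded. The following Python is an added example, not part of the Red Hat manual or of Directory Server; the function names and the two rule-breaking ACIs are constructed for illustration, and the parser assumes lower-case keywords whose values are quoted strings or parenthesised filters.

```python
import re
# Table 6.9 on this page: the ACI keywords each macro may appear in.
SUBJECT = {"userdn", "roledn", "groupdn", "userattr"}
ALLOWED = {"($dn)": {"target", "targetfilter"} | SUBJECT,
           "[$dn]": {"targetfilter"} | SUBJECT,
           "($attr.attrName)": SUBJECT}
KEYWORD = re.compile(r"\b(targetfilter|targetattr|target|userdn|roledn|groupdn|userattr)\s*!?=\s*")
MACRO = re.compile(r"\(\$dn\)|\[\$dn\]|\(\$attr\.[^)]*\)")

def keyword_values(aci):
    """Yield (keyword, value); a value is a quoted string or a balanced (...) filter."""
    for m in KEYWORD.finditer(aci):
        rest = aci[m.end():]
        if rest.startswith('"'):
            yield m.group(1), rest[1:rest.find('"', 1)]
        elif rest.startswith("("):
            depth = 0
            for i, ch in enumerate(rest):
                depth += (ch == "(") - (ch == ")")
                if depth == 0:
                    yield m.group(1), rest[:i + 1]
                    break

def check_macro_aci(aci):
    """Return the violations of Table 6.9 and of the ($dn)-in-target restriction."""
    problems, target_has_dn, needs_target = [], False, False
    for kw, value in keyword_values(aci):
        for found in MACRO.findall(value):
            macro = "($attr.attrName)" if found.startswith("($attr.") else found
            if kw not in ALLOWED[macro]:
                problems.append(f"{macro} is not allowed in {kw}")
            if kw == "target" and macro == "($dn)":
                target_has_dn = True
            elif macro != "($attr.attrName)":
                needs_target = True  # ($dn)/[$dn] outside target needs a ($dn) target
    if needs_target and not target_has_dn:
        problems.append("($dn) or [$dn] used without a target that contains ($dn)")
    return problems

# The macro ACI from this page, then two constructed ACIs that break the rules.
PAGE_ACI = '''(target="ldap:///ou=Groups,($dn),dc=example,dc=com")
(targetattr="*")(targetfilter=(objectClass=nsManagedDomain))
(version 3.0; acl "Domain access"; allow (read,search)
groupdn="ldap:///cn=DomainAdmins,ou=Groups,[$dn],dc=example,dc=com";)'''
NO_TARGET = PAGE_ACI.split("\n", 1)[1]  # constructed: target keyword dropped
MACRO_IN_TARGETATTR = PAGE_ACI.replace('"*"', '"($attr.ou)"')  # constructed

if __name__ == "__main__":
    for aci in (PAGE_ACI, NO_TARGET, MACRO_IN_TARGETATTR):
        print(check_macro_aci(aci) or "ok")
```
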
