Creating ACIs Manually
Some other valid examples follow:
• (target="ldap:///uid=*,dc=example,dc=com")
  Matches every entry in the entire example.com tree that has the uid attribute in the entry's RDN.
• (target="ldap:///uid=*,ou=*,dc=example,dc=com")
  Matches every entry in the example.com tree whose distinguished name contains the uid and ou attributes. Thus:
  uid=fchen,ou=Engineering,dc=example,dc=com
  or
  uid=claire,ou=Engineering,ou=people,dc=example,dc=com
  would match, but the following would not:
  uid=bjensen,dc=example,dc=com
  ou=Engineering,dc=example,dc=com
NOTE
You cannot use wildcards in the suffix part of a distinguished
name. That is, if your directory uses the suffixes c=US and c=GB,
then you cannot use the following target to reference both suffixes:
(target="ldap:///dc=example,c=*").
Neither can you use a target such as uid=bjensen,dc=*.com.
Targeting Attributes
In addition to targeting directory entries, you can also target one or more attributes
included in the targeted entries. This is useful when you want to deny or allow
access to partial information about an entry. For example, you could allow access
to only the common name, surname, and telephone number attributes of a given
entry. Or you could deny access to sensitive information such as passwords.
You can specify that the target is equal or is not equal to a specific attribute. The
attributes you supply do not need to be defined in the schema. This absence of
schema checking makes it possible to implement an access control policy when you
set up your directory service for the first time, even if the ACLs you create do not
apply to the current directory content.
To target attributes, you use the targetattr keyword. The targetattr keyword
uses the following syntax:
(targetattr = "attribute")
Netscape Directory Server Administrator's Guide • January 2002
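The wildcard target examples and the NOTE about suffixes can be checked before an ACI is deployed. The following is an added example, not code from the guide or from Directory Server: a simplified model in which each * matches any run of characters in the normalized DN, which reproduces the matches listed in the guide's examples. The function names and the SUFFIXES list are assumptions made for illustration.

```python
import re

def normalize_dn(dn):
    """Lowercase and drop spaces around ',' and '=' (escaped commas are not handled)."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip().lower())

def target_dn(target):
    """Extract the DN pattern from a (target="ldap:///<dn>") clause."""
    m = re.fullmatch(r'\(\s*target\s*=\s*"ldap:///(.+)"\s*\)', target.strip())
    if not m:
        raise ValueError("not a target clause: %r" % target)
    return normalize_dn(m.group(1))

def anchored_suffix(target, suffixes):
    """Return the suffix the pattern literally ends with, or None when the
    suffix part is missing or contains a wildcard (the rule in the NOTE)."""
    pattern = target_dn(target)
    for suffix in map(normalize_dn, suffixes):
        if pattern == suffix or pattern.endswith("," + suffix):
            return suffix
    return None

def target_matches(target, entry_dn, suffixes):
    """Simplified model: every '*' matches any run of characters in the DN."""
    if anchored_suffix(target, suffixes) is None:
        raise ValueError("wildcard in suffix part: %r" % target)
    parts = [re.escape(p) for p in target_dn(target).split("*")]
    return re.fullmatch(".*".join(parts), normalize_dn(entry_dn)) is not None

# Constructed sample data: suffixes, targets and DNs taken from the examples above.
SUFFIXES = ["dc=example,dc=com", "c=US", "c=GB"]
T1 = '(target="ldap:///uid=*,dc=example,dc=com")'
T2 = '(target="ldap:///uid=*,ou=*,dc=example,dc=com")'
BAD = '(target="ldap:///dc=example,c=*")'
ENTRIES = [
    "uid=fchen,ou=Engineering,dc=example,dc=com",
    "uid=claire,ou=Engineering,ou=people,dc=example,dc=com",
    "uid=bjensen,dc=example,dc=com",
    "ou=Engineering,dc=example,dc=com",
]

if __name__ == "__main__":
    for target in (T1, T2):
        print(target)
        for dn in ENTRIES:
            verdict = "match" if target_matches(target, dn, SUFFIXES) else "no match"
            print("  %-60s %s" % (dn, verdict))
    print(BAD, "->", anchored_suffix(BAD, SUFFIXES) or "rejected: wildcard in suffix")
```

Running a check like this over proposed ACIs shows how many entries a wildcard target would actually cover, so an overly broad target is noticed before it grants access.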