Netscape DIRECTORY SERVER 6.01 - ADMINISTRATOR Administrator's Manual page 209

The bind rule is evaluated to be true for any valid bind DN. To be true, a valid
distinguished name and password must have been presented by the user during
the bind operation.
For example, if you want to grant read access to the entire tree to all authenticated
users, you would create the following ACI on the
aci:(version 3.0; acl "all-read"; allow (read)
userdn="ldap:///all";)
Userdn keyword containing the anyone keyword:
userdn = "ldap:///anyone";
The bind rule is evaluated to be true for anyone; use this keyword to provide
anonymous access to your directory.
For example, if you want to allow anonymous read and search access to the entire
example.com
node:
aci: (version 3.0; acl "anonymous-read-search"; allow (read, search)
userdn = "ldap:///anyone";)
Userdn keyword containing the parent keyword:
userdn = "ldap:///parent";
The bind rule is evaluated to be true if the bind DN is the parent of the targeted
entry.
For example, if you want to grant write access to every user's child entries, you
would create the following ACI on the
aci:(version 3.0; acl "parent access"; allow (write)
userdn="ldap:///parent";)
userdn = "ldap:///dc=example,dc=com???(|(ou=engineering)(ou=sales))";
The bind rule is evaluated to be true if the user belongs to the engineering or sales
subtree.
Defining Group Access - groupdn Keyword
Members of a specific group can access a targeted resource. This is known as group
access. Group access is defined using the
a targeted entry will be granted or denied if the user binds using a DN that belongs
to a specific group.
tree, you would create the following ACI on the
dc=example,dc=com
dc=example,dc=com
keyword to specify that access to
groupdn
Chapter 6
Bind Rules
node:
dc=example,dc=com
node:
Managing Access Control 209