Netscape DIRECTORY SERVER 6.01 - ADMINISTRATOR Administrator's Manual page 212

Bind Rules
userattr = "attrName#attrValue"
where:
•
attrName
•
bindType
•
attrValue
The following sections provide examples of the
various possible bind types.
Example with USERDN Bind Type
The following is an example of the
based on the user DN:
userattr = "manager#USERDN"
The bind rule is evaluated to be true if the bind DN matches the value of the
manager
to modify employees' attributes. This mechanism only works if the
attribute in the targeted entry is expressed as a full DN.
The following example grants a manager full access to his or her employees'
entries:
aci: (target="ldap:///dc=example,dc=com")(targetattr=*) (version
3.0;
acl "manager-write"; allow (all) userattr = "manager#USERDN";)
Example with GROUPDN Bind Type
The following is an example of the
based on a group DN:
userattr = "owner#GROUPDN"
The bind rule is evaluated to be true if the bind DN is a member of the group
specified in the
mechanism to allow a group to manage employees' status information. You can
use an attribute other than
of a group entry.
The group you point to can be a dynamic group, and the DN of the group can be
under any suffix in the database. However, the evaluation of this type of ACI by
the server is very resource intensive.
If you are using static groups that are under the same suffix as the targeted entry,
you can use the following expression:
212 Netscape Directory Server Administrator's Guide • January 2002
is the name of the attribute used for value matching
is one of
USERDN,GROUPDN,LDAPURL
is any string representing an attribute value
attribute in the targeted entry. You can use this to allow a user's manager
attribute of the targeted entry. For example, you can use this
owner
owner
userattr
keyword associated with a bind
userattr
keyword associated with a bind
userattr
, as long as the attribute you use contains the DN
keyword with the
manager