Example Aci - Netscape DIRECTORY SERVER 6.02 - ADMINISTRATOR Administrator's Manual

You can have multiple permission-bind rule pairs for each target. This allows you
to efficiently set multiple access controls for a given target. For example:
target(permission bind_rule)(permission bind_rule)...
If you have several ACRs in one ACI statement, the syntax is of the form:
aci: (target)(version 3.0;acl "name";permission bind_rule; permission bind_rule; ... permission bind_rule;)

Example ACI

The following is an example of a complete LDIF ACI:
aci: (target="ldap:///uid=bjensen,dc=example,dc=com")(targetattr=*)(version 3.0;acl "aci1";allow (write) userdn="ldap:///self";)
In this example, the ACI states that the user bjensen has rights to modify all
attributes in her own directory entry.
The following sections describe the syntax of each portion of the ACI in more
detail.

Defining Targets

The target identifies what the ACI applies to. If the target is not specified, the ACI
applies to the entry containing the aci attribute and to the entries below it.
A target can be:
- A directory entry, or all of the entries in a subtree, as described in "Targeting a Directory Entry," on page 196.
- Attributes of an entry, as described in "Targeting Attributes," on page 198.
- A set of entries or attributes that match a specified LDAP filter, as described in "Targeting Entries or Attributes Using LDAP Filters," on page 199.
- An attribute value, or a combination of values, that match a specified LDAP filter, as described in "Targeting Attribute Values Using LDAP Filters," on page 200.
The general syntax for a target is:
(keyword = "expression")
(keyword != "expression")
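
The ACI and target syntax described above can be checked mechanically when reviewing access control. The following Python code is an added example, not part of the manual or the product: it splits an aci value into its targets, ACL name and permission/bind-rule pairs, and lists allow rules that grant write on every attribute. The function names parse_aci and broad_writes are hypothetical, the second sample ACI is constructed, and the "all" right and the "ldap:///anyone" bind rule are assumed from the server's ACI syntax rather than taken from this page.

```python
import re

# (keyword = "expression") or (keyword != "expression"); quotes may be absent, as in (targetattr=*)
TARGET_RE = re.compile(r'\(\s*(\w+)\s*(!=|=)\s*("[^"]*"|[^()"]*?)\s*\)')
# (version 3.0;acl "name"; ...permission/bind-rule pairs... )
RULES_RE = re.compile(r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;(.*)\)\s*$', re.S | re.I)
# permission bind_rule;  ->  allow|deny (rights) bind_rule;
PAIR_RE = re.compile(r'\s*(allow|deny)\s*\(([^)]*)\)\s*((?:"[^"]*"|[^;"])*);', re.S | re.I)

def parse_aci(value):
    """Split one aci value into targets, ACL name and permission/bind-rule pairs."""
    value = value.strip()
    if value.lower().startswith("aci:"):
        value = value[4:].strip()
    m = RULES_RE.search(value)
    if not m:
        raise ValueError('missing (version 3.0;acl "name";...) section')
    head = value[:m.start()]
    if TARGET_RE.sub("", head).strip():
        raise ValueError("malformed target section: %r" % head)
    targets = [(k.lower(), op, e.strip('"')) for k, op, e in TARGET_RE.findall(head)]
    rules, pos, body = [], 0, m.group(2)
    while body[pos:].strip():
        p = PAIR_RE.match(body, pos)
        if not p:
            raise ValueError("malformed permission/bind rule: %r" % body[pos:])
        rights = [r.strip().lower() for r in p.group(2).split(",")]
        rules.append((p.group(1).lower(), rights, p.group(3).strip()))
        pos = p.end()
    if not rules:
        raise ValueError("no permission/bind-rule pair")
    return {"name": m.group(1), "targets": targets, "rules": rules}

def broad_writes(aci):
    """Return allow rules that grant write on every attribute (targetattr=*)."""
    if ("targetattr", "=", "*") not in aci["targets"]:
        return []
    return [r for r in aci["rules"] if r[0] == "allow" and {"write", "all"} & set(r[1])]

# The manual's example, plus a constructed ACI with two permission/bind-rule pairs.
MANUAL = ('aci: (target="ldap:///uid=bjensen,dc=example,dc=com")(targetattr=*)'
          '(version 3.0;acl "aci1";allow (write) userdn="ldap:///self";)')
CONSTRUCTED = ('aci: (targetattr != "userPassword")(version 3.0;acl "two pairs";'
               'allow (read,search) userdn="ldap:///anyone"; allow (write) userdn="ldap:///self";)')

if __name__ == "__main__":
    for text in (MANUAL, CONSTRUCTED):
        aci = parse_aci(text)
        print(aci["name"], aci["targets"], aci["rules"], broad_writes(aci))
```

Run over an LDIF export, broad_writes gives a reviewer a short list of ACIs whose write permission covers all attributes, such as the bjensen example above.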