Bind Rules
Depending on the ACIs defined for the directory, for certain operations, you need
to bind to the directory. Binding means logging in or authenticating yourself to the
directory by providing a bind DN and password, or, if using SSL, a certificate. The
credentials provided in the bind operation and the circumstances of the bind
determine whether access to the directory is allowed or denied.
Every permission set in an ACI has a corresponding bind rule that details the
required credentials and bind parameters.
Bind rules can be simple. For example, a bind rule can simply state that the person
accessing the directory must belong to a specific group. Bind rules can also be more
complex. For example, a bind rule can state that a person must belong to a specific
group and must log in from a machine with a specific IP address, between 8 am
and 5 pm.
Bind rules define who can access the directory, when, and from where. More
specifically, bind rules can specify:
• Users, groups, and roles that are granted access
• Location from which an entity must bind
• Time or day on which binding must occur
• Type of authentication that must be in use during binding
Additionally, bind rules can be complex constructions that combine these criteria
by using Boolean operators. See "Using Boolean Bind Rules," on page 223 for more
information.
Bind Rule Syntax
Whether access is allowed or denied depends on whether an ACI's bind rule is
evaluated to be true. Bind rules use one of the two following patterns:
keyword = "expression";
keyword != "expression";
where equal (=) indicates that keyword and expression must match in order for the
bind rule to be true, and not equal (!=) indicates that keyword and expression must not
match in order for the bind rule to be true.
206
Netscape Directory Server Administrator's Guide • May 2002
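The two patterns above can be modeled with a small parser and evaluator. This is an added example, not code from the guide or from Directory Server. The `userdn` and `ip` keywords are not introduced in this section, the DNs and addresses are constructed, and the comparison rules (exact, case-insensitive, missing value treated as empty) are assumptions of the sketch.

```python
import re

# Matches the two patterns: keyword = "expression"; and keyword != "expression";
_RULE = re.compile(r'^\s*([A-Za-z]+)\s*(!=|=)\s*"([^"]*)"\s*;\s*$')

def parse_bind_rule(text):
    """Split one bind rule into (keyword, operator, expression)."""
    m = _RULE.match(text)
    if m is None:
        raise ValueError(f"not a simple bind rule: {text!r}")
    keyword, operator, expression = m.groups()
    return keyword.lower(), operator, expression

def evaluate(rule_text, bind_context):
    """Return True when the rule holds for the given bind.

    bind_context maps a keyword to the value observed during the bind.
    Assumption of this sketch: comparison is exact and case-insensitive,
    and a keyword with no observed value compares as an empty string.
    """
    keyword, operator, expression = parse_bind_rule(rule_text)
    observed = bind_context.get(keyword, "")
    matches = observed.lower() == expression.lower()
    return matches if operator == "=" else not matches

# Constructed sample binds (hypothetical DNs and addresses).
ADMIN = {"userdn": "ldap:///uid=admin,dc=example,dc=com", "ip": "192.0.2.10"}
ANONYMOUS = {"ip": "192.0.2.99"}  # no bind DN supplied

def demo():
    eq = 'userdn = "ldap:///uid=admin,dc=example,dc=com";'
    ne = 'userdn != "ldap:///uid=admin,dc=example,dc=com";'
    return {
        "admin_eq": evaluate(eq, ADMIN),
        "admin_ne": evaluate(ne, ADMIN),
        "anon_eq": evaluate(eq, ANONYMOUS),
        "anon_ne": evaluate(ne, ANONYMOUS),  # True: != holds for every other bind
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In this model the `!=` rule is true for every bind that does not match the expression, including one that supplies no value for the keyword, which is worth checking whenever a permission is attached to a not-equal rule.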