Netscape DIRECTORY SERVER 6.02 - ADMINISTRATOR Administrator's Manual page 211

The bind rule is evaluated to be true if the user is accessing the entry represented
by the DN with which the user bound to the directory. That is, if the user has
bound as
uid=ssarette
operation on the
uid=ssarette,dc=example,dc=com
true.
For example, if you want to grant all users in the
their attribute, you would create the following ACI on the
userPassword
dc=example,dc=com
aci: (targetattr = "userPassword") (version 3.0; acl "write-self";
allow (write) userdn = "ldap:///self";)
Userdn keyword containing the all keyword:
userdn = "ldap:///all";
The bind rule is evaluated to be true for any valid bind DN. To be true, a valid
distinguished name and password must have been presented by the user during
the bind operation.
For example, if you want to grant read access to the entire tree to all authenticated
users, you would create the following ACI on the
aci:(version 3.0; acl "all-read"; allow (read)
userdn="ldap:///all";)
Userdn keyword containing the anyone keyword:
userdn = "ldap:///anyone";
The bind rule is evaluated to be true for anyone; use this keyword to provide
anonymous access to your directory.
For example, if you want to allow anonymous read and search access to the entire
tree, you would create the following ACI on the
example.com
node:
aci: (version 3.0; acl "anonymous-read-search"; allow (read, search)
userdn = "ldap:///anyone";)
Userdn keyword containing the parent keyword:
userdn = "ldap:///parent";
The bind rule is evaluated to be true if the bind DN is the parent of the targeted
entry.
,
dc=example,dc=com
node.
and the user is attempting an
entry, then the bind rule is
tree write access to
example.com
dc=example,dc=com
dc=example,dc=com
Chapter 6 Managing Access Control
Bind Rules
node:
211