Table of Contents
Advertisement
Bind Rules
For example, if you want to grant write access to every user's child entries, you
would create the following ACI on the
aci:(version 3.0; acl "parent access"; allow (write)
userdn="ldap:///parent";)
userdn = "ldap:///dc=example,dc=com???(|(ou=engineering)
(ou=sales))";
The bind rule is evaluated to be true if the user belongs to the engineering or sales
subtree.
Defining Group Access - groupdn Keyword
Members of a specific group can access a targeted resource. This is known as group
access. Group access is defined using the
a targeted entry will be granted or denied if the user binds using a DN that belongs
to a specific group.
The
groupdn
following format :
groupdn="ldap:///dn [|| ldap:///dn]...[|| ldap:///dn]"
The bind rule is evaluated to be true if the bind DN belongs to the named group.
NOTE
From the Server Console, you can define specific groups using the Access Control
Editor. For more information, see "Creating ACIs From the Console," on page 224.
Examples
This section contains examples of the
Groupdn keyword containing an LDAP URL:
groupdn = "ldap:///cn=Administrators,dc=example,dc=com";
The bind rule is evaluated to be true if the bind DN belongs to the Administrators
group. If you wanted to grant the Administrators group permission to write to the
entire directory tree, you would create the following ACI on the
dc=example,dc=com
212
Netscape Directory Server Administrator's Guide • May 2002
keyword requires one or more valid distinguished names in the
If a DN contains a comma, the comma must be escaped by a
backslash (\).
node:
dc=example,dc=com
keyword to specify that access to
groupdn
syntax.
groupdn
node:
Advertisement
Table of Contents
