Netscape DIRECTORY SERVER 6.02 - ADMINISTRATOR Administrator's Manual page 215


Chapter 6: Managing Access Control, Bind Rules

The following example grants a manager full access to his or her employees' entries:

aci: (target="ldap:///dc=example,dc=com")(targetattr=*) (version 3.0; acl "manager-write"; allow (all) userattr = "manager#USERDN";)

Example with GROUPDN Bind Type

The following is an example of the userattr keyword associated with a bind based on a group DN:

userattr = "owner#GROUPDN"

The bind rule is evaluated to be true if the bind DN is a member of the group specified in the owner attribute of the targeted entry. For example, you can use this mechanism to allow a group to manage employees' status information. You can use an attribute other than owner, as long as the attribute you use contains the DN of a group entry.

The group you point to can be a dynamic group, and the DN of the group can be under any suffix in the database. However, the evaluation of this type of ACI by the server is very resource intensive.

If you are using static groups that are under the same suffix as the targeted entry, you can use the following expression:

userattr = "ldap:///dc=example,dc=com?owner#GROUPDN"

In this example, the group entry is under the dc=example,dc=com suffix. The server can process this type of syntax more quickly than the previous example.

(By default, owner is not an allowed entry in a user's entry. You would have to extend your schema to allow this attribute in a person object.)

Example With ROLEDN Bind Type

The following is an example of the userattr keyword associated with a bind based on a role DN:

userattr = "exampleEmployeeReportsTo#ROLEDN"

The bind rule is evaluated to be true if the bind DN belongs to the role specified in the exampleEmployeeReportsTo attribute of the targeted entry. For example, if you create a nested role for all managers in your company, you can use this mechanism to grant managers at all levels access to information about employees that are at a lower grade than themselves.
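The three userattr bind types described on this page can be compared side by side in a small Python model of how each rule is decided. This is an added example, not code from the manual or from Directory Server. Its assumptions: the sample entries are constructed, static group membership is read from uniqueMember, role membership from the nsRole attribute of the bind entry, the ldap:/// form is taken to mean the group must lie under the named suffix, and dynamic groups are not modelled.

```python
import re

# Constructed sample entries (not from the manual): DN -> attribute -> DN values.
DIRECTORY = {
    "uid=bjensen,ou=people,dc=example,dc=com": {
        "manager": ["uid=kvaughan,ou=people,dc=example,dc=com"],
        "owner": ["cn=HR Admins,ou=groups,dc=example,dc=com"],
        "exampleEmployeeReportsTo": ["cn=ManagerRole,dc=example,dc=com"]},
    "cn=HR Admins,ou=groups,dc=example,dc=com": {
        "uniqueMember": ["uid=tmorris,ou=people,dc=example,dc=com"]},
    "uid=kvaughan,ou=people,dc=example,dc=com": {
        "nsRole": ["cn=ManagerRole,dc=example,dc=com"]},
}
# Accepted shape: [ldap:///<suffix>?]<attribute>#<bind type>
RULE = re.compile(r"^(?:ldap:///(?P<base>[^?]*)\?)?(?P<attr>[^#?]+)"
                  r"#(?P<kind>USERDN|GROUPDN|ROLEDN)$")

def norm(dn):
    """Simplified DN comparison form: lower case, no spaces around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def parse_userattr(value):
    """Split a userattr value into (suffix or None, attribute, bind type)."""
    m = RULE.match(value.strip())
    if m is None:
        raise ValueError("unsupported userattr value: %r" % value)
    return m.group("base"), m.group("attr"), m.group("kind")

def userattr_allows(value, bind_dn, target_dn, directory=DIRECTORY):
    """True if the bind rule holds for bind_dn against the targeted entry."""
    base, attr, kind = parse_userattr(value)
    entries = {norm(dn): attrs for dn, attrs in directory.items()}
    bind = norm(bind_dn)
    for ref in map(norm, entries.get(norm(target_dn), {}).get(attr, [])):
        if kind == "USERDN" and ref == bind:
            return True  # attribute value is the bind DN itself
        if kind == "GROUPDN":
            if base and not ref.endswith("," + norm(base)):
                continue  # scoped form: group must sit under the named suffix
            if bind in map(norm, entries.get(ref, {}).get("uniqueMember", [])):
                return True  # bind DN is a member of the referenced group
        if kind == "ROLEDN":
            if ref in map(norm, entries.get(bind, {}).get("nsRole", [])):
                return True  # bind DN possesses the referenced role
    return False
```

In every case the decision depends on a DN stored in the targeted entry itself, so the same ACI yields different results for different target entries.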
