Using The Userattr Keyword With Inheritance - Netscape DIRECTORY SERVER 6.02 - ADMINISTRATOR Administrator's Manual

Using the userattr Keyword With Inheritance

When you use the
userattr
target entry, the ACI applies only to the target specified and not to the entries
below it. In some circumstances, you might want to extend the application of the
ACI several levels below the targeted entry. This is possible by using the parent
keyword, and specifying the number of levels below the target that should inherit
the ACI.
When you use the
userattr
syntax is as follows:
userattr = "parent[inheritance_level].attrName#bindType"
or, if you are using an attribute type that requires a value other than a user DN,
group DN, role DN, or an LDAP filter:
userattr = "parent[inheritance_level].attrName#attrValue"
where
:
• is a comma separated list that indicates how many levels below
inheritance_level
the target will inherit the ACI. You can include five levels
the targeted entry; zero (0) indicates the targeted entry.
• is the attribute targeted by the
attribute
• bindType can be one of
For example,
userattr = "parent[0,1].manager#USERDN"
This bind rule is evaluated to be true if the bindDN matches the manager attribute
of the targeted entry. The permissions granted when the bind rule is evaluated to
be true apply to the target entry and to all entries immediately below it.
Example With userattr Inheritance
The example in Figure 6-1 indicates that user
search the
cn=Profiles
includes and
cn=mail
and news IDs.
keyword to associate the entry used to bind with the
keyword in association with the
userattr
USERDN,GROUPDN,LDAPURL
entry as well as the first level of child entries which
, thus allowing her to search through her own mail
cn=news
parent
[0,1,2,3,4]
or
groupattr
.
is allowed to read and
bjensen
Chapter 6 Managing Access Control
Bind Rules
keyword, the
below
keyword.
217