Macro Aci Example - Netscape DIRECTORY SERVER 6.02 - ADMINISTRATOR Administrator's Manual

Advanced Access Control: Using Macro ACIs
Macros are placeholders that are used to represent a DN, or a portion of a DN, in
an ACI. You can use a macro to represent a DN in the target portion of the ACI, or
in the bind rule portion, or both. In practice, when Directory Server gets an
incoming LDAP operation, the ACI macros are matched against the resource
targeted by the LDAP operation. If there is a match, the macro is replaced by the
value of the DN of the targeted resource. Directory Server then evaluates the ACI
normally.
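The matching and substitution step described above, as an added example that is not part of the manual and is not Directory Server code. It is a simplified model that assumes the ($dn) macro notation, a constructed macro target and groupdn bind rule generalizing a per-company "Domain access" ACI, constructed entry DNs, and DNs without escaped commas; targetfilter evaluation is not modeled.

```python
# Added illustration: simplified model of ($dn) macro matching, not server code.
MACRO = "($dn)"
# Constructed macro ACI parts (assumptions, not taken from the manual page).
TARGET = "ldap:///ou=Groups,($dn),dc=example,dc=com"
GROUPDN = "ldap:///cn=DomainAdmins,ou=Groups,($dn),dc=example,dc=com"

def rdns(dn):
    """Split a DN into RDNs (assumes no escaped commas in values)."""
    dn = dn.replace("ldap:///", "")
    return [r.strip() for r in dn.split(",") if r.strip()]

def same(a, b):
    """Case-insensitive comparison of two RDN lists."""
    return [x.lower() for x in a] == [x.lower() for x in b]

def match_macro(target, entry_dn):
    """Return the DN fragment ($dn) stands for, or None if the target does not match."""
    before, after = target.split(MACRO)
    prefix, suffix, entry = rdns(before), rdns(after), rdns(entry_dn)
    if len(entry) <= len(suffix) or not same(entry[-len(suffix):], suffix):
        return None
    body = entry[:-len(suffix)]
    # The entry may be directly under the prefix RDNs or deeper beneath them.
    for i in range(len(body) - len(prefix) + 1):
        if same(body[i:i + len(prefix)], prefix) and body[i + len(prefix):]:
            return ",".join(body[i + len(prefix):])
    return None

def expand(template, value):
    """Substitute the matched fragment into a bind-rule DN."""
    return template.replace("ldap:///", "").replace(MACRO, value)

def allowed(entry_dn, client_groups):
    """True if one of the client's groups equals the expanded groupdn."""
    value = match_macro(TARGET, entry_dn)
    if value is None:
        return False  # the ACI does not apply to this entry
    wanted = rdns(expand(GROUPDN, value))
    return any(same(rdns(g), wanted) for g in client_groups)

if __name__ == "__main__":
    # Constructed client: a member of hostedCompany1's DomainAdmins group.
    admin1 = ["cn=DomainAdmins,ou=Groups,dc=hostedCompany1,dc=example,dc=com"]
    for dn in ("cn=all,ou=Groups,dc=hostedCompany1,dc=example,dc=com",
               "cn=all,ou=Groups,dc=hostedCompany2,dc=example,dc=com"):
        print(dn, "->", match_macro(TARGET, dn), allowed(dn, admin1))
```

Because the bind rule is expanded from the DN of the entry being accessed, a DomainAdmins member of one hosted company does not satisfy the rule for entries under another company's subtree.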

Macro ACI Example

The benefits of macro ACIs and how they work are best explained using an
example. Figure 6-4 on page 251 shows a directory tree in which using macro ACIs
is an effective way of reducing the overall number of ACIs.
In this illustration, note the repeating pattern of subdomains with the same tree
structure (ou=groups, ou=people). This pattern is also repeated across the tree,
because the example.com directory tree stores the following suffixes
dc=hostedCompany2,dc=example,dc=com, and dc=hostedCompany3,dc=example,dc=com.
The ACIs that apply in the directory tree also have a repeating pattern. For
example, the following ACI is located on the
dc=hostedCompany1,dc=example,dc=com node:
aci: (targetattr="*")(targetfilter=(objectClass=nsManagedDomain))
 (version 3.0; acl "Domain access"; allow (read,search) groupdn=
 "ldap:///cn=DomainAdmins,ou=Groups,dc=hostedCompany1,dc=example,dc=com";)
This ACI grants read and search rights to the DomainAdmins group to any entry in
the dc=hostedCompany1,dc=example,dc=com tree.
Netscape Directory Server Administrator's Guide • May 2002
