Table of Contents
Advertisement
Advanced Access Control: Using Macro ACIs
The following ACI is located on the
dc=example,dc=com
aci: (targetattr="*")(targetfilter=(objectClass=nsManagedDomain))
(version 3.0; acl "Domain access"; allow (read,search)
groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=subdomain1,
dc=hostedCompany1,dc=example,dc=com";)
The following ACI is located on the
node:
aci: (targetattr="*")(targetfilter=(objectClass=nsManagedDomain))
(version 3.0; acl "Domain access"; allow (read,search)
groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=hostedCompany2,
dc=example,dc=com";)
The following ACI is located on the
dc=example,dc=com
aci: (targetattr="*")(targetfilter=(objectClass=nsManagedDomain))
(version 3.0; acl "Domain access"; allow (read,search)
groupdn="ldap:///cn=DomainAdmins,ou=Groups, dc=subdomain1,
dc=hostedCompany2,dc=example,dc=com";)
In the four ACIs shown above, the only differentiator is the DN specified in the
groupdn
by a single ACI at the root of the tree, on the
reads as follows:
aci: (target="ldap:///ou=Groups,($dn),dc=example,dc=com")
(targetattr="*")(targetfilter=(objectClass=nsManagedDomain))
(version 3.0; acl "Domain access"; allow (read,search)
groupdn="ldap:///cn=DomainAdmins,ou=Groups,[$dn],dc=example,dc=com"
;)
Note that the target keyword which was not previously used needs to be
introduced.
In the example above, the number of ACIs is reduced from four to one. However,
the real benefit is a factor of how many repeating patterns you have down and
across your directory tree.
Macro ACI Syntax
Macro ACIs include the following types of expressions to replace a DN or part of a
DN:
•
($dn)
252
Netscape Directory Server Administrator's Guide • May 2002
node:
node:
keyword. By using a macro for the DN, it is possible to replace these ACIs
dc=subdomain1,dc=hostedCompany1,
dc=hostedCompany2,dc=example,dc=com
dc=subdomain1,dc=hostedCompany2,
dc=example,dc=com
node. This ACI
Advertisement
Table of Contents
