Table of Contents
Advertisement
•
[$dn]
•
($attr.attrName), where attrName represents an attribute contained in the target
entry
To simplify the discussion in this section, the ACI keywords used to provide bind
credentials such as
userdn
the subject, as opposed to the target of the ACI. Macro ACIs can be used in the
target part or the subject part of an ACI.
Table 6-3 shows in what parts of the ACI you can use DN macros:
Table 6-3
Macros in ACI Keywords
Macro
($dn)
[$dn]
($attr.attrName)
The following restrictions apply:
•
If you use ($dn) in
must define a target that contains ($dn).
•
If you use [$dn] in
must define a target that contains ($dn).
In short, you when using any macro, you always need a target definition that
contains the ($dn) macro.
You can combine the ($dn) macro and the ($attr.attrName) macro.
Macro Matching for ($dn)
The ($dn) macro is replaced by the matching part of the resource targeted in an
LDAP request. For example, you have an LDAP request targeted at the
ou=groups,dc=subdomain1,dc=hostedCompany1,dc=example,dc=com
an ACI that defines the target as follows:
(target="ldap:///ou=Groups,($dn),dc=example,dc=com")
The ($dn) macro matches with "
When the subject of the ACI also uses ($dn), the substring that matches the target is
used to expand the subject. For example:
,
,
roledn
groupdn
ACI Keyword
target, targetfilter, userdn, roledn,groupdn, userattr
targetfilter, userdn, roledn, groupdn, userattr
userdn, roledn, groupdn, userattr
,
targetfilter
userdn
,
targetfilter
userdn
dc=subdomain1, dc=hostedCompany1
Advanced Access Control: Using Macro ACIs
, and
, are collectively called
userattr
,
,
,
roledn
groupdn
userattr
,
,
,
roledn
groupdn
userattr
Chapter 6
Managing Access Control
, you
, you
cn=all,
entry, and
".
253
Advertisement
Table of Contents
