Macro Matching For [$Dn] - Netscape DIRECTORY SERVER 6.02 - ADMINISTRATOR Administrator's Manual

Advanced Access Control: Using Macro ACIs
aci: (target="ldap:///ou=*,($dn),dc=example,dc=com") (targetattr =
"*") (version 3.0; acl "Domain access"; allow (read,search)
groupdn="ldap:///cn=DomainAdmins,ou=Groups,($dn),dc=example,dc=com"
;)
In this case, if the string matching ($dn) in the target is
dc=hostedCompany1
expanded as follows:
aci: (target="ldap:///ou=Groups,dc=subdomain1,dc=hostedCompany1,
dc=example,dc=com") (targetattr = "*") (version 3.0; acl "Domain
access"; allow (read,search)
groupdn="ldap:///cn=DomainAdmins,ou=Groups,
dc=subdomain1,dc=hostedCompany1,dc=example,dc=com";)
Once the macro has been expanded, Directory Server evaluates the ACI following
the normal process to determine whether access is granted or not.

Macro Matching for [$dn]

The matching mechanism for [$dn] is slightly different than for ($dn). The DN of
the targeted resource is examined several times, each time dropping the left-most
RDN component, until a match is found.
For example, you have an LDAP request targeted at the
dc=subdomain1,dc=hostedCompany1,dc=example,dc=com
following ACI:
aci: (target="ldap:///ou=Groups,($dn),dc=example,dc=com")
(targetattr = "*") (version 3.0; acl "Domain access"; allow
(read,search)
groupdn="ldap:///cn=DomainAdmins,ou=Groups,[$dn],dc=example,dc=com"
;)
The steps for expanding this ACI are as follows:
($dn) in target matches
1.
Replace [$dn] in subject with
2.
The result is
dc=subdomain1,dc=hostedCompany1,dc=example,dc=com"
a member of that group, the matching process stops, and the ACI is evaluated.
If it does not match, the process continues.
254 Netscape Directory Server Administrator's Guide • May 2002
, then the same string is used in the subject. The ACI above is
dc=subdomain1,dc=hostedCompany1
dc=subdomain1,dc=hostedCompany1
groupdn="ldap:///cn=DomainAdmins,ou=Groups,
dc=subdomain1,
cn=all,ou=groups,
subtree, and the
.
.
. If the bind DN is