Bind Rules
The permissions you need to set up to allow users to search the directory are more readily understood with an example. Consider the following ldapsearch operation:
% ldapsearch -h host -s base -b "uid=bkolics,dc=example,dc=com" objectclass=* mail
The following ACI is used to determine whether user bkolics can be granted access:
aci: (targetattr = "mail")(version 3.0; acl "self access to mail"; allow (read, search) userdn = "ldap:///self";)
The search result list is empty, because this ACI does not grant access to the objectclass attribute. If you want the search operation described above to be successful, you must modify the ACI to read as follows:
aci: (targetattr = "mail || objectclass")(version 3.0; acl "self access to mail"; allow (read, search) userdn = "ldap:///self";)
Permissions Syntax
In an ACI statement, the syntax for permissions is:
allow|deny (rights)
where rights is a list of 1 to 8 comma-separated keywords enclosed within parentheses. Valid keywords are read, write, add, delete, search, compare, selfwrite, proxy, or all.
In the following example, read, search, and compare access is allowed, provided the bind rule is evaluated to be true:
aci: (target="ldap:///dc=example,dc=com") (version 3.0;acl "example"; allow (read, search, compare) bind_rule;)
Bind Rules
Depending on the ACIs defined for the directory, for certain operations, you need to bind to the directory. Binding means logging in or authenticating yourself to the directory by providing a bind DN and password, or, if using SSL, a certificate. The credentials provided in the bind operation, and the circumstances of the bind, determine whether access to the directory is allowed or denied.
Every permission set in an ACI has a corresponding bind rule that details the required credentials and bind parameters.
210
Netscape Directory Server Administrator's Guide • August 2002
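The search example and the permissions syntax above can be checked with a small model of how one targetattr/userdn ACI is evaluated. This is an added illustration, not code from the Administrator's Guide or from Directory Server: it parses the ACI text, validates the rights keywords against the list given above, and shows why the first ACI yields an empty result for a filter of objectclass=* while the second returns the mail attribute. The treatment of the all keyword as every right except proxy is an assumption of this model.

```python
import re

# Rights keywords the guide lists for allow|deny (rights); 1 to 8 may be given.
VALID_RIGHTS = {"read", "write", "add", "delete", "search",
                "compare", "selfwrite", "proxy", "all"}

ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"(?P<attrs>[^"]+)"\)\s*'
    r'\(version\s+3\.0;\s*acl\s*"(?P<name>[^"]*)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'userdn\s*=\s*"(?P<userdn>[^"]+)";\s*\)')

def parse_aci(text):
    """Parse a targetattr/userdn ACI of the shape used in this chapter."""
    m = ACI_RE.search(" ".join(text.split()))   # normalise line breaks
    if m is None:
        raise ValueError("unsupported ACI syntax")
    rights = {r.strip().lower() for r in m["rights"].split(",") if r.strip()}
    if not 1 <= len(rights) <= 8 or not rights <= VALID_RIGHTS:
        raise ValueError("rights must be 1-8 valid keywords, got %s" % sorted(rights))
    if "all" in rights:          # assumption: all = every right except proxy
        rights |= VALID_RIGHTS - {"proxy", "all"}
    return {"name": m["name"], "effect": m["effect"], "userdn": m["userdn"],
            "targetattr": {a.strip().lower() for a in m["attrs"].split("||")},
            "rights": rights}

def search_result(aci_text, bind_dn, entry_dn, filter_attrs, requested_attrs):
    """Simplified model of one base-scope search judged against a single ACI.

    Returns the list of attributes the server would return for the entry, or
    None when the entry is not returned at all (an empty search result list).
    """
    aci = parse_aci(aci_text)
    if aci["effect"] != "allow":
        return None
    # Bind rule: userdn = "ldap:///self" is true only when the bound user
    # is the very entry being searched.
    if aci["userdn"] == "ldap:///self" and bind_dn.lower() != entry_dn.lower():
        return None
    # Every attribute named in the filter needs search permission, so a
    # filter of objectclass=* fails when objectclass is not in targetattr.
    wanted = {a.lower() for a in filter_attrs}
    if "search" not in aci["rights"] or not wanted <= aci["targetattr"]:
        return None
    if "read" not in aci["rights"]:
        return []                # entry matches, but no attribute values are readable
    return sorted(a for a in requested_attrs if a.lower() in aci["targetattr"])
```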