Using The Userattr Keyword With Inheritance - Netscape DIRECTORY SERVER 6.1 - ADMINISTRATOR Administrator's Manual

Example With LDAPURL Bind Type
The following is an example of the
based on an LDAP filter:
userattr = "myfilter#LDAPURL"
The bind rule is evaluated to be true if the bind DN matches the filter specified in
the myfilter attribute of the targeted entry. The myfilter attribute can be replaced by
any attribute that contains an LDAP filter.
Example With Any Attribute Value
The following is an example of the
based on any attribute value:
userattr = "favoriteDrink#Beer"
The bind rule is evaluated to be true if the bind DN and the target DN include the
attribute with a value of
favoriteDrink

Using the userattr Keyword With Inheritance

When you use the
userattr
target entry, the ACI applies only to the target specified and not to the entries
below it. In some circumstances, you might want to extend the application of the
ACI several levels below the targeted entry. This is possible by using the parent
keyword, and specifying the number of levels below the target that should inherit
the ACI.
When you use the
userattr
syntax is as follows:
userattr = "parent[inheritance_level].attrName#bindType"
or, if you are using an attribute type that requires a value other than a user DN,
group DN, role DN, or an LDAP filter:
userattr = "parent[inheritance_level].attrName#attrValue"
where
:
• is a comma separated list that indicates how many levels below
inheritance_level
the target will inherit the ACI. You can include five levels
the targeted entry; zero (0) indicates the targeted entry.
• is the attribute targeted by the
attribute
• bindType can be one of
keyword associated with a bind
userattr
keyword associated with a bind
userattr
.
Beer
keyword to associate the entry used to bind with the
keyword in association with the
userattr
USERDN,GROUPDN,LDAPURL
keyword, the
parent
[0,1,2,3,4]
or keyword.
groupattr
.
Chapter 6 Managing Access Control
Bind Rules
below
221