The following ACI is located on the
dc=subdomain1,dc=hostedCompany1,dc=example,dc=com node:
aci: (targetattr="*")(targetfilter=(objectClass=nsManagedDomain))
(version 3.0; acl "Domain access"; allow (read,search)
groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=subdomain1,
dc=hostedCompany1,dc=example,dc=com";)
The following ACI is located on the dc=hostedCompany2,dc=example,dc=com
node:
aci: (targetattr="*")(targetfilter=(objectClass=nsManagedDomain))
(version 3.0; acl "Domain access"; allow (read,search)
groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=hostedCompany2,
dc=example,dc=com";)
The following ACI is located on the
dc=subdomain1,dc=hostedCompany2,dc=example,dc=com node:
aci: (targetattr="*")(targetfilter=(objectClass=nsManagedDomain))
(version 3.0; acl "Domain access"; allow (read,search)
groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=subdomain1,
dc=hostedCompany2,dc=example,dc=com";)
In the four ACIs shown above, the only differentiator is the DN specified in the
groupdn keyword. By using a macro for the DN, it is possible to replace these ACIs
by a single ACI at the root of the tree, on the dc=example,dc=com node. This ACI
reads as follows:
aci: (target="ldap:///ou=Groups,($dn),dc=example,dc=com")
(targetattr="*")(targetfilter=(objectClass=nsManagedDomain))
(version 3.0; acl "Domain access"; allow (read,search)
groupdn="ldap:///cn=DomainAdmins,ou=Groups,[$dn],dc=example,dc=com"
;)
Note that the target keyword, which was not previously used, needs to be
introduced.
In the example above, the number of ACIs is reduced from four to one. However,
the real benefit depends on how many repeating patterns you have down and
across your directory tree.
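An added sketch (not from the manual or the server's code) of how the single macro ACI resolves for a given entry: ($dn) is matched against the targeted entry's DN, and [$dn] in groupdn is then tried with that value and with its leftmost RDNs dropped in turn, which is how one ACI stands in for the per-domain ones. The function names and sample entry DNs are constructed, and DN parsing is naive (no escaped commas).

```python
# Simplified model of ($dn) / [$dn] resolution for the macro ACI shown above.
# Function names and sample DNs are constructed for illustration.
SUFFIX = "dc=example,dc=com"
TARGET = "ou=Groups,($dn)," + SUFFIX                    # target pattern
SUBJECT = "cn=DomainAdmins,ou=Groups,[$dn]," + SUFFIX   # groupdn pattern


def norm(dn):
    """Lower-case a DN and trim spaces around its RDNs (naive split on commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def match_dn_macro(entry_dn):
    """Return the substring ($dn) stands for, or None if the target does not apply."""
    rdns = norm(entry_dn).split(",")
    suffix = norm(SUFFIX).split(",")
    if rdns[-len(suffix):] != suffix:
        return None                       # entry is outside dc=example,dc=com
    body = rdns[:-len(suffix)]
    anchor = norm(TARGET.split(",($dn)")[0])   # "ou=groups"
    if anchor not in body:
        return None                       # entry is not at or below an ou=Groups node
    # Simplification: use the leftmost ou=Groups RDN if there are several.
    matched = body[body.index(anchor) + 1:]
    return ",".join(matched) or None      # ($dn) must match at least one RDN


def expand_subject(matched):
    """[$dn]: try the matched value, then drop its leftmost RDN one at a time."""
    rdns = matched.split(",")
    return [norm(SUBJECT.replace("[$dn]", ",".join(rdns[i:])))
            for i in range(len(rdns))]


def allowed_groups(entry_dn):
    """Group DNs whose members the macro ACI lets read/search entry_dn."""
    matched = match_dn_macro(entry_dn)
    return expand_subject(matched) if matched else []


if __name__ == "__main__":
    for dn in ("cn=all,ou=Groups,dc=subdomain1,dc=hostedCompany1,dc=example,dc=com",
               "ou=Groups,dc=hostedCompany2,dc=example,dc=com",
               "ou=People,dc=hostedCompany1,dc=example,dc=com"):
        print(dn, "->", allowed_groups(dn))
```

For an entry under the subdomain, the result lists both the subdomain's DomainAdmins group and the parent company's, and never a group from the other hosted company, which is the property to check when auditing a consolidated ACI against the ones it replaced.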
Macro ACI Syntax
Macro ACIs include the following types of expressions to replace a DN or part of a
DN:
• ($dn)
Advanced Access Control: Using Macro ACIs
Chapter 6
Managing Access Control