Table of Contents
Advertisement
Bind Rules
Userdn keyword containing an LDAP URL:
userdn = "ldap:///uid=*,dc=example,dc=com";
The bind rule is evaluated to be true if the user binds to the directory using any
distinguished name of the specified pattern. For example, both of the following
bind DNs would be evaluated to be true:
uid=ssarette,dc=example,dc=com
uid=tjaz,ou=Accounting,dc=example,dc=com
whereas the following bind DN would be evaluated to be false:
cn=Babs Jensen,dc=example,dc=com
Userdn keyword containing logical OR of LDAP URLs:
userdn="ldap:///uid=bj,c=example.com ||
ldap:///uid=kc,dc=example,dc=com";
The bind rule is evaluated to be true if the client binds as either of the two supplied
distinguished names.
Userdn keyword excluding a specific LDAP URL:
userdn != "ldap:///uid=*,ou=Accounting,dc=example,dc=com";
The bind rule is evaluated to be true if the client is not binding as a UID-based
distinguished name in the accounting subtree. This bind rule only makes sense if
the targeted entry is not under the accounting branch of the directory tree.
Userdn keyword containing self keyword:
userdn = "ldap:///self";
The bind rule is evaluated to be true if the user is accessing the entry represented
by the DN with which the user bound to the directory. That is, if the user has
bound as
,
and the user is attempting an
uid=ssarette
dc=example,dc=com
operation on the
entry, then the bind rule
uid=ssarette,dc=example,dc=com
is true.
For example, if you want to grant all users in the
tree write access
example.com
to their
attribute, you would create the following ACI on the
userPassword
node.
dc=example,dc=com
aci: (targetattr = "userPassword") (version 3.0; acl "write-self";
allow (write) userdn = "ldap:///self";)
Userdn keyword containing the all keyword:
userdn = "ldap:///all";
Chapter 6
Managing Access Control
217
Advertisement
Table of Contents
Troubleshooting
Need help?
Do you have a question about the NETSCAPE DIRECTORY SERVER 6.2 - ADMINISTRATOR and is the answer not in the manual?