Bind Rules
The roledn keyword requires one or more valid distinguished names in the following format:
roledn = "ldap:///dn [|| ldap:///dn]... [|| ldap:///dn]"
The bind rule is evaluated to be true if the bind DN belongs to the specified role.
NOTE: If a DN contains a comma, the comma must be escaped by a backslash (\).
The roledn keyword has the same syntax and is used in the same way as the groupdn keyword.
Defining Access Based on Value Matching
You can set bind rules to specify that an attribute value of the entry used to bind to the directory must match an attribute value of the targeted entry.
For example, you can specify that the bind DN must match the DN in the manager attribute of a user entry in order for the ACI to apply. In this case, only the user's manager would have access to the entry.
This example is based on DN matching. However, you can match any attribute of the entry used in the bind with the targeted entry. For example, you could create an ACI that allowed any user whose favoriteDrink attribute is "beer" to read all the entries of other users that have the same value for favoriteDrink.
Using the userattr Keyword
The userattr keyword can be used to specify which attribute values must match between the entry used to bind and the targeted entry. You can specify:
• A user DN
• A group DN
• A role DN
• An LDAP filter, in an LDAP URL
• Any attribute type
The LDIF syntax of the userattr keyword is as follows:
userattr = "attrName#bindType"
220
Netscape Directory Server Administrator's Guide • December 2003
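The roledn and userattr bind rules described above, evaluated offline in Python as an added example (not code from the manual or from Directory Server). The list of roles the bind entry holds, the entry dictionaries, and the reading of a non-keyword bindType as a value both entries must carry are assumptions; only USERDN and plain value matching are covered.

```python
import re
from typing import Dict, List

# Split a DN into RDNs on unescaped commas only, so an escaped comma
# inside a value (the "\," form the manual requires) stays in one RDN.
_RDN_SPLIT = re.compile(r"(?<!\\),")


def norm_dn(dn: str) -> str:
    """Case-insensitive, whitespace-normalised DN string for comparison."""
    return ",".join(p.strip().lower() for p in _RDN_SPLIT.split(dn))


def parse_roledn(rule: str) -> List[str]:
    """Split 'ldap:///dn [|| ldap:///dn]...' into normalised role DNs."""
    dns = []
    for part in rule.split("||"):
        part = part.strip()
        if not part.startswith("ldap:///"):
            raise ValueError(f"roledn entries must be LDAP URLs: {part!r}")
        dns.append(norm_dn(part[len("ldap:///"):]))
    return dns


def roledn_matches(rule: str, bind_roles: List[str]) -> bool:
    """True if the bind entry holds any role named in the roledn rule.
    bind_roles is the list of role DNs the server computed for the bind DN
    (assumed input; the manual does not describe that lookup here)."""
    held = {norm_dn(r) for r in bind_roles}
    return any(r in held for r in parse_roledn(rule))


Entry = Dict[str, List[str]]  # constructed entry: attribute -> values


def userattr_matches(rule: str, bind_dn: str, bind_entry: Entry,
                     target_entry: Entry) -> bool:
    """Evaluate 'attrName#bindType' for USERDN and plain value matching.
    USERDN: true when the bind DN equals one of the target's attrName values
    (manager#USERDN admits only the entry's manager). Any other bindType is
    taken as a value both entries must carry in attrName (assumption)."""
    attr, _, bind_type = rule.partition("#")
    if not attr or not bind_type:
        raise ValueError(f"expected attrName#bindType, got {rule!r}")
    target_vals = target_entry.get(attr, [])
    if bind_type.upper() == "USERDN":
        return norm_dn(bind_dn) in {norm_dn(v) for v in target_vals}
    wanted = bind_type.lower()
    return (wanted in (v.lower() for v in bind_entry.get(attr, []))
            and wanted in (v.lower() for v in target_vals))
```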