Advanced Access Control: Using Macro ACIs
• [$dn]
• ($attr.attrName), where attrName represents an attribute contained in the target entry

To simplify the discussion in this section, the ACI keywords used to provide bind credentials, such as userdn, roledn, groupdn, and userattr, are collectively called the subject, as opposed to the target of the ACI. Macro ACIs can be used in the target part or the subject part of an ACI.

Table 6-3 shows in what parts of the ACI you can use DN macros:

Table 6-3    Macros in ACI Keywords

Macro               ACI Keyword
($dn)               target, targetfilter, userdn, roledn, groupdn, userattr
[$dn]               targetfilter, userdn, roledn, groupdn, userattr
($attr.attrName)    userdn, roledn, groupdn, userattr

The following restrictions apply:
• If you use ($dn) in targetfilter, userdn, roledn, groupdn, userattr, you must define a target that contains ($dn).
• If you use [$dn] in targetfilter, userdn, roledn, groupdn, userattr, you must define a target that contains ($dn).

In short, when using any macro, you always need a target definition that contains the ($dn) macro.

You can combine the ($dn) macro and the ($attr.attrName) macro.

Macro Matching for ($dn)

The ($dn) macro is replaced by the matching part of the resource targeted in an LDAP request. For example, you have an LDAP request targeted at the cn=all, ou=groups,dc=subdomain1,dc=hostedCompany1,dc=example,dc=com entry, and an ACI that defines the target as follows:

(target="ldap:///ou=Groups,($dn),dc=example,dc=com")

The ($dn) macro matches with "dc=subdomain1, dc=hostedCompany1".

When the subject of the ACI also uses ($dn), the substring that matches the target is used to expand the subject. For example:

260    Netscape Directory Server Administrator's Guide • December 2003
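The ($dn) matching described on this page, as an added Python example (not code from the guide or from Directory Server): it extracts the substring that ($dn) matches in the target and substitutes it into a subject value. The function names and the SUBJECT value are constructed for illustration; the sketch assumes comma-separated RDNs compared case-insensitively, one ($dn) per target, and that the leftmost non-empty match is used.

```python
# Added sketch of ($dn) macro matching; not Directory Server source code.
# Assumptions: RDNs are separated by plain commas (no escaped commas or
# multi-valued RDNs) and are compared case-insensitively.
MACRO = "($dn)"

def split_rdns(dn):
    """Split a DN or DN fragment into its RDNs, dropping empty pieces."""
    return [rdn.strip() for rdn in dn.split(",") if rdn.strip()]

def norm(rdn):
    """Comparison key for one RDN: lower-cased (attribute, value)."""
    attr, _, value = rdn.partition("=")
    return (attr.strip().lower(), value.strip().lower())

def match_dn_macro(target, entry_dn):
    """Return the RDNs that ($dn) stands for, or None if the target does not apply."""
    template = target[len("ldap:///"):] if target.startswith("ldap:///") else target
    if template.count(MACRO) != 1:
        raise ValueError("this sketch handles exactly one ($dn) in the target")
    before, after = template.split(MACRO)
    prefix = [norm(r) for r in split_rdns(before)]
    suffix = [norm(r) for r in split_rdns(after)]
    entry = split_rdns(entry_dn)
    keys = [norm(r) for r in entry]
    if suffix and keys[-len(suffix):] != suffix:
        return None                      # entry is outside the target's suffix
    end = len(keys) - len(suffix)
    # The target covers a subtree, so the entry may carry extra RDNs to the
    # left of the prefix. Leftmost occurrence wins here (assumption).
    for i in range(end - len(prefix) + 1):
        matched = entry[i + len(prefix):end]
        if keys[i:i + len(prefix)] == prefix and matched:
            return matched               # empty match counts as no match (assumption)
    return None

def expand_subject(subject, matched):
    """Substitute the matched substring for ($dn) in a subject value."""
    return None if matched is None else subject.replace(MACRO, ",".join(matched))

# Entry DN and target are the ones used on this page.
ENTRY = "cn=all, ou=groups,dc=subdomain1,dc=hostedCompany1,dc=example,dc=com"
TARGET = "ldap:///ou=Groups,($dn),dc=example,dc=com"
# Constructed subject value for illustration (not from the guide).
SUBJECT = "ldap:///cn=DomainAdmins,ou=Groups,($dn),dc=example,dc=com"

if __name__ == "__main__":
    m = match_dn_macro(TARGET, ENTRY)
    print(m)
    print(expand_subject(SUBJECT, m))
```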