Defining Targets

3.1. The ACI Syntax

The aci attribute uses the following syntax:

aci: (target)(version 3.0;acl "name";permission bind_rules;)

target specifies the entry, attributes, or set of entries and attributes for which to control access. The target can be a distinguished name, one or more attributes, or a single LDAP filter. The target is an optional part of the ACI.

version 3.0 is a required string that identifies the ACI version.

name is a name for the ACI. The name can be any string that identifies the ACI. The ACI name is required.

permission specifically outlines what rights are being allowed or denied; for example, read or search rights.

bind_rules specify the credentials and bind parameters that a user has to provide to be granted access. Bind rules can also specifically deny access to certain users or groups of users.

You can have multiple permission-bind rule pairs for each target. This allows you to set multiple access controls for a given target efficiently. For example:

target(permission bind_rule)(permission bind_rule)...

If you have several access control rules (ACRs) in one ACI statement, the syntax takes the following form:

aci: (target)(version 3.0;acl "name";permission bind_rule;
     permission bind_rule; ... permission bind_rule;)

The following is an example of a complete LDIF ACI:

aci: (target="ldap:///uid=bjensen,dc=example,dc=com")(targetattr=*)
     (version 3.0;acl "aci1";allow (write) userdn="ldap:///self";)

In this example, the ACI states that the user bjensen has rights to modify all attributes in her own directory entry.
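The following is an added example, not code from Directory Server or from this manual: a small Python parser that takes an aci attribute value in the syntax described above and breaks it into its target clauses, version, ACI name, and permission/bind-rule pairs. It is useful for reviewing ACIs exported from the directory, because it rejects strings that do not fit the grammar (missing version, missing acl name, unbalanced parentheses, no ACR) instead of silently accepting them. The sample ACI strings are constructed for this example; the bjensen ACI is the one shown above.

```python
"""Minimal parser for the aci attribute syntax:
   (target)(version 3.0;acl "name";permission bind_rule; ... )
Illustration code only; it is not the server's own ACI parser."""
import re

# Constructed sample: the complete LDIF ACI shown above, minus the "aci: " prefix.
SAMPLE_ACI = (
    '(target="ldap:///uid=bjensen,dc=example,dc=com")(targetattr=*)'
    '(version 3.0;acl "aci1";allow (write) userdn="ldap:///self";)'
)

TARGET_RE = re.compile(r'^(\w+)\s*(!=|=)\s*(.*)$', re.S)      # keyword, operator, value
ACR_RE = re.compile(r'^(allow|deny)\s*\(([^)]*)\)\s*(.+)$', re.S)  # permission, rights, bind rule
ACL_RE = re.compile(r'^acl\s+"([^"]*)"$')                     # acl "name"


def _split_groups(text):
    """Return the contents of each top-level (...) group, ignoring parentheses inside quotes."""
    groups, depth, start, quoted = [], 0, None, False
    for i, ch in enumerate(text):
        if ch == '"':
            quoted = not quoted
        elif quoted:
            continue
        elif ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ')' at offset %d" % i)
            if depth == 0:
                groups.append(text[start + 1:i])
    if depth != 0 or quoted:
        raise ValueError("unbalanced parentheses or quotes")
    return groups


def _split_semicolons(body):
    """Split the version/acl/ACR body on ';' that are outside quotes and parentheses."""
    parts, depth, quoted, cur = [], 0, False, []
    for ch in body:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch == "(":
            depth += 1
        elif not quoted and ch == ")":
            depth -= 1
        if ch == ";" and not quoted and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        parts.append(tail)
    return parts


def parse_aci(value):
    """Parse one aci value into a dict with targets, version, name and ACRs.

    Raises ValueError when the string does not match the documented syntax."""
    if value.startswith("aci:"):
        value = value[4:].strip()
    groups = _split_groups(value)
    if not groups:
        raise ValueError("no parenthesised clauses found")
    *target_groups, body = groups  # every group before the last one is a target clause
    targets = []
    for g in target_groups:
        m = TARGET_RE.match(g.strip())
        if not m:
            raise ValueError("bad target clause: %r" % g)
        keyword, op, val = m.groups()
        targets.append((keyword, op, val.strip().strip('"')))
    parts = _split_semicolons(body)
    if len(parts) < 3:
        raise ValueError("body needs version, acl name and at least one permission/bind-rule pair")
    if parts[0] != "version 3.0":
        raise ValueError("unsupported or missing version: %r" % parts[0])
    m = ACL_RE.match(parts[1])
    if not m:
        raise ValueError("missing acl name: %r" % parts[1])
    acrs = []
    for p in parts[2:]:
        m = ACR_RE.match(p)
        if not m:
            raise ValueError("bad permission/bind-rule pair: %r" % p)
        kind, rights, bind_rule = m.groups()
        acrs.append({"permission": kind,
                     "rights": [r.strip() for r in rights.split(",") if r.strip()],
                     "bind_rule": bind_rule.strip()})
    return {"targets": targets, "version": "3.0", "name": m.group(1) if False else ACL_RE.match(parts[1]).group(1), "acrs": acrs}


if __name__ == "__main__":
    for key, val in parse_aci("aci: " + SAMPLE_ACI).items():
        print(key, "=", val)
```

Feeding the bjensen ACI through parse_aci yields one target clause for the entry DN, one for targetattr=*, the name aci1, and a single allow (write) rule bound to userdn="ldap:///self", which is exactly the reading given in the text.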

3.2. Defining Targets
