Defining Targets

the targeted entries. This is useful to deny or allow access to partial information about an entry. For example, you could allow access to only the common name, surname, and telephone number attributes of a given entry while denying access to sensitive information such as passwords.

You can specify that the target is equal or is not equal to a specific attribute. The attributes you supply do not need to be defined in the schema. This absence of schema checking makes it possible to implement an access control policy when you set up your directory service for the first time, even if the ACLs you create do not apply to the current directory content.

To target attributes, use the targetattr keyword. The keyword uses the following syntax:

(targetattr = "attribute")

You can target multiple attributes by using the targetattr keyword with the following syntax:

(targetattr = "attribute1 attribute2 ... attributeN")

attributeN is the name of the targeted attribute. For example, this targets the common name (cn) attribute:

(targetattr = "cn")

To target an entry's common name, surname, and UID attributes, use the following:

(targetattr = "cn sn uid")

The attributes specified in the targetattr keyword apply to the entry that the ACI is targeting and to all the entries below it. If you target the password attribute on the entry uid=bjensen,ou=Marketing,dc=example,dc=com, only the password attribute on the bjensen entry is affected by the ACI because it is a leaf entry.

If, however, you target the tree's branch point ou=Marketing,dc=example,dc=com, then all the entries beneath the branch point that can contain a password attribute are affected by the ACI.

3.2.3. Targeting Both an Entry and Attributes

By default, the entry targeted by an ACI containing a targetattr keyword is the entry on which the ACI is placed. That is, putting an ACI such as aci: (targetattr = "uid")(access_control_rules;) on the ou=Marketing,dc=example,dc=com entry means that the ACI applies to the entire Marketing subtree. However, you can also explicitly specify a target using the target keyword:

aci: (target="ldap:///ou=Marketing,dc=example,dc=com")(targetattr="uid")(access_control_rules;)
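The scoping rules above (a targetattr list applies to the targeted entry and everything beneath it, so an ACI placed on the leaf uid=bjensen reaches only that entry, while one placed on the ou=Marketing branch point reaches the whole subtree; and an explicit target keyword overrides the default target) are easy to get wrong when reviewing ACIs. The following Python is an added example, not code from the manual or from Directory Server itself: a minimal model of how the target and targetattr keywords decide which entry/attribute pairs an ACI reaches. It assumes a placed_on argument standing in for the DN of the entry holding the aci attribute, handles only the syntax shown on this page (an ldap:///DN target and a space-separated attribute list, each with = or !=), and deliberately leaves permissions, bind rules and wildcards out of scope.

```python
import re

# Added example (not the manual's own code): a minimal model of how the
# target and targetattr keywords scope an ACI. Only the syntax shown on the
# page is handled; permissions, bind rules and wildcards are not modeled.

TARGET_RE = re.compile(r'\(\s*target\s*(!?=)\s*"ldap:///([^"]*)"\s*\)')
TARGETATTR_RE = re.compile(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)')


def normalize_dn(dn):
    """Split a DN into lower-cased RDN components so two DNs compare
    case- and whitespace-insensitively, as LDAP DN matching does."""
    return tuple(part.strip().lower() for part in dn.split(","))


def in_subtree(entry_dn, scope_dn):
    """True if entry_dn is scope_dn itself or any entry beneath it."""
    entry, scope = normalize_dn(entry_dn), normalize_dn(scope_dn)
    return len(entry) >= len(scope) and entry[len(entry) - len(scope):] == scope


def parse_aci(aci, placed_on):
    """Return (target_dn, target_negated, attrs, attr_negated) for an ACI value.

    placed_on (assumed helper argument) is the DN of the entry that holds the
    aci attribute; it becomes the target when no target keyword is present,
    which is the default the manual describes.
    """
    m = TARGET_RE.search(aci)
    if m:
        target_dn, target_negated = m.group(2), m.group(1) == "!="
    else:
        target_dn, target_negated = placed_on, False
    m = TARGETATTR_RE.search(aci)
    if not m:
        # An ACI without targetattr has its own server-side semantics; this
        # model only covers ACIs that name their attributes explicitly.
        raise ValueError("targetattr keyword missing from ACI")
    attrs = {name.lower() for name in m.group(2).split()}
    return target_dn, target_negated, attrs, m.group(1) == "!="


def aci_covers(aci, placed_on, entry_dn, attribute):
    """Does this ACI's target/targetattr pair reach `attribute` on `entry_dn`?"""
    target_dn, target_negated, attrs, attr_negated = parse_aci(aci, placed_on)
    entry_hit = in_subtree(entry_dn, target_dn) != target_negated
    attr_hit = (attribute.lower() in attrs) != attr_negated
    return entry_hit and attr_hit


# Constructed sample ACIs and DNs, following the page's own examples.
MARKETING = "ou=Marketing,dc=example,dc=com"
BJENSEN = "uid=bjensen," + MARKETING

PASSWORD_ACI = '(targetattr = "userPassword")(access_control_rules;)'
UID_ACI = ('(target="ldap:///ou=Marketing,dc=example,dc=com")'
           '(targetattr="uid")(access_control_rules;)')
PUBLIC_ONLY_ACI = '(targetattr != "userPassword")(access_control_rules;)'


if __name__ == "__main__":
    # Placed on the leaf entry: only bjensen's own password attribute is reached.
    print(aci_covers(PASSWORD_ACI, BJENSEN, BJENSEN, "userPassword"))  # True
    print(aci_covers(PASSWORD_ACI, BJENSEN, "uid=other," + MARKETING, "userPassword"))  # False
    # Placed on the branch point: every entry beneath ou=Marketing is reached.
    print(aci_covers(PASSWORD_ACI, MARKETING, BJENSEN, "userPassword"))  # True
    # Explicit target plus targetattr="uid": uid yes, cn no.
    print(aci_covers(UID_ACI, "dc=example,dc=com", BJENSEN, "cn"))  # False
```

The != form of targetattr inverts the attribute match, so PUBLIC_ONLY_ACI above reaches cn, sn or telephoneNumber on any Marketing entry but never userPassword, which is the "expose only public attributes" pattern the section opens with. When auditing real ACIs, run each (placed_on, entry, attribute) triple you care about through a model like this and compare against the server's actual behaviour.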

HP-UX Red Hat Directory Server Software manual, Targeting Both an Entry and Attributes, 177