Chapter 6. Managing Access Control

userattr = "attrName#bindType"

Using an attribute type that requires a value other than a user DN, group DN, role DN, or an LDAP filter has the following format:

userattr = "attrName#attrValue"

attrName is the name of the attribute used for value matching.

bindType is one of USERDN, GROUPDN, ROLEDN, or LDAPURL.

attrValue is any string representing an attribute value.

4.5.1.1. Example with USERDN Bind Type

The following associates the userattr keyword with a bind based on the user DN:

userattr = "manager#USERDN"

The bind rule evaluates to true if the bind DN matches the value of the manager attribute in the targeted entry. You can use this to allow a user's manager to modify the employee's attributes. This mechanism only works if the manager attribute in the targeted entry holds a full DN; a value such as a plain name never matches. Note that whoever can write the manager attribute of an entry decides who this bind rule grants access to, so restrict who may modify that attribute.

The following example grants a manager full access to his or her employees' entries:

aci: (target="ldap:///dc=example,dc=com")(targetattr=*)(version 3.0; acl "manager-write"; allow (all) userattr = "manager#USERDN";)
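To apply an ACI like the one above, add it as a value of the aci attribute on the entry that heads the subtree, here dc=example,dc=com. The LDIF below is an added example, not taken from the manual; the host name, the ACI name and the ldapmodify invocation in the comment are assumptions. It keeps the userattr = "manager#USERDN" bind rule but narrows the manual's allow (all) on targetattr=*: with that form a manager can also reset the employee's userPassword and rewrite the employee's manager attribute (reassigning the delegation), so this variant excludes those two attributes from what the manager may touch.

```ldif
# Added example, not from the manual. Apply with standard ldapmodify flags, e.g.
#   ldapmodify -x -H ldap://ds.example.com -D "cn=Directory Manager" -W -f manager-write.ldif
# Compared with the manual's "manager-write" ACI, this keeps the same bind rule
# but denies the manager access to userPassword and to the manager attribute
# itself, so a manager cannot reset an employee's password or hand the
# delegation to another account.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///dc=example,dc=com")(targetattr != "userPassword || manager")(version 3.0; acl "manager-write-restricted"; allow (read, search, compare, write) userattr = "manager#USERDN";)
```

A targetattr != clause grants access to every attribute not listed, including attributes added to the schema later; if the set of attributes a manager should edit is known, list them explicitly with targetattr = "attr1 || attr2" instead.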

4.5.1.2. Example with GROUPDN Bind Type

The following associates the userattr keyword with a bind based on a group DN:

userattr = "owner#GROUPDN"

The bind rule evaluates to true if the bind DN is a member of the group specified in the owner attribute of the targeted entry. For example, you can use this mechanism to allow a group to manage employees' status information. You can use an attribute other than owner as long as the attribute you use contains the DN of a group entry.

The group you point to can be a dynamic group, and the DN of the group can be under any suffix in the database. However, the evaluation of this type of ACI by the server is very resource
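The following toy evaluator, added here and not part of the manual or of Directory Server, shows how the USERDN and GROUPDN bind rules from the two examples above are decided for a given bind DN and targeted entry. It covers the points the text makes: DN comparison is case- and whitespace-insensitive, a manager value that is not a full DN never matches, and GROUPDN is satisfied by static group membership via the DN stored in the named attribute. ROLEDN, LDAPURL, literal attribute values, dynamic groups and inheritance levels are not modelled. All entries, DNs and attribute values are constructed sample data.

```python
"""Toy evaluator for Directory Server userattr bind rules of the form
attrName#USERDN and attrName#GROUPDN over an in-memory set of entries.

Added illustration, not Directory Server code. The real server also handles
ROLEDN, LDAPURL, literal attribute values, dynamic groups and inheritance
levels, none of which are modelled here. All data below is constructed.
"""
from __future__ import annotations


def normalize_dn(dn: str) -> str:
    """Normalize a DN for comparison: DN matching is case-insensitive and
    ignores whitespace around RDN separators. Full RFC 4514 normalization
    (escaping, multi-valued RDNs, attribute-type aliases) is out of scope."""
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.strip().partition("=")
        if not sep:
            return dn.strip().lower()  # not a DN; treat as an opaque string
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def looks_like_dn(value: str) -> bool:
    """The manual's caveat: userattr only matches when the attribute holds a
    full DN. 'Mary Boss' is not a DN; 'uid=mboss,ou=People,dc=example,dc=com' is."""
    return all("=" in part for part in value.split(","))


def build_directory(entries: list[dict]) -> dict[str, dict[str, list[str]]]:
    """Index constructed entries by normalized DN; attribute names are
    lower-cased because LDAP attribute types are case-insensitive."""
    return {
        normalize_dn(entry["dn"]): {k.lower(): v for k, v in entry.items() if k != "dn"}
        for entry in entries
    }


def is_group_member(directory: dict, group_dn: str, bind_dn: str) -> bool:
    """Static group membership via member / uniqueMember. Dynamic (memberURL)
    groups, which the manual says are also allowed, are not evaluated here."""
    group = directory.get(normalize_dn(group_dn))
    if group is None:
        return False
    members = group.get("member", []) + group.get("uniquemember", [])
    return normalize_dn(bind_dn) in {normalize_dn(m) for m in members}


def userattr_matches(directory: dict, bind_dn: str, target_dn: str, rule: str) -> bool:
    """Evaluate userattr = "attrName#bindType" for one bind DN against one
    targeted entry. Returns True when the bind rule would be satisfied."""
    attr_name, sep, bind_type = rule.strip().strip('"').partition("#")
    if not sep:
        raise ValueError("userattr rule must have the form attrName#bindType")
    target = directory.get(normalize_dn(target_dn))
    if target is None:
        return False
    values = target.get(attr_name.lower(), [])
    if bind_type == "USERDN":
        # True when the bind DN equals a (full DN) value of attrName in the target.
        return any(looks_like_dn(v) and normalize_dn(v) == normalize_dn(bind_dn)
                   for v in values)
    if bind_type == "GROUPDN":
        # True when the bind DN is a member of a group whose DN is a value of attrName.
        return any(looks_like_dn(v) and is_group_member(directory, v, bind_dn)
                   for v in values)
    raise NotImplementedError(f"bind type {bind_type!r} is not modelled here")


# Constructed sample directory (hypothetical DNs and values).
SAMPLE_DIRECTORY = build_directory([
    {"dn": "uid=mboss,ou=People,dc=example,dc=com", "cn": ["Mary Boss"]},
    # manager expressed as a full DN: manager#USERDN can match.
    {"dn": "uid=jdoe,ou=People,dc=example,dc=com",
     "manager": ["uid=mboss,ou=People,dc=example,dc=com"]},
    # manager expressed as a plain name: the rule never matches.
    {"dn": "uid=asmith,ou=People,dc=example,dc=com",
     "manager": ["Mary Boss"]},
    {"dn": "uid=hr1,ou=People,dc=example,dc=com"},
    {"dn": "cn=HR Managers,ou=Groups,dc=example,dc=com",
     "member": ["uid=hr1,ou=People,dc=example,dc=com"]},
    # owner names a group DN: used with owner#GROUPDN.
    {"dn": "uid=bwilson,ou=People,dc=example,dc=com",
     "owner": ["cn=HR Managers,ou=Groups,dc=example,dc=com"]},
])


if __name__ == "__main__":
    checks = [
        ("uid=mboss,ou=People,dc=example,dc=com", "uid=jdoe,ou=People,dc=example,dc=com", "manager#USERDN"),
        ("UID=MBoss, OU=People, DC=Example, DC=com", "uid=jdoe,ou=People,dc=example,dc=com", "manager#USERDN"),
        ("uid=mboss,ou=People,dc=example,dc=com", "uid=asmith,ou=People,dc=example,dc=com", "manager#USERDN"),
        ("uid=hr1,ou=People,dc=example,dc=com", "uid=bwilson,ou=People,dc=example,dc=com", "owner#GROUPDN"),
        ("uid=mboss,ou=People,dc=example,dc=com", "uid=bwilson,ou=People,dc=example,dc=com", "owner#GROUPDN"),
    ]
    for bind_dn, target_dn, rule in checks:
        result = userattr_matches(SAMPLE_DIRECTORY, bind_dn, target_dn, rule)
        print(f"{rule:15} bind={bind_dn.split(',')[0]:12} target={target_dn.split(',')[0]:12} -> {result}")
```

Run it directly to see each check decided; the second USERDN check passes despite different case and spacing because DN comparison is normalized, and the asmith check fails because the manager value is a name rather than a DN.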
