Chapter 6. Managing Access Control

Macro              ACI Keyword
($dn)              target, targetfilter, userdn, roledn, groupdn, userattr
[$dn]              targetfilter, userdn, roledn, groupdn, userattr
($attr.attrName)   userdn, roledn, groupdn, userattr

Table 6.9. Macros in ACI Keywords

The following restrictions apply:

If you use ($dn) in targetfilter, userdn, roledn, groupdn, userattr, you must define a target that contains ($dn).

If you use [$dn] in targetfilter, userdn, roledn, groupdn, userattr, you must define a target that contains ($dn).

NOTE

When using any macro, you always need a target definition that contains the ($dn) macro.

You can combine the ($dn) macro and the ($attr.attrName) macro.

10.2.1. Macro Matching for ($dn)

The ($dn) macro is replaced by the matching part of the resource targeted in an LDAP request. For example, you have an LDAP request targeted at the cn=all,ou=groups,dc=subdomain1,dc=hostedCompany1,dc=example,dc=com entry and an ACI that defines the target as follows:

(target="ldap:///ou=Groups,($dn),dc=example,dc=com")

The ($dn) macro matches with dc=subdomain1,dc=hostedCompany1.

When the subject of the ACI also uses ($dn), the substring that matches the target is used to expand the subject. For example:

aci: (target="ldap:///ou=*,($dn),dc=example,dc=com")
  (targetattr = "*") (version 3.0; acl "Domain access"; allow (read,search)
  groupdn="ldap:///cn=DomainAdmins,ou=Groups,($dn),dc=example,dc=com";)
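To audit which group an ACI like the one above actually grants access to for a given entry, the following added example (not code from the manual or from Directory Server) models the ($dn) substitution in Python. It is a simplified model of the matching described in this section, not the server's algorithm; the function names and the request DNs are assumptions made for illustration.

```python
import re
from typing import Optional

MACRO = "($dn)"

def normalize_dn(dn: str) -> str:
    """Drop the ldap:/// prefix and spaces around RDN separators."""
    if dn.startswith("ldap:///"):
        dn = dn[len("ldap:///"):]
    return re.sub(r"\s*,\s*", ",", dn.strip())

def match_dn_macro(target: str, entry_dn: str) -> Optional[str]:
    """Return the part of entry_dn that ($dn) in target matches, else None."""
    target = normalize_dn(target)
    if target.count(MACRO) != 1:
        raise ValueError("this sketch expects exactly one ($dn) in the target")
    regex = ""
    for piece in re.split(r"(\(\$dn\)|\*)", target):
        if piece == MACRO:
            regex += r"(?P<dn>[^,]+(?:,[^,]+)*)"   # one or more whole RDNs
        elif piece == "*":
            regex += r"[^,]*"                      # wildcard inside one RDN
        else:
            regex += re.escape(piece)
    # The target names a subtree, so the requested entry may sit below it.
    m = re.match(r"^(?:.*,)?" + regex + "$", normalize_dn(entry_dn), re.IGNORECASE)
    return m.group("dn") if m else None

def expand_subject(target: str, subject: str, entry_dn: str) -> Optional[str]:
    """Substitute the substring matched in the target into the bind rule DN."""
    matched = match_dn_macro(target, entry_dn)
    return None if matched is None else subject.replace(MACRO, matched)

if __name__ == "__main__":
    # Constructed request DNs; the target and groupdn come from the ACI above.
    target = "ldap:///ou=*,($dn),dc=example,dc=com"
    groupdn = "ldap:///cn=DomainAdmins,ou=Groups,($dn),dc=example,dc=com"
    for dn in ("cn=all,ou=groups,dc=subdomain1,dc=hostedCompany1,dc=example,dc=com",
               "uid=jdoe,ou=People,dc=hostedCompany2,dc=example,dc=com",
               "ou=People,dc=example,dc=com"):
        print(dn, "->", expand_subject(target, groupdn, dn))
```

An entry that yields None is not covered by the ACI at all, which is the case to check when confirming that one hosted company's DomainAdmins group cannot be expanded for another company's subtree.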
