HP-UX Directory Server 8.1 administrator guide

groupdn="ldap:///dc=example,dc=com??sub?(ou=engineering) && ldap:///dc=example,dc=com??sub?(manager="uid=bjensen,ou=managers,dc=example,dc=com")"
For more information about LDAP URLs, see Appendix C “LDAP URLs”.
6.4.2.6 Wildcards
You can also specify a set of users by using the wildcard character (*). For example, specifying
a user DN of uid=u*,dc=example,dc=com indicates that only users with a bind DN beginning
with the letter u are allowed or denied access based on the permissions you set.
From the Directory Server Console, you set user access from the Access Control Editor. For
more information, see “Creating ACIs from the console”.
6.4.2.7 Examples
Table 6-4 userdn keyword examples (columns: Scenario, Example, Description)

Scenario: Userdn keyword containing an LDAP URL
Example: userdn = "ldap:///uid=*,dc=example,dc=com";
Description: The bind rule is evaluated to be true if the user binds to the directory using any distinguished name of the specified pattern. For example, both of the following bind DNs would be evaluated to be true:
uid=ssarette,dc=example,dc=com
uid=tjaz,ou=Accounting,dc=example,dc=com
This bind DN would be evaluated to be false:
cn=Babs Jensen,dc=example,dc=com

Scenario: Userdn keyword containing logical OR of LDAP URLs
Example: userdn="ldap:///uid=bj,dc=example,dc=com || ldap:///uid=kc,dc=example,dc=com";
Description: The bind rule is evaluated to be true if the client binds as either of the two supplied distinguished names.

Scenario: Userdn keyword excluding a specific LDAP URL
Example: userdn != "ldap:///uid=*,ou=Accounting,dc=example,dc=com";
Description: The bind rule is evaluated to be true if the client is not binding as a UID-based distinguished name in the accounting subtree. This bind rule only makes sense if the targeted entry is not under the accounting branch of the directory tree.

Scenario: Userdn keyword containing self keyword
Example: userdn = "ldap:///self";
Description: The bind rule is evaluated to be true if the user is accessing the entry represented by the DN with which the user bound to the directory. That is, if the user has bound as uid=ssarette,dc=example,dc=com and the user is attempting an operation on the uid=ssarette,dc=example,dc=com entry, then the bind rule is true.
If you want to grant all users in the example.com tree write access to their userPassword attribute, you would create the following ACI on the dc=example,dc=com node.
aci: (targetattr = "userPassword")(version 3.0; acl "write-self"; allow (write) userdn = "ldap:///self";)
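As an added illustration (not code from the HP-UX Directory Server guide or the server itself), the Python model below evaluates userdn bind rules the way the Wildcards section and Table 6-4 describe them: a DN pattern with * wildcards, the || and != forms, and the ldap:///self keyword. The DN normalisation and the rule parser are simplified assumptions of this example; a real server performs full DN normalisation and supports further keywords.

```python
import re


def normalize_dn(dn):
    """Canonicalise a DN for comparison: lowercase, no whitespace around RDN separators.
    Assumption of this example; a real server does full DN normalisation."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def url_matches(url, bind_dn, target_dn=None):
    """True if one ldap:/// URL from a userdn rule matches the bound identity.
    Handles a DN pattern (with * wildcards) and the special 'self' keyword."""
    if not url.startswith("ldap:///"):
        raise ValueError("userdn values must be LDAP URLs: %r" % url)
    pattern = url[len("ldap:///"):]
    if pattern == "self":
        # ldap:///self is true only when the bind DN is the entry being accessed
        return target_dn is not None and normalize_dn(bind_dn) == normalize_dn(target_dn)
    # Each '*' becomes '.*'; everything else is matched literally. As in Table 6-4,
    # a wildcard may span several RDNs, so uid=*,dc=example,dc=com also matches
    # entries in sub-branches such as ou=Accounting.
    regex = ".*".join(re.escape(p) for p in normalize_dn(pattern).split("*"))
    return re.fullmatch(regex, normalize_dn(bind_dn)) is not None


def evaluate_userdn(rule, bind_dn, target_dn=None):
    """Evaluate a userdn bind rule string against a bind DN (and, for ldap:///self,
    the DN of the targeted entry). Supports =, != and '||' between URLs."""
    m = re.fullmatch(r'\s*userdn\s*(!?=)\s*"([^"]*)"\s*;?\s*', rule, re.S)
    if not m:
        raise ValueError("unsupported bind rule syntax: %r" % rule)
    op, urls = m.group(1), m.group(2)
    matched = any(url_matches(u.strip(), bind_dn, target_dn) for u in urls.split("||"))
    return matched if op == "=" else not matched


if __name__ == "__main__":
    # Constructed checks mirroring the rows of Table 6-4
    any_uid = 'userdn = "ldap:///uid=*,dc=example,dc=com";'
    print(evaluate_userdn(any_uid, "uid=tjaz,ou=Accounting,dc=example,dc=com"))  # True
    print(evaluate_userdn(any_uid, "cn=Babs Jensen,dc=example,dc=com"))          # False
    not_acct = 'userdn != "ldap:///uid=*,ou=Accounting,dc=example,dc=com";'
    print(evaluate_userdn(not_acct, "uid=tjaz,ou=Accounting,dc=example,dc=com"))  # False
    me = 'userdn = "ldap:///self";'
    print(evaluate_userdn(me, "uid=ssarette,dc=example,dc=com",
                          "uid=ssarette,dc=example,dc=com"))                      # True
```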
246 Managing access control