HP-UX Directory Server 8.1 administrator guide

If you are using static groups that are under the same suffix as the targeted entry, you can use
the following expression:
userattr = "ldap:///dc=example,dc=com?owner#GROUPDN"
In this example, the group entry is under the dc=example,dc=com suffix. The server can process
this type of syntax more quickly than the previous example.
(By default, owner is not an allowed attribute in a user's entry. You would have to extend your
schema to allow this attribute in a person object.)
6.4.5.1.3 Example with ROLEDN bind type
The following associates the userattr keyword with a bind based on a role DN:
userattr = "exampleEmployeeReportsTo#ROLEDN"
The bind rule is evaluated to be true if the bind DN belongs to the role specified in the
exampleEmployeeReportsTo attribute of the targeted entry. For example, if you create a
nested role for all managers in your company, you can use this mechanism to grant managers
at all levels access to information about employees that are at a lower grade than themselves.
NOTE:
This example assumes that you have added the exampleEmployeeReportsTo attribute to
the schema and that all employee entries contain this attribute. It also assumes that the value of
this attribute is the DN of a role entry. For information on adding attributes to the schema, see
“Creating attributes”.
The DN of the role can be under any suffix in the database. If you are also using filtered roles,
the evaluation of this type of ACI uses a lot of resources on the server.
If you are using a static role definition and the role entry is under the same suffix as the targeted
entry, you can use the following expression:
userattr = "ldap:///dc=example,dc=com?employeeReportsTo#ROLEDN"
In this example, the role entry is under the dc=example,dc=com suffix. The server can process
this type of syntax more quickly than the previous example.
6.4.5.1.4 Example with LDAPURL bind type
The following associates the userattr keyword with a bind based on an LDAP filter:
userattr = "myfilter#LDAPURL"
The bind rule is evaluated to be true if the bind DN matches the filter specified in the myfilter
attribute of the targeted entry. The myfilter attribute can be replaced by any attribute that
contains an LDAP filter.
6.4.5.1.5 Example with any attribute value
The following associates the userattr keyword with a bind based on any attribute value:
userattr = "favoriteDrink#Beer"
The bind rule is evaluated to be true if the bind DN and the target DN include the
favoriteDrink attribute with a value of Beer.
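The following is an added illustration, not part of the HP-UX Directory Server guide: a toy evaluator for the userattr bind rule forms shown above (GROUPDN, ROLEDN, LDAPURL and a literal attribute value), run against a small constructed in-memory directory. The entries, DNs and the single-equality-filter handling for LDAPURL are assumptions made for the example, and the attribute is always read from the targeted entry, as the guide describes.

```python
from typing import Dict, List

# Constructed directory for the example: DN -> attributes (all keys lowercase).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "nsrole": ["cn=managers,dc=example,dc=com"],
        "favoritedrink": ["Beer"],
    },
    "uid=bob,ou=people,dc=example,dc=com": {           # the targeted entry
        "owner": ["cn=hr,ou=groups,dc=example,dc=com"],
        "exampleemployeereportsto": ["cn=managers,dc=example,dc=com"],
        "myfilter": ["ldap:///dc=example,dc=com??sub?(nsrole=cn=managers,dc=example,dc=com)"],
        "favoritedrink": ["Beer"],
    },
    "uid=carol,ou=people,dc=example,dc=com": {"favoritedrink": ["Water"]},
    "cn=hr,ou=groups,dc=example,dc=com": {
        "uniquemember": ["uid=carol,ou=people,dc=example,dc=com"],
    },
}

def _values(dn: str, attr: str) -> List[str]:
    """Attribute values of an entry; DNs and attribute names compare case-insensitively."""
    return DIRECTORY.get(dn.lower(), {}).get(attr.lower(), [])

def userattr_matches(rule: str, bind_dn: str, target_dn: str) -> bool:
    """Evaluate a userattr = "attr#BINDTYPE" bind rule for bind_dn against target_dn."""
    attr, bind_type = rule.split("#", 1)
    if attr.startswith("ldap:///"):          # "ldap:///suffix?attr" form: drop the suffix part
        attr = attr.split("?", 1)[1]
    target_vals = _values(target_dn, attr)  # the attribute is always read from the TARGET entry
    if bind_type == "USERDN":                # target attribute holds the bind DN itself
        return bind_dn.lower() in (v.lower() for v in target_vals)
    if bind_type == "GROUPDN":               # target attribute names a group; bind DN must be a member
        return any(bind_dn.lower() in (m.lower() for m in _values(g, "uniqueMember") + _values(g, "member"))
                   for g in target_vals)
    if bind_type == "ROLEDN":                # target attribute names a role; bind entry must hold it in nsRole
        held = {r.lower() for r in _values(bind_dn, "nsRole")}
        return any(r.lower() in held for r in target_vals)
    if bind_type == "LDAPURL":               # target attribute holds an LDAP URL; its filter must match the bind entry
        for url in target_vals:              # toy filter support: a single (attr=value) equality filter
            fattr, _, fval = url.rsplit("?", 1)[-1].strip("()").partition("=")
            if fval in _values(bind_dn, fattr):
                return True
        return False
    # Any other token is a literal value that both the bind entry and the target entry must carry.
    return bind_type in target_vals and bind_type in _values(bind_dn, attr)
```

Because the matching attribute lives on the targeted entry, whoever can write that attribute (owner, exampleEmployeeReportsTo, myfilter, favoriteDrink) effectively controls who the bind rule admits, so the ACIs that govern those attributes matter as much as the userattr rule itself.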
6.4.5.1.6 Using the userattr keyword with inheritance
When you use the userattr keyword to associate the entry used to bind with the target entry,
the ACI applies only to the target specified and not to the entries below it. In some circumstances,
you might want to extend the application of the ACI several levels below the targeted entry. This
is possible by using the parent keyword and specifying the number of levels below the target
that should inherit the ACI.
250 Managing access control