HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3332, November 2013)

Additionally, bind rules can be complex constructions that combine these criteria by using Boolean
operators. See “Using Boolean bind rules” (page 254) for more information.
Bind rule syntax
Whether access is allowed or denied depends on whether an ACI's bind rule is evaluated to be
true. Bind rules use one of the two following patterns:
keyword = "expression"; or
keyword != "expression";
Equal (=) indicates that keyword and expression must match in order for the bind rule to be
true, and not equal (!=) indicates that keyword and expression must not match in order for
the bind rule to be true.
NOTE:
The timeofday keyword also supports the inequality expressions (<, <=, >, >=). This is the only
keyword that supports these expressions.
The quotation marks ("") around expression and the delimiting semicolon (;) are required. The
expressions you can use depend on the associated keyword.
Table 25 (page 243) lists each keyword and the associated expressions and indicates whether
wildcard characters are allowed in the expression.
Table 25 LDIF bind rule keywords
Keyword      Valid expressions                  Wildcard allowed
userdn       ldap:///distinguished_name         Yes, in DN only
             ldap:///all
             ldap:///anyone
             ldap:///self
             ldap:///parent
             ldap:///suffix??scope?(filter)
groupdn      ldap:///DN || DN                   No
             ldap:///suffix??scope?(filter)
roledn       ldap:///DN || DN                   No
userattr     attribute#bindType or              No
             attribute#value
ip           IP_address                         Yes
dns          DNS_host_name                      Yes
dayofweek    sun mon tue wed thu fri sat        No
timeofday    0 - 2359                           No
authmethod   none                               No
             simple
             ssl
             sasl sasl_mechanism
Defining user access - userdn keyword
User access is defined using the userdn keyword. The userdn keyword requires one or more
valid distinguished names in the following format:
userdn = "ldap:///dn [|| ldap:///dn]...[|| ldap:///dn]"
dn can be a DN or one of the expressions anyone, all, self, or parent:
userdn = "ldap:///anyone" Defines anonymous access
userdn = "ldap:///all" Defines general access
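As an added illustration (not code from the guide or from Directory Server), the following Python checker parses the two bind rule patterns above, enforces the rule that only timeofday accepts the inequality operators, and evaluates userdn (anyone, all, self, parent, explicit DNs joined with ||), dayofweek, timeofday and authmethod against a bind context. The keyword list is taken from Table 25; the `ctx` dictionary layout and the simplified, case-insensitive DN comparison are my own assumptions.

```python
import re
# Bind rule keywords from Table 25; only timeofday accepts <, <=, > and >=.
KEYWORDS = {"userdn", "groupdn", "roledn", "userattr", "ip", "dns",
            "dayofweek", "timeofday", "authmethod"}
# keyword op "expression";  (quotes and the trailing semicolon are mandatory)
_RULE = re.compile(r'^\s*(\w+)\s*(!=|<=|>=|=|<|>)\s*"([^"]*)"\s*;\s*$')

def parse_bind_rule(text):
    """Split one bind rule into (keyword, operator, expression); reject bad syntax."""
    if not (m := _RULE.match(text)):
        raise ValueError('bind rule must look like: keyword = "expression";')
    keyword, op, expr = m.group(1).lower(), m.group(2), m.group(3)
    if keyword not in KEYWORDS:
        raise ValueError("unknown bind rule keyword: " + keyword)
    if op not in ("=", "!=") and keyword != "timeofday":
        raise ValueError("inequality operators are only valid with timeofday")
    return keyword, op, expr

def _userdn_matches(expr, ctx):
    """True if any '||' alternative matches (assumes simplified, case-insensitive DNs)."""
    bind_dn = (ctx.get("bind_dn") or "").lower()   # "" means an anonymous bind
    target = (ctx.get("target_dn") or "").lower()  # entry the ACI applies to
    for alt in expr.split("||"):
        value = alt.strip().split("ldap:///", 1)[-1].lower()
        if value == "anyone":                        # anonymous access: everyone
            return True
        if value == "all" and bind_dn:               # general access: any bound user
            return True
        if value == "self" and bind_dn and bind_dn == target:
            return True
        if value == "parent" and bind_dn and target.split(",", 1)[1:] == [bind_dn]:
            return True
        if bind_dn and bind_dn == value:             # an explicit DN
            return True
    return False

def evaluate(rule, ctx):
    """Evaluate a parsed rule against a bind context dict (timeofday is an HHMM string)."""
    keyword, op, expr = rule
    if keyword == "timeofday":
        now, bound = int(ctx["timeofday"]), int(expr)
        return {"=": now == bound, "!=": now != bound, "<": now < bound,
                "<=": now <= bound, ">": now > bound, ">=": now >= bound}[op]
    if keyword == "userdn":
        matched = _userdn_matches(expr, ctx)
    elif keyword in ("dayofweek", "authmethod"):
        matched = ctx[keyword].lower() in expr.lower().split()
    else:
        raise NotImplementedError(keyword + " is not evaluated in this example")
    return matched if op == "=" else not matched
```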
Bind rules 243