HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3332, November 2013)
Figure 13 Example directory tree for macro ACIs
The following ACI is located on the dc=hostedCompany1,dc=example,dc=com node:
aci: (targetattr="*")(targetfilter=(objectClass=nsManagedDomain))
(version 3.0; acl "Domain access"; allow (read,search)
groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=hostedCompany1,dc=example,dc=com";)
The following ACI is located on the dc=subdomain1,dc=hostedCompany1,
dc=example,dc=com node:
aci: (targetattr="*")(targetfilter=(objectClass=nsManagedDomain))
(version 3.0; acl "Domain access"; allow (read,search)
groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=subdomain1,dc=hostedCompany1,dc=example,dc=com";)
The following ACI is located on the dc=hostedCompany2,dc=example,dc=com node:
aci: (targetattr="*")(targetfilter=(objectClass=nsManagedDomain))
(version 3.0; acl "Domain access"; allow (read,search)
groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=hostedCompany2,dc=example,dc=com";)
The following ACI is located on the dc=subdomain1,dc=hostedCompany2,
dc=example,dc=com node:
aci: (targetattr="*")(targetfilter=(objectClass=nsManagedDomain))
(version 3.0; acl "Domain access"; allow (read,search)
groupdn="ldap:///cn=DomainAdmins,ou=Groups, dc=subdomain1,dc=hostedCompany2,dc=example,dc=com";)
In the four ACIs shown above, the only differentiator is the DN specified in the groupdn keyword.
By using a macro for the DN, it is possible to replace these ACIs by a single ACI at the root of the
tree, on the dc=example,dc=com node. This ACI reads as follows:
aci: (target="ldap:///ou=Groups,($dn),dc=example,dc=com")
(targetattr="*")(targetfilter=(objectClass=nsManagedDomain))
(version 3.0; acl "Domain access"; allow (read,search)
groupdn="ldap:///cn=DomainAdmins,ou=Groups,[$dn],dc=example,dc=com";)
The target keyword, which was not previously used, is utilized in the new ACI.
286 Managing Access Control