Red Hat Directory Server 8.0 Administrator's Guide

3.1. The ACI Syntax
The aci attribute uses the following syntax:
aci: (target)(version 3.0;acl "name";permission bind_rules;)
target specifies the entry, attributes, or set of entries and attributes for which to control
access. The target can be a distinguished name, one or more attributes, or a single LDAP
filter. The target is an optional part of the ACI.
version 3.0 is a required string that identifies the ACI version.
name is a name for the ACI. The name can be any string that identifies the ACI. The ACI
name is required.
permission specifically outlines what rights are being allowed or denied; for example, read or
search rights.
bind_rules specify the credentials and bind parameters that a user has to provide to be
granted access. Bind rules can also specifically deny access to certain users or groups of
users.
You can have multiple permission-bind rule pairs for each target. This allows you to set multiple
access controls for a given target efficiently. For example:
target(permission bind_rule)(permission bind_rule)...
If you have several ACRs (permission-bind rule pairs) in one ACI statement, the syntax is in the following form:
aci: (target)(version 3.0;acl "name";permission bind_rule;
permission bind_rule; ... permission bind_rule;)
The following is an example of a complete LDIF ACI:
aci: (target="ldap:///uid=bjensen,dc=example,dc=com")(targetattr=*)
(version 3.0;acl "aci1";allow (write) userdn="ldap:///self";)
In this example, the ACI states that the user bjensen has rights to modify all attributes in her
own directory entry.
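To make the four parts concrete, the following is an added Python parser (not from this guide or from Directory Server itself) that splits an aci value into its target clauses, ACI name and permission/bind rule pairs, and rejects a value that lacks a required part. It assumes the single-line form shown above, and that bind rules contain no unquoted semicolons.

```python
import re

# The complete LDIF ACI from the guide: bjensen may write every attribute of her own entry.
EXAMPLE_ACI = ('aci: (target="ldap:///uid=bjensen,dc=example,dc=com")(targetattr=*)'
               '(version 3.0;acl "aci1";allow (write) userdn="ldap:///self";)')

GROUP_RE = re.compile(r'\s*\(((?:[^()"]|"[^"]*")*)\)')  # one (...) group; parens inside "..." are literal
TARGET_RE = re.compile(r'^(targ\w*)\s*(!?=)\s*"?(.*?)"?$', re.S)  # target, targetattr, targetfilter, ...
ACR_RE = re.compile(r"^(allow|deny)\s*\(([^)]*)\)\s*(.+)$", re.S)  # permission followed by its bind rule

def split_clauses(text):
    # Split on ';' outside double quotes: version 3.0 ; acl "name" ; ACR ; ACR ; ...
    parts, cur, quoted = [], "", False
    for ch in text:
        quoted ^= ch == '"'
        if ch == ";" and not quoted:
            parts, cur = parts + [cur], ""
        else:
            cur += ch
    return [p.strip() for p in parts + [cur] if p.strip()]

def parse_aci(aci):
    # Parse one aci value into its targets, name and (permission, bind rule) pairs, raising
    # ValueError when a required part (version 3.0, acl "name", at least one pair) is missing.
    body = (aci.split(":", 1)[1] if aci.lstrip().startswith("aci:") else aci).strip()
    targets, pos = [], 0
    while (m := GROUP_RE.match(body, pos)) and not m.group(1).lstrip().lower().startswith("version"):
        t = TARGET_RE.match(m.group(1).strip())
        if not t:
            raise ValueError(f"bad target clause: ({m.group(1)})")
        targets.append((t.group(1).lower(), t.group(2), t.group(3)))
        pos = m.end()
    rest = body[pos:].strip()
    if not (rest.startswith("(") and rest.endswith(")")):
        raise ValueError('ACI must end with a (version 3.0;acl "name";...) group')
    clauses = split_clauses(rest[1:-1])
    if len(clauses) < 3 or not re.fullmatch(r"version\s+3\.0", clauses[0], re.I):
        raise ValueError('expected version 3.0; acl "name"; and at least one permission/bind rule pair')
    name = re.fullmatch(r'acl\s+"([^"]*)"', clauses[1], re.I)
    if not name:
        raise ValueError('the ACI name (acl "name") is required')
    acrs = []
    for clause in clauses[2:]:
        a = ACR_RE.match(clause)
        if not a:
            raise ValueError(f"bad permission/bind rule pair: {clause}")
        rights = [r.strip().lower() for r in a.group(2).split(",") if r.strip()]
        acrs.append({"access": a.group(1).lower(), "rights": rights, "bind_rule": a.group(3).strip()})
    return {"targets": targets, "name": name.group(1), "acrs": acrs}
```

Run parse_aci(EXAMPLE_ACI) to see the guide's example broken into its target, targetattr, name and single allow rule; a value with the acl "name" or version 3.0 clause omitted raises ValueError instead of being silently accepted.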
3.2. Defining Targets