Red Hat Directory Server 8.0 Administrator's Guide

The target identifies to what the ACI applies. If the target is not specified, the ACI applies to the
entry containing the aci attribute and to the entries below it. A target can be any of the
following:
• A directory entry or all of the entries in a subtree, as described in Section 3.2.1, “Targeting a Directory Entry”.
• Attributes of an entry, as described in Section 3.2.2, “Targeting Attributes”.
• A set of entries or attributes that match a specified LDAP filter, as described in Section 3.2.4, “Targeting Entries or Attributes Using LDAP Filters”.
• An attribute value, or a combination of values, that match a specified LDAP filter, as described in Section 3.2.5, “Targeting Attribute Values Using LDAP Filters”.
The general syntax for a target is as follows:
    (keyword = "expression")
    (keyword != "expression")

• keyword indicates the type of target.
• equal (=) indicates that the target is the object specified in the expression, and not equal (!=) indicates the target is not the object specified in the expression.
• expression identifies the target.
The quotation marks ("") around expression are required. What you use for expression is
dependent upon the keyword that you supply.
Table 6.1, “LDIF Target Keywords” lists each keyword and the associated expressions.
Keyword            Valid Expressions             Wildcard Allowed
target             ldap:///distinguished_name    Yes
targetattr         attribute                     Yes
targetfilter       LDAP_filter                   Yes
targetattrfilters  LDAP_operation:LDAP_filter    Yes

Table 6.1. LDIF Target Keywords
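
The following is an added example, not part of the guide or of Directory Server itself: a small Python check that reads the target clauses at the front of an ACI value and reports clauses that break the syntax above or widen the ACI's scope. The function name lint_targets and the sample ACI strings are constructed for illustration; the text after the target clauses is not inspected.

```python
import re

# Keywords from Table 6.1; compared exactly as the table spells them.
TARGET_KEYWORDS = {"target", "targetattr", "targetfilter", "targetattrfilters"}
# One clause: (keyword = "expression") or (keyword != "expression").
CLAUSE = re.compile(r'\(\s*([A-Za-z]+)\s*(!=|=)\s*"([^"]*)"\s*\)')
# Same shape, but the required quotation marks are missing.
UNQUOTED = re.compile(r'\(\s*([A-Za-z]+)\s*(!=|=)\s*[^"\s)][^)]*\)')


def lint_targets(aci):
    """Parse the target clauses that lead an ACI value; return (targets, findings)."""
    targets, findings, pos = [], [], 0
    while True:
        while pos < len(aci) and aci[pos].isspace():
            pos += 1
        m = CLAUSE.match(aci, pos)
        if not m:
            bad = UNQUOTED.match(aci, pos)
            if bad:
                findings.append(f"{bad.group(1)}: expression must be in quotation marks")
            break
        keyword, op, expr = m.groups()
        pos = m.end()
        if keyword not in TARGET_KEYWORDS:
            findings.append(f"{keyword}: not a target keyword")
            continue
        if keyword == "target" and not expr.startswith("ldap:///"):
            findings.append("target: expression must be ldap:///distinguished_name")
        if keyword == "targetattrfilters" and ":" not in expr:
            findings.append("targetattrfilters: expected LDAP_operation:LDAP_filter")
        if op == "!=":
            findings.append(f"{keyword}: negated, target is not {expr!r}")
        targets.append((keyword, op, expr))
    if not targets and not findings:
        findings.append("no target: ACI applies to its own entry and the entries below it")
    return targets, findings


# Constructed sample ACI values (not taken from the guide).
SAMPLES = [
    '(target="ldap:///ou=accounting,dc=example,dc=com")(targetattr!="userPassword")'
    '(version 3.0; acl "sample"; allow (read) userdn="ldap:///anyone";)',
    '(targetattr=cn)(version 3.0; acl "sample"; allow (read) userdn="ldap:///anyone";)',
    '(version 3.0; acl "sample"; allow (read) userdn="ldap:///anyone";)',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(lint_targets(sample))
```
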
In all cases, you must keep in mind that when you place an ACI on an entry, if it is not a leaf
entry, the ACI also applies to all entries below it. For example, if you target the entry
ou=accounting,dc=example,dc=com, the permissions you set apply to all entries in the
Chapter 6. Managing Access Control