Red Hat Directory Server 8.0 Administrator's Guide

accounting branch of the example.com tree.
As a counterexample, if you place an ACI on the ou=accounting,dc=example,dc=com entry,
you cannot target the uid=sarette,ou=people,dc=example,dc=com entry because it is not
located under the accounting tree.
Be wary of using != when specifying an attribute to deny. ACLs are treated as a logical OR,
which means that if you created two ACLs as shown below, the result allows all values of the
target attribute.
acl1: ( target=...)( targetattr!=a )(version 3.0; acl "name";allow (...)..
acl2: ( target=...)( targetattr!=b )(version 3.0; acl "name";allow (...)..
The first ACL (acl1) allows b and the second ACL (acl2) allows a. The result of these two
ACLs is the same as the one resulting from using an ACL of the following form:
acl3: ( targetattr="*" ) allow (...) ...
In the second example, nothing is denied, which could give rise to security problems.
When you want to deny access to a particular attribute, use deny in the permissions clause
rather than using allow with ( targetattr != value ). For example, usages such as these
are recommended:
acl1: ( target=...)( targetattr=a )(version 3.0; acl "name";deny (...)..
acl2: ( target=...)( targetattr=b )(version 3.0; acl "name";deny (...)..
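The interaction described above can be checked with a small model of ACI evaluation. The following is an added example, not code from the guide or from Directory Server itself: it parses the reduced ACI form used in this section, ORs the rules together as the text describes, and assumes (as a simplifying model of the server's behavior) that a matching deny overrides any matching allow. The attribute names a, b and c, the userdn clauses and the allow-all baseline in the deny variant are constructed for the demonstration.

```python
import re
from dataclasses import dataclass


@dataclass
class Aci:
    """Minimal model of one ACI: the attributes it targets and its effect."""
    name: str
    attr_expr: str   # "a", "!=a" or "*"
    effect: str      # "allow" or "deny"

    def matches(self, attr: str) -> bool:
        if self.attr_expr == "*":
            return True
        if self.attr_expr.startswith("!="):
            return attr != self.attr_expr[2:]
        return attr == self.attr_expr


def parse_aci(text: str) -> Aci:
    """Parse the reduced form: (targetattr!="a")(version 3.0; acl "n"; allow (read) ...)."""
    m = re.search(r'targetattr\s*(!=|=)\s*"?([^")]+)"?', text)
    n = re.search(r'acl\s+"([^"]+)"', text)
    e = re.search(r';\s*(allow|deny)\s*\(', text)
    if not (m and n and e):
        raise ValueError(f"unparseable ACI: {text}")
    expr = ("!=" if m.group(1) == "!=" else "") + m.group(2).strip()
    return Aci(n.group(1), expr, e.group(1))


def access_allowed(acis, attr: str) -> bool:
    """Rules are ORed: any matching allow grants access, unless a matching deny wins (assumed deny precedence)."""
    hits = [a for a in acis if a.matches(attr)]
    if any(a.effect == "deny" for a in hits):
        return False
    return any(a.effect == "allow" for a in hits)


def effective_attrs(aci_texts, attrs):
    """Return the sorted subset of attrs that the given ACIs leave readable."""
    acis = [parse_aci(t) for t in aci_texts]
    return sorted(x for x in attrs if access_allowed(acis, x))


ATTRS = ["a", "b", "c"]   # constructed attribute names, as in the guide's example

# The discouraged form: two negated allows, which together expose every attribute.
NEGATED_ALLOW = [
    '(targetattr!="a")(version 3.0; acl "acl1"; allow (read) userdn="ldap:///anyone";)',
    '(targetattr!="b")(version 3.0; acl "acl2"; allow (read) userdn="ldap:///anyone";)',
]

# The recommended form: explicit denies on a and b over a constructed allow-all baseline.
EXPLICIT_DENY = [
    '(targetattr="*")(version 3.0; acl "base"; allow (read) userdn="ldap:///anyone";)',
    '(targetattr="a")(version 3.0; acl "acl1"; deny (read) userdn="ldap:///anyone";)',
    '(targetattr="b")(version 3.0; acl "acl2"; deny (read) userdn="ldap:///anyone";)',
]
```

effective_attrs(NEGATED_ALLOW, ATTRS) returns ["a", "b", "c"], whereas effective_attrs(EXPLICIT_DENY, ATTRS) returns ["c"].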
3.2.1. Targeting a Directory Entry
To target a directory entry (and the entries below it), you must use the target keyword. The
target keyword can accept a value of the following format:
target="ldap:///distinguished_name"
This identifies the distinguished name of the entry to which the access control rule applies. For
example:
(target = "ldap:///uid=bjensen,dc=example,dc=com")
NOTE
If the DN of the entry to which the access control rule applies contains a comma,
escape the comma with a single backslash (\), such as