Red Hat Directory Server 8.0 Administrator's Guide

the targeted entries. This is useful to deny or allow access to partial information about an entry.
For example, you could allow access to only the common name, surname, and telephone
number attributes of a given entry while denying access to sensitive information such as
passwords.
You can specify that the target is equal or is not equal to a specific attribute. The attributes you
supply do not need to be defined in the schema. This absence of schema checking makes it
possible to implement an access control policy when you set up your directory service for the
first time, even if the ACLs you create do not yet apply to the current directory content. The
same absence of checking means that a misspelled attribute name is accepted without error and
simply never matches, so review targetattr values carefully: a misspelled name in an allow rule
grants nothing, and one in a deny rule denies nothing.
To target attributes, use the targetattr keyword. The keyword uses the following syntax:
(targetattr = "attribute")
You can target multiple attributes by using the targetattr keyword with the following syntax:
(targetattr = "attribute1 || attribute2 ...|| attributen")
attributeX is the name of the targeted attribute. For example, this targets the common name (cn)
attribute:
(targetattr = "cn")
To target an entry's common name, surname, and UID attributes, use the following:
(targetattr = "cn || sn || uid")
The attributes specified in the targetattr keyword apply to the entry that the ACI is targeting
and to all the entries below it. If you target the password attribute on the entry
uid=bjensen,ou=Marketing,dc=example,dc=com, only the password attribute on the bjensen
entry is affected by the ACI because it is a leaf entry.
If, however, you target the tree's branch point ou=Marketing,dc=example,dc=com, then all the
entries beneath the branch point that can contain a password attribute are affected by the ACI.
3.2.3. Targeting Both an Entry and Attributes
By default, the entry targeted by an ACI containing a targetattr keyword is the entry on which
the ACI is placed. That is, putting an ACI such as
aci: (targetattr = "uid")(access_control_rules;)
on the ou=Marketing,dc=example,dc=com entry means that the ACI applies to the entire
Marketing subtree. However, you can also explicitly specify a target using the target keyword:
aci: (target="ldap:///ou=Marketing,dc=example,dc=com")(targetattr="uid")(access_control_rules;)
The entry named by target must be the entry holding the ACI or one of the entries beneath it;
an ACI cannot reach outside the subtree of the entry on which it is stored.
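The scoping rules above (attributes named with targetattr, the || list form, the != form, and a target that defaults to the entry holding the ACI plus everything beneath it) are easy to get wrong when reading a long ACI by eye. The following evaluator is an added example, not code from the Red Hat guide or from Directory Server itself: given an ACI string, the DN it is placed on, an entry DN and an attribute name, it answers whether that attribute on that entry is within the ACI's target. It handles only the target and targetattr keywords discussed here and uses a simplified DN comparison; the KNOWN_ATTRS list and the sample ACIs are constructed for the example and flag names the server would accept without schema checking.

```python
"""Scope check for Directory Server ACI targets (added example, not RHDS code).

Answers: does this ACI's target/targetattr cover attribute A on entry E?
Only the target and targetattr keywords are interpreted; the rest of the ACI
(version, acl name, permissions, bind rules) is ignored.  DN comparison is a
simplified case-insensitive RDN-by-RDN match, not full RFC 4514 normalisation.
"""
import re

# Assumption: a minimal attribute list used only to warn about names that the
# server would accept unchecked.  This is not an official RHDS schema.
KNOWN_ATTRS = {"cn", "sn", "uid", "telephonenumber", "userpassword", "mail"}


def split_dn(dn: str) -> list:
    """Split a DN into lowercased RDN strings.  Unescaped commas only."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def is_within(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn equals base_dn or lies beneath it in the tree."""
    e, b = split_dn(entry_dn), split_dn(base_dn)
    return len(e) >= len(b) and e[len(e) - len(b):] == b


def parse_aci(aci: str, placed_on: str) -> dict:
    """Extract target and targetattr from an ACI string.

    placed_on is the DN of the entry carrying the aci attribute; it becomes the
    target when no explicit target keyword is present (the default described in
    the guide).  Returns target DN, the attribute set (None = no targetattr
    clause, i.e. all attributes), whether the clause used !=, and the names not
    found in KNOWN_ATTRS.
    """
    m = re.search(r'\(\s*target\s*=\s*"ldap:///([^"]*)"\s*\)', aci, re.I)
    target = m.group(1) if m else placed_on
    m = re.search(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)', aci, re.I)
    if m is None:
        return {"target": target, "attrs": None, "negated": False, "unknown": set()}
    negated = m.group(1) == "!="
    attrs = {a.strip().lower() for a in m.group(2).split("||") if a.strip()}
    # The server performs no schema check, so a typo here silently matches nothing.
    unknown = attrs - KNOWN_ATTRS - {"*"}
    return {"target": target, "attrs": attrs, "negated": negated, "unknown": unknown}


def attr_in_scope(aci: str, placed_on: str, entry_dn: str, attr: str) -> bool:
    """Does the ACI's target plus targetattr cover attr on entry_dn?"""
    p = parse_aci(aci, placed_on)
    if not is_within(entry_dn, p["target"]):
        return False
    if p["attrs"] is None:
        return True
    hit = "*" in p["attrs"] or attr.lower() in p["attrs"]
    return (not hit) if p["negated"] else hit


# Constructed sample ACIs for the example; the bind rules are illustrative.
ACI_LEAF = ('(targetattr = "userPassword")'
            '(version 3.0; acl "pw"; deny (read) userdn = "ldap:///anyone";)')
ACI_BRANCH = ('(target="ldap:///ou=Marketing,dc=example,dc=com")'
              '(targetattr="cn || sn || telephoneNumber")'
              '(version 3.0; acl "contact"; allow (read,search) userdn = "ldap:///anyone";)')
ACI_NOT_PW = ('(targetattr != "userPassword")'
              '(version 3.0; acl "all-but-pw"; allow (read) userdn = "ldap:///anyone";)')

if __name__ == "__main__":
    bjensen = "uid=bjensen,ou=Marketing,dc=example,dc=com"
    marketing = "ou=Marketing,dc=example,dc=com"
    # Placed on the leaf: only bjensen's own userPassword is covered.
    print(attr_in_scope(ACI_LEAF, bjensen, bjensen, "userPassword"))                 # True
    print(attr_in_scope(ACI_LEAF, bjensen, "uid=other," + marketing, "userPassword"))  # False
    # Placed on the branch point: every entry beneath ou=Marketing is covered.
    print(attr_in_scope(ACI_LEAF, marketing, bjensen, "userPassword"))               # True
    # Explicit target overrides the placement DN; unlisted attributes stay out.
    print(attr_in_scope(ACI_BRANCH, "dc=example,dc=com", bjensen, "sn"))             # True
    print(attr_in_scope(ACI_BRANCH, "dc=example,dc=com", bjensen, "userPassword"))   # False
    # != targets every attribute except the named one.
    print(attr_in_scope(ACI_NOT_PW, marketing, bjensen, "cn"))                       # True
    print(parse_aci('(targetattr="cn || telephonNumber")', marketing)["unknown"])    # {'telephonnumber'}
```

The unknown set is the check worth running over any ACI you are about to add: because the server accepts any attribute name, the only place a typo will ever surface is a review like this, or a later audit finding that the attribute you meant to protect was never targeted.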