Red Hat Directory Server 8.0 Administrator's Guide
The order in which you specify the target and the targetattr keywords is not important.
3.2.4. Targeting Entries or Attributes Using LDAP Filters
You can use LDAP filters to target a group of entries that match certain criteria. To do this, you
must use the targetfilter keyword with an LDAP filter. The syntax of the targetfilter
keyword is as follows:
(targetfilter = "LDAP_filter")
LDAP_filter is a standard LDAP search filter. For more information on the syntax of LDAP
search filters, see Appendix B, Finding Directory Entries.
For example, suppose that all entries in the accounting department include the attribute-value
pair ou=accounting, and all entries in the engineering department include the attribute-value
pair ou=engineering. The following filter targets all the entries in the accounting and
engineering branches of the directory tree:
(targetfilter = "(|(ou=accounting)(ou=engineering))")
This type of filter targets whole entries. You can associate the targetfilter and the
targetattr keywords to create ACIs that apply to a subset of attributes in the targeted entries.
The following LDIF example allows members of the Engineering Admins group to modify the
departmentNumber and manager attributes of all entries in the Engineering business category.
This example uses LDAP filtering to select all entries with businessCategory attributes set to
Engineering:
dn: dc=example,dc=com
objectClass: top
objectClass: organization
aci: (targetattr="departmentNumber || manager")
  (targetfilter="(businessCategory=Engineering)")
  (version 3.0; acl "eng-admins-write"; allow (write)
  groupdn ="ldap:///cn=Engineering Admins, dc=example,dc=com";)
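As an added example (not from the guide), the following Python models how the targetfilter and targetattr keywords combine: the filter selects whole entries, and the attribute list narrows the ACI to specific attributes within them. The sample entries are constructed, the ACI string is the one from the LDIF above folded onto one line, and the filter evaluator handles only equality, presence, &, | and !.

```python
import re
# Constructed sample entries (not from the guide): {attribute: [values]}.
ALICE = {"businessCategory": ["Engineering"], "departmentNumber": ["42"]}
CAROL = {"businessCategory": ["Accounting"], "departmentNumber": ["7"]}
DAVE = {"departmentNumber": ["9"]}  # no businessCategory, so outside the filter
# The ACI from the LDIF above, folded onto one line as the server stores it.
ACI = ('(targetattr="departmentNumber || manager")'
       '(targetfilter="(businessCategory=Engineering)")'
       '(version 3.0; acl "eng-admins-write"; allow (write) '
       'groupdn ="ldap:///cn=Engineering Admins, dc=example,dc=com";)')

def parse_aci_targets(aci):
    """Return (attribute list, filter string) from an ACI; '*' means all attributes."""
    attrs = re.search(r'\(targetattr\s*=\s*"([^"]*)"\)', aci)
    filt = re.search(r'\(targetfilter\s*=\s*"([^"]*)"\)', aci)
    attr_list = [a.strip().lower() for a in attrs.group(1).split("||")] if attrs else ["*"]
    return attr_list, (filt.group(1) if filt else None)

def split_components(body):
    """Split '(a)(b)(c)' into ['(a)', '(b)', '(c)'] by tracking parenthesis depth."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            start = i if depth == 0 else start
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(body[start:i + 1])
    return parts

def matches(filt, entry):
    """Evaluate a filter (equality, presence '*', &, |, ! only) against one entry."""
    body = filt.strip()[1:-1]  # drop the outer parentheses
    if body[0] == "&":
        return all(matches(p, entry) for p in split_components(body[1:]))
    if body[0] == "|":
        return any(matches(p, entry) for p in split_components(body[1:]))
    if body[0] == "!":
        return not matches(body[1:], entry)
    name, _, value = body.partition("=")
    lowered = {k.lower(): [v.lower() for v in vals] for k, vals in entry.items()}
    values = lowered.get(name.strip().lower(), [])
    return bool(values) if value == "*" else value.lower() in values

def aci_covers(aci, entry, attr):
    """True when the ACI's target (filter plus attribute list) reaches `attr` of `entry`."""
    attr_list, filt = parse_aci_targets(aci)
    return (not filt or matches(filt, entry)) and ("*" in attr_list or attr.lower() in attr_list)
```

Adding businessCategory=Engineering to an entry that lacked it brings that entry into the ACI's scope, which is the unpredictability the TIP below warns about.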
TIP
Although using LDAP filters can be useful when you are targeting entries and
attributes that are spread across the directory, the results are sometimes
unpredictable because filters do not directly name the object for which you are
managing access. The set of entries targeted by a filtered ACI is likely to change
as attributes are added or deleted. Therefore, if you use LDAP filters in ACIs, you
Chapter 6. Managing Access Control