Red Hat Directory Server 8.0 Administrator's Guide

except the superAdmin role. It also allows users to add a telephone number with a 123 prefix.
NOTE
You cannot create value-based ACIs from the Directory Server Console.
3.2.6. Targeting a Single Directory Entry
Targeting a single directory entry is not straightforward because it goes against the design
philosophy of the access control mechanism. However, it can be done in either of two ways:
By creating a bind rule that matches user input in the bind request with an attribute value
stored in the targeted entry. For more details, see Section 4.5, “Defining Access Based on
Value Matching”.
By using the targetattr and targetfilter keywords.
You can use the targetattr keyword to name an attribute that is present only in the entry you
want to target and in none of the entries below it. For example, to target
ou=people,dc=example,dc=com when no other organizational units (ou) are defined below that
node, you could specify an ACI that contains targetattr=ou: the ou attribute then occurs in that
one entry alone, so the ACI has no effect on any other entry.
A safer method is to use the targetfilter keyword and explicitly specify an attribute value that
appears only in the entry you want to target. For example, during the installation of the
Directory Server, the following ACI is created:
aci: (targetattr="*")(targetfilter=(o=NetscapeRoot))(version 3.0;
acl "Default anonymous access"; allow (read, search)
userdn="ldap:///anyone";)
This ACI can apply only to the o=NetscapeRoot entry.
The risk associated with both methods is that your directory tree might change in the future: an
entry added later that carries the same attribute or the same attribute value falls within the
scope of the ACI, and you would have to remember to modify the ACI.
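To make the scoping behaviour of the two methods concrete, the following is an added example
(it is not part of the Directory Server guide and does not use the server's own code): a small
evaluator that lists which entries of a constructed sample tree an ACI target clause reaches,
first for targetattr=ou, then for targetfilter=(o=NetscapeRoot), and then again after an
administrator adds entries the ACI author did not anticipate. The sample entries, the filter
subset (equality tests combined with &, | and !) and the model of targetattr as "the entry
carries at least one of the listed attributes" are simplifying assumptions made for this
illustration, not a full description of Directory Server behaviour.

```python
"""Added example, not from the Red Hat Directory Server guide: which entries does an ACI
target clause reach, and how does that change when the tree grows?

Assumptions made for this illustration:
- Entries are dicts mapping lower-cased attribute names to value lists; the DN is stored
  under the key "dn".
- Filters support equality tests and &, |, ! combinations only (enough for the guide's
  (o=NetscapeRoot) example); values are compared case-insensitively.
- "targetattr reaches an entry" is modelled as "the entry carries at least one of the
  listed attributes", the property the guide's targetattr trick relies on.
"""
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]

# Constructed sample tree. The suffix and o=NetscapeRoot follow the guide's text; the
# individual entries are invented.
TREE: List[Entry] = [
    {"dn": ["dc=example,dc=com"], "objectclass": ["domain"], "dc": ["example"]},
    {"dn": ["ou=people,dc=example,dc=com"], "objectclass": ["organizationalunit"], "ou": ["people"]},
    {"dn": ["uid=jdoe,ou=people,dc=example,dc=com"], "objectclass": ["inetorgperson"],
     "uid": ["jdoe"], "cn": ["Jane Doe"]},
    {"dn": ["o=NetscapeRoot"], "objectclass": ["organization"], "o": ["NetscapeRoot"]},
]

# Constructed entries an administrator might add later, after the ACIs were written.
LATER_OU: Entry = {"dn": ["ou=sales,ou=people,dc=example,dc=com"],
                   "objectclass": ["organizationalunit"], "ou": ["sales"]}
LATER_ORG: Entry = {"dn": ["o=NetscapeRoot,dc=example,dc=com"],
                    "objectclass": ["organization"], "o": ["NetscapeRoot"]}


def _parse(s: str, i: int) -> Tuple[tuple, int]:
    """Parse one parenthesised filter component starting at s[i]; return (node, next index)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i} in {s!r}")
    if s[i + 1] in "&|!":
        op = s[i + 1]
        i += 2
        kids = []
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"unterminated {op} filter in {s!r}")
        if op == "!" and len(kids) != 1:
            raise ValueError("NOT takes exactly one component")
        return (op, kids), i + 1
    end = s.index(")", i)
    attr, sep, value = s[i + 1:end].partition("=")
    if not sep or not attr.strip():
        raise ValueError(f"only equality filters are supported: {s[i:end + 1]!r}")
    return ("=", attr.strip().lower(), value.strip()), end + 1


def _eval(entry: Entry, node: tuple) -> bool:
    if node[0] == "=":
        _, attr, value = node
        return any(v.lower() == value.lower() for v in entry.get(attr, []))
    op, kids = node
    if op == "&":
        return all(_eval(entry, k) for k in kids)
    if op == "|":
        return any(_eval(entry, k) for k in kids)
    return not _eval(entry, kids[0])


def matches_filter(entry: Entry, flt: str) -> bool:
    """True if the entry satisfies the (simplified) LDAP filter string."""
    flt = flt.strip()
    node, end = _parse(flt, 0)
    if end != len(flt):
        raise ValueError(f"trailing data after filter: {flt!r}")
    return _eval(entry, node)


def entries_in_scope(tree: List[Entry], targetattr: str = "*",
                     targetfilter: Optional[str] = None) -> List[str]:
    """DNs of the entries whose attributes the ACI's target clause can affect.

    targetattr uses the Directory Server list syntax ("ou", "cn || sn", or "*" for all);
    targetfilter is an LDAP filter string or None.
    """
    wanted = None if targetattr == "*" else {a.strip().lower() for a in targetattr.split("||")}
    reached = []
    for entry in tree:
        attrs = set(entry) - {"dn"}
        if wanted is not None and not (wanted & attrs):
            continue  # the ACI names no attribute this entry carries, so it cannot affect it
        if targetfilter is not None and not matches_filter(entry, targetfilter):
            continue
        reached.append(entry["dn"][0])
    return reached


if __name__ == "__main__":
    print("targetattr=ou, original tree:", entries_in_scope(TREE, targetattr="ou"))
    print("targetattr=ou, after adding ou=sales:", entries_in_scope(TREE + [LATER_OU], targetattr="ou"))
    print("targetfilter=(o=NetscapeRoot), original:", entries_in_scope(TREE, targetfilter="(o=NetscapeRoot)"))
    print("targetfilter=(o=NetscapeRoot), after a second o=NetscapeRoot entry:",
          entries_in_scope(TREE + [LATER_ORG], targetfilter="(o=NetscapeRoot)"))
```

Both targeting methods pin the ACI to an attribute or a value, never to a DN, so the scope is
whatever currently satisfies that condition: in the sample tree each ACI reaches exactly one
entry, and each reaches two as soon as a later entry repeats the ou attribute or the
o=NetscapeRoot value. After any change to the tree, re-evaluating the targetfilter as a search
filter against the suffix lists the entries the ACI now covers, which is the check to run before
trusting a "single entry" ACI again.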
3.3. Defining Permissions
Permissions specify the type of access you are allowing or denying. You can either allow or
deny permission to perform specific operations in the directory. The various operations that can
be assigned are known as rights.
There are two parts to setting permissions:
Allowing or denying access
Chapter 6. Managing Access Control