Red Hat Directory Server 8.0 Administrator's Guide
4.3. Defining Group Access - groupdn Keyword
Members of a specific group can access a targeted resource. This is known as group access.
Group access is defined using the groupdn keyword to specify that access to a targeted entry is
granted or denied if the user binds using a DN that belongs to a specific group.
The groupdn keyword requires one or more valid distinguished names in the following format:
groupdn="ldap:///dn [|| ldap:///dn]...[|| ldap:///dn]"
The bind rule is evaluated to be true if the bind DN belongs to the named group.
NOTE
If a DN contains a comma, the comma must be escaped by a backslash (\).
From the Directory Server Console, you can define specific groups using the Access Control
Editor. For more information, see Section 5, “Creating ACIs from the Console”.
Scenario: Groupdn keyword containing an LDAP URL
Example:
    groupdn = "ldap:///cn=Administrators,dc=example,dc=com";
Description: The bind rule is evaluated to be true if the bind DN belongs to the Administrators group. If you wanted to grant the Administrators group permission to write to the entire directory tree, you would create the following ACI on the dc=example,dc=com node:
    aci: (version 3.0; acl "Administrators-write"; allow (write)
    groupdn="ldap:///cn=Administrators,dc=example,dc=com";)

Scenario: Groupdn keyword containing logical OR of LDAP URLs
Example:
    groupdn = "ldap:///cn=Administrators,dc=example,dc=com" || "ldap:///cn=Mail Administrators,dc=example,dc=com";
Description: The bind rule is evaluated to be true if the bind DN belongs to either the Administrators or the Mail Administrators group.

Table 6.5. groupdn Examples
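As an added illustration (not code from Directory Server or from this guide), the following Python script models how a groupdn bind rule is read and evaluated: it splits the value on "||", accepts both spellings used above (one quoted string of URLs, or each URL quoted separately), treats a backslash-escaped comma as part of an RDN value as the NOTE requires, and then checks the bind DN against a constructed in-memory group table. The group table, the user DNs and the "Sales\, EMEA" group are all made up for this example; real ACI evaluation also applies targets, deny precedence and nested group membership, none of which this simplified model covers.

```python
import re

# Constructed in-memory directory for this example: group DN -> member DNs.
# It stands in for real group entries (whose members live in attributes such
# as uniqueMember); nothing here comes from an actual server.
SAMPLE_GROUPS = {
    "cn=Administrators,dc=example,dc=com": {
        "uid=alice,ou=People,dc=example,dc=com",
    },
    "cn=Mail Administrators,dc=example,dc=com": {
        "uid=bob,ou=People,dc=example,dc=com",
    },
    # Group whose cn contains a comma, written with the backslash escape
    # the guide's NOTE requires.
    r"cn=Sales\, EMEA,ou=Groups,dc=example,dc=com": {
        "uid=carol,ou=People,dc=example,dc=com",
    },
}


def split_unescaped(text, sep=","):
    """Split text on sep, leaving backslash-escaped separators inside a part."""
    parts, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):   # keep the escape pair together
            current.append(text[i:i + 2])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def normalize_dn(dn):
    """Canonical form for comparison: RDNs trimmed and case-folded, escapes kept."""
    rdns = []
    for rdn in split_unescaped(dn.strip()):
        attr, eq, value = rdn.strip().partition("=")
        if not eq or not attr.strip():
            # An RDN without 'type=value' usually means an unescaped comma
            # split a value in two (see the NOTE on escaping commas).
            raise ValueError(f"malformed RDN {rdn!r} in DN {dn!r}")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


GROUPDN_RE = re.compile(r"groupdn\s*=\s*(?P<urls>[^;]+)", re.IGNORECASE)


def parse_groupdn(bind_rule):
    """Return the normalized group DNs named by a groupdn bind rule.

    Accepts both spellings that appear in the guide:
      groupdn = "ldap:///dn1 || ldap:///dn2"      (one quoted string)
      groupdn = "ldap:///dn1" || "ldap:///dn2"    (each URL quoted separately)
    """
    m = GROUPDN_RE.search(bind_rule)
    if not m:
        raise ValueError(f"not a groupdn bind rule: {bind_rule!r}")
    group_dns = []
    for url in m.group("urls").split("||"):
        url = url.strip().strip('"').strip()
        if not url.lower().startswith("ldap:///"):
            raise ValueError(f"groupdn value must be an ldap:/// URL: {url!r}")
        group_dns.append(normalize_dn(url[len("ldap:///"):]))
    return group_dns


def bind_rule_matches(bind_dn, group_dns, groups=SAMPLE_GROUPS):
    """True if bind_dn is a direct member of any of the named groups."""
    bound = normalize_dn(bind_dn)
    members = {normalize_dn(g): {normalize_dn(m) for m in ms} for g, ms in groups.items()}
    return any(bound in members.get(g, set()) for g in group_dns)


ACI_RE = re.compile(
    r'\(version\s+3\.0\s*;\s*acl\s+"(?P<name>[^"]*)"\s*;\s*'
    r'(?P<effect>allow|deny)\s*\((?P<perms>[^)]*)\)\s*(?P<rule>[^;]+);\s*\)',
    re.IGNORECASE,
)


def evaluate_aci(aci, bind_dn, groups=SAMPLE_GROUPS):
    """Apply an ACI whose bind rule is a single groupdn clause to a bind DN.

    Returns (acl name, effect, permissions) when the bind rule matches, else None.
    Simplification: targets, deny precedence and nested groups are not modelled.
    """
    m = ACI_RE.search(aci)
    if not m:
        raise ValueError("unsupported ACI syntax for this example")
    if not bind_rule_matches(bind_dn, parse_groupdn(m.group("rule")), groups):
        return None
    perms = frozenset(p.strip().lower() for p in m.group("perms").split(","))
    return m.group("name"), m.group("effect").lower(), perms


if __name__ == "__main__":
    aci = ('aci: (version 3.0; acl "Administrators-write"; allow (write)\n'
           ' groupdn="ldap:///cn=Administrators,dc=example,dc=com";)')
    for user in ("alice", "bob"):
        print(user, evaluate_aci(aci, f"uid={user},ou=People,dc=example,dc=com"))
```

Run stand-alone, the script reports that alice (a member of cn=Administrators) is granted write by the Administrators-write ACI while bob is not. Feeding it a DN with an unescaped comma in a value raises a ValueError from normalize_dn, which is the failure mode the NOTE warns about: the comma is read as an RDN separator and the group name no longer matches anything.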
4.4. Defining Role Access - roledn Keyword
Members of a specific role can access a targeted resource. This is known as role access. Role
access is defined using the roledn keyword to specify that access to a targeted entry is granted
Chapter 6. Managing Access Control