Red Hat Directory Server 8.0 Administrator's Guide
or denied if the user binds using a DN that belongs to a specific role.
The roledn keyword requires one or more valid distinguished names in the following format :
roledn = "ldap:///dn [|| ldap:///dn]... [|| ldap:///dn]"
The bind rule is evaluated to be true if the bind DN belongs to the specified role.
NOTE
If a DN contains a comma, the comma must be escaped by a backslash (\).
The roledn keyword has the same syntax and is used in the same way as the groupdn
keyword.
4.5. Defining Access Based on Value Matching
You can set bind rules to specify that an attribute value of the entry used to bind to the directory
must match an attribute value of the targeted entry.
For example, you can specify that the bind DN must match the DN in the manager attribute of a
user entry in order for the ACI to apply. In this case, only the user's manager would have access
to the entry.
This example is based on DN matching. However, you can match any attribute of the entry used
in the bind with the targeted entry. For example, you could create an ACI that allowed any user
whose favoriteDrink attribute is beer to read all the entries of other users that have the same
value for favoriteDrink.
4.5.1. Using the userattr Keyword
The userattr keyword can be used to specify which attribute values must match between the
entry used to bind and the targeted entry. You can specify any of the following:
• A user DN
• A group DN
• A role DN
• An LDAP filter, in an LDAP URL
• Any attribute type
The LDIF syntax of the userattr keyword is as follows:
Defining Access Based on Value Matching
191