Red Hat Directory Server 8.0 Administrator's Guide
userattr = "attrName#bindType"
Using an attribute type that requires a value other than a user DN, group DN, role DN, or an
LDAP filter has the following format:
userattr = "attrName#attrValue"
• attrName is the name of the attribute in the targeted entry whose value is used for matching.
• bindType is USERDN, GROUPDN, ROLEDN, or LDAPURL.
• attrValue is any string representing an attribute value.
4.5.1.1. Example with USERDN Bind Type
The following associates the userattr keyword with a bind based on the user DN:
userattr = "manager#USERDN"
The bind rule is evaluated to be true if the bind DN matches the value of the manager attribute in
the targeted entry. You can use this to allow a user's manager to modify that user's attributes.
This mechanism only works if the manager attribute in the targeted entry holds a full DN; if it
holds anything else, such as a bare user ID, the bind rule never matches.
The following example grants a manager full access to his or her employees' entries:
aci: (target="ldap:///dc=example,dc=com")(targetattr=*)
(version 3.0; acl "manager-write"; allow (all) userattr = "manager#USERDN";)
4.5.1.2. Example with GROUPDN Bind Type
The following associates the userattr keyword with a bind based on a group DN:
userattr = "owner#GROUPDN"
The bind rule is evaluated to be true if the bind DN is a member of the group specified in the
owner attribute of the targeted entry. For example, you can use this mechanism to allow a group
to manage employees' status information. You can use an attribute other than owner as long as
the attribute you use contains the DN of a group entry.
The group you point to can be a dynamic group, and the DN of the group can be under any
suffix in the database. However, the evaluation of this type of ACI by the server is very resource
Chapter 6. Managing Access Control
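To make the evaluation rules for both bind types above concrete, here is an added example, not code from this guide or from the Directory Server itself: a small in-memory model of how a server evaluates userattr = "manager#USERDN" and userattr = "owner#GROUPDN" against a targeted entry. The entries, DNs, group names and the departmentNumber filter are constructed sample data; the DN syntax check and the memberURL matcher are deliberately simplified (equality filters only). It shows the two caveats from the text: a manager value that is not a full DN never matches, and a GROUPDN rule works for static and dynamic groups alike.

```python
"""Model of how Directory Server evaluates userattr bind rules against a target entry.
Added illustration, not the product's code. DIRECTORY below is constructed sample data;
the DN check and memberURL matcher are simplified (equality filters only)."""
import re
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]

# Constructed in-memory directory: DN -> attributes (multi-valued, as in LDAP).
DIRECTORY: Dict[str, Entry] = {
    "uid=jdoe,ou=People,dc=example,dc=com": {
        "manager": ["uid=bjensen,ou=People,dc=example,dc=com"],
        "owner": ["cn=HR Managers,ou=Groups,dc=example,dc=com"],
        "departmentNumber": ["1000"],
    },
    "uid=rsmith,ou=People,dc=example,dc=com": {
        "manager": ["bjensen"],  # a uid, not a DN: USERDN can never match this value
        "owner": ["cn=Engineering Leads,ou=Groups,dc=example,dc=com"],
        "departmentNumber": ["2000"],
    },
    "uid=bjensen,ou=People,dc=example,dc=com": {"departmentNumber": ["1000"]},
    "uid=tlee,ou=People,dc=example,dc=com": {"departmentNumber": ["2000"]},
    # Static group: members listed explicitly.
    "cn=HR Managers,ou=Groups,dc=example,dc=com": {
        "uniqueMember": ["uid=bjensen,ou=People,dc=example,dc=com"],
    },
    # Dynamic group: membership defined by an LDAP URL with a filter.
    "cn=Engineering Leads,ou=Groups,dc=example,dc=com": {
        "memberURL": ["ldap:///ou=People,dc=example,dc=com??sub?(departmentNumber=2000)"],
    },
}

def normalize_dn(dn: str) -> str:
    """DNs compare case-insensitively and ignore whitespace around RDN separators."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def is_dn(value: str) -> bool:
    """Simplified check that a value is a full DN (every RDN is attr=value)."""
    return all(re.fullmatch(r"\s*[A-Za-z][\w.-]*=.+", rdn) for rdn in value.split(","))

def get_entry(dn: str) -> Optional[Entry]:
    want = normalize_dn(dn)
    return next((a for edn, a in DIRECTORY.items() if normalize_dn(edn) == want), None)

def get_values(entry: Entry, attr: str) -> List[str]:
    """Attribute names are case-insensitive in LDAP."""
    return [v for name, vals in entry.items() if name.lower() == attr.lower() for v in vals]

MEMBER_URL = re.compile(r"ldap:///([^?]*)\?[^?]*\?(base|one|sub)?\?\((\w+)=([^)]*)\)")

def matches_member_url(bind_dn: str, url: str) -> bool:
    """Dynamic-group test: bind_dn inside the URL's base/scope and its entry matches the filter."""
    m = MEMBER_URL.fullmatch(url)
    if not m:
        return False  # only simple equality filters are modelled here
    base, scope, attr, value = m.group(1), m.group(2) or "sub", m.group(3), m.group(4)
    nbind, nbase = normalize_dn(bind_dn), normalize_dn(base)
    if scope == "base":
        in_scope = nbind == nbase
    elif scope == "one":
        in_scope = nbind.endswith("," + nbase) and "," not in nbind[: -len(nbase) - 1]
    else:
        in_scope = nbind == nbase or nbind.endswith("," + nbase)
    entry = get_entry(bind_dn)
    return bool(in_scope and entry and value.lower() in (v.lower() for v in get_values(entry, attr)))

def in_group(bind_dn: str, group_dn: str) -> bool:
    """Membership in a static (member/uniqueMember) or dynamic (memberURL) group."""
    group = get_entry(group_dn)
    if group is None:
        return False
    nbind = normalize_dn(bind_dn)
    if any(normalize_dn(m) == nbind for a in ("member", "uniqueMember") for m in get_values(group, a)):
        return True
    return any(matches_member_url(bind_dn, url) for url in get_values(group, "memberURL"))

def userattr_matches(target_dn: str, bind_dn: str, rule: str) -> bool:
    """Evaluate userattr = "attrName#bindType" for one targeted entry (USERDN and GROUPDN only)."""
    attr_name, bind_type = rule.split("#", 1)
    target = get_entry(target_dn)
    if target is None:
        return False
    for value in get_values(target, attr_name):
        if not is_dn(value):
            continue  # the attribute must hold a full DN, otherwise the rule cannot match
        if bind_type.upper() == "USERDN" and normalize_dn(value) == normalize_dn(bind_dn):
            return True
        if bind_type.upper() == "GROUPDN" and in_group(bind_dn, value):
            return True
    return False

if __name__ == "__main__":
    jdoe, rsmith = "uid=jdoe,ou=People,dc=example,dc=com", "uid=rsmith,ou=People,dc=example,dc=com"
    bjensen, tlee = "uid=bjensen,ou=People,dc=example,dc=com", "uid=tlee,ou=People,dc=example,dc=com"
    print("manager#USERDN bjensen->jdoe  :", userattr_matches(jdoe, bjensen, "manager#USERDN"))
    print("manager#USERDN bjensen->rsmith:", userattr_matches(rsmith, bjensen, "manager#USERDN"))
    print("owner#GROUPDN  bjensen->jdoe  :", userattr_matches(jdoe, bjensen, "owner#GROUPDN"))
    print("owner#GROUPDN  tlee->rsmith   :", userattr_matches(rsmith, tlee, "owner#GROUPDN"))
```

The rule is evaluated per targeted entry, which is why the model takes the target DN as input: the same bind DN can pass for one employee entry and fail for another depending on what that entry's manager or owner attribute holds. On a real server the equivalent check happens for every entry the ACI targets, which is the source of the cost mentioned for GROUPDN over large subtrees.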