Red Hat Directory Server 8.0 Administrator's Guide
intensive.
If you are using static groups that are under the same suffix as the targeted entry, you can use
the following expression:
userattr = "ldap:///dc=example,dc=com?owner#GROUPDN"
In this example, the group entry is under the dc=example,dc=com suffix. The server can
process this type of syntax more quickly than the previous example.
(By default, owner is not an allowed attribute in a user's entry. You would have to extend your
schema to allow this attribute in a person object.)
4.5.1.3. Example with ROLEDN Bind Type
The following associates the userattr keyword with a bind based on a role DN:
userattr = "exampleEmployeeReportsTo#ROLEDN"
The bind rule is evaluated to be true if the bind DN belongs to the role specified in the
exampleEmployeeReportsTo attribute of the targeted entry. For example, if you create a nested
role for all managers in your company, you can use this mechanism to grant managers at all
levels access to information about employees that are at a lower grade than themselves.
NOTE
This example assumes that you have added the
exampleEmployeeReportsTo attribute to the schema and that all employee
entries contain this attribute. It also assumes that the value of this attribute is the
DN of a role entry. For information on adding attributes to the schema, see
Section 2.2, “Creating Attributes”.
The DN of the role can be under any suffix in the database. If you are also using filtered roles,
the evaluation of this type of ACI uses a lot of resources on the server.
If you are using a static role definition and the role entry is under the same suffix as the targeted
entry, you can use the following expression:
userattr = "ldap:///dc=example,dc=com?employeeReportsTo#ROLEDN"
In this example, the role entry is under the dc=example,dc=com suffix. The server can process
this type of syntax more quickly than the previous example.
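The following is an added example, not code from this guide or from Directory Server itself: a small model of how the GROUPDN and ROLEDN forms of the userattr bind rule shown above are evaluated, including the difference between the plain attr#BINDTYPE form and the ldap:///suffix?attr#BINDTYPE form. It assumes, as Directory Server does, that role membership is visible through the nsRole attribute on a member entry and group membership through member or uniqueMember; the directory contents are constructed sample data.

```python
import re

# Constructed sample directory: DN -> attributes (keys normalised to lowercase).
# Role membership is modelled through the virtual nsRole attribute, group
# membership through member / uniqueMember.
DIRECTORY = {
    "cn=managers,dc=example,dc=com": {"objectclass": ["nsManagedRoleDefinition"]},
    "cn=staff,ou=groups,dc=example,dc=com": {
        "member": ["uid=bjensen,ou=people,dc=example,dc=com"]},
    "cn=outside,dc=other": {"member": ["uid=jsmith,ou=people,dc=other"]},
    "uid=bjensen,ou=people,dc=example,dc=com": {
        "nsrole": ["cn=managers,dc=example,dc=com"]},
    "uid=jsmith,ou=people,dc=other": {},
    # Targeted entry: owner names one group under dc=example,dc=com and one
    # under another suffix; exampleEmployeeReportsTo names a role DN.
    "uid=jdoe,ou=people,dc=example,dc=com": {
        "exampleemployeereportsto": ["cn=managers,dc=example,dc=com"],
        "owner": ["cn=staff,ou=groups,dc=example,dc=com", "cn=outside,dc=other"]},
}

# Accepts "attr#GROUPDN", "attr#ROLEDN" and the "ldap:///suffix?attr#TYPE" form.
RULE = re.compile(
    r"^(?:ldap:///(?P<suffix>[^?]+)\?)?(?P<attr>[^#]+)#(?P<type>GROUPDN|ROLEDN)$")

def norm(dn):
    """Normalise a DN for comparison: lowercase, no whitespace around RDNs."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def under_suffix(dn, suffix):
    return norm(dn) == norm(suffix) or norm(dn).endswith("," + norm(suffix))

def userattr_matches(rule, bind_dn, target_dn, directory=DIRECTORY):
    """True if bind_dn satisfies the userattr rule evaluated against target_dn."""
    m = RULE.match(rule)
    if not m:
        raise ValueError("unsupported userattr syntax: " + rule)
    target = directory.get(norm(target_dn), {})
    for ref_dn in target.get(m["attr"].lower(), []):
        # The ldap:///suffix form only considers referenced DNs under that suffix;
        # the plain form follows the DN wherever it is in the database.
        if m["suffix"] and not under_suffix(ref_dn, m["suffix"]):
            continue
        if m["type"] == "GROUPDN":
            group = directory.get(norm(ref_dn), {})
            members = group.get("member", []) + group.get("uniquemember", [])
            if any(norm(x) == norm(bind_dn) for x in members):
                return True
        else:  # ROLEDN: check the roles the bind entry holds
            roles = directory.get(norm(bind_dn), {}).get("nsrole", [])
            if any(norm(r) == norm(ref_dn) for r in roles):
                return True
    return False
```

Running the scoped rule for the bind DN under dc=other returns False because its group lies outside the suffix, while the unscoped owner#GROUPDN rule for the same bind DN returns True.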
4.5.1.4. Example with LDAPURL Bind Type
Defining Access Based on Value Matching
193