Red Hat Directory Server 8.0 Administrator's Guide

The following associates the userattr keyword with a bind based on an LDAP filter:
userattr = "myfilter#LDAPURL"
The bind rule is evaluated to be true if the bind DN matches the filter specified in the myfilter
attribute of the targeted entry. The myfilter attribute can be replaced by any attribute that
contains an LDAP filter.
4.5.1.5. Example with Any Attribute Value
The following associates the userattr keyword with a bind based on any attribute value:
userattr = "favoriteDrink#Beer"
The bind rule is evaluated to be true if the bind DN and the target DN include the
favoriteDrink attribute with a value of Beer.
4.5.1.6. Using the userattr Keyword with Inheritance
When you use the userattr keyword to associate the entry used to bind with the target entry,
the ACI applies only to the target specified and not to the entries below it. In some
circumstances, you might want to extend the application of the ACI several levels below the
targeted entry. This is possible by using the parent keyword and specifying the number of levels
below the target that should inherit the ACI.
When you use the userattr keyword in association with the parent keyword, the syntax is as
follows:
userattr = "parent[inheritance_level].attrName#bindType"
Using an attribute type that requires a value other than a user DN, group DN, role DN, or an
LDAP filter, the syntax is as follows:
userattr = "parent[inheritance_level].attrName#attrValue"
inheritance_level is a comma-separated list that indicates how many levels below the target
inherit the ACI. You can include five levels (0, 1, 2, 3, 4) below the targeted entry; zero (0)
indicates the targeted entry.
attrName is the attribute targeted by the userattr or groupattr keyword.
bindType can be one of USERDN, GROUPDN, or LDAPURL.
For example:
Chapter 6. Managing Access Control
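The following Python sketch is an added illustration, not code from the guide or from Directory Server. It models how the inheritance levels widen the set of entries a userattr bind rule covers, which is useful when auditing an ACI. It assumes a simplified model in which level n means the attribute is read from the entry n levels above the entry being accessed; the directory contents, the function names, and the naive DN handling are all constructed for the example, and only the USERDN and attrValue forms are evaluated.

```python
import re

# Constructed sample tree (DN -> attributes); not taken from the guide.
ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"
DIRECTORY = {
    "ou=eng,dc=example,dc=com": {"manager": [ALICE]},
    "cn=team1,ou=eng,dc=example,dc=com": {"favoriteDrink": ["Beer"]},
    "cn=proj,cn=team1,ou=eng,dc=example,dc=com": {},
    ALICE: {"favoriteDrink": ["Tea"]},
    BOB: {"favoriteDrink": ["Beer"]},
}
USERATTR_RE = re.compile(
    r"^(?:parent\[([0-4](?:\s*,\s*[0-4])*)\]\.)?([A-Za-z][\w;-]*)#(.+)$")
UNSUPPORTED = {"GROUPDN", "ROLEDN", "LDAPURL"}  # need group/role/filter evaluation

def norm(dn):
    # Naive DN normalisation: assumes no escaped commas inside RDN values.
    return ",".join(p.strip().lower() for p in dn.split(","))

def parse_userattr(expr):
    """Split 'parent[levels].attrName#rhs' into (levels, attrName, rhs)."""
    m = USERATTR_RE.match(expr.strip())
    if not m:
        raise ValueError(f"malformed userattr expression: {expr!r}")
    levels = sorted({int(x) for x in m.group(1).split(",")}) if m.group(1) else [0]
    return levels, m.group(2), m.group(3)

def ancestor(dn, n):
    """DN n levels above dn (n=0 is dn itself), or None past the root."""
    parts = norm(dn).split(",")
    return ",".join(parts[n:]) if n < len(parts) else None

def userattr_matches(expr, bind_dn, accessed_dn, directory=DIRECTORY):
    """True if the bind rule holds for bind_dn accessing accessed_dn."""
    levels, attr, rhs = parse_userattr(expr)
    if rhs in UNSUPPORTED:
        raise NotImplementedError(rhs)
    entries = {norm(dn): attrs for dn, attrs in directory.items()}
    for n in levels:
        holder = entries.get(ancestor(accessed_dn, n), {})  # entry carrying the ACI
        values = holder.get(attr, [])
        if rhs == "USERDN":
            if norm(bind_dn) in (norm(v) for v in values):
                return True
        elif rhs in values and rhs in entries.get(norm(bind_dn), {}).get(attr, []):
            return True  # attrValue form: both entries hold attr=value
    return False
```

Comparing the result for `manager#USERDN` against `parent[0,1].manager#USERDN` on the same accessed DN shows exactly which child entries the inheritance levels bring into scope.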