Red Hat Directory Server 8.0 Administrator's Guide
Macro              ACI Keyword
($dn)              target, targetfilter, userdn, roledn, groupdn, userattr
[$dn]              targetfilter, userdn, roledn, groupdn, userattr
($attr.attrName)   userdn, roledn, groupdn, userattr

Table 6.9. Macros in ACI Keywords
The following restrictions apply:
• If you use ($dn) in targetfilter, userdn, roledn, groupdn, or userattr, you must define a
target that contains ($dn).
• If you use [$dn] in targetfilter, userdn, roledn, groupdn, or userattr, you must define a
target that contains ($dn).
NOTE
When using any macro, you always need a target definition that contains the
($dn) macro.
You can combine the ($dn) macro and the ($attr.attrName) macro.
10.2.1. Macro Matching for ($dn)
The ($dn) macro is replaced by the matching part of the resource targeted in an LDAP request.
For example, you have an LDAP request targeted at the
cn=all,ou=groups,dc=subdomain1,dc=hostedCompany1,dc=example,dc=com entry and an ACI that
defines the target as follows:
(target="ldap:///ou=Groups,($dn),dc=example,dc=com")
The ($dn) macro matches dc=subdomain1,dc=hostedCompany1.
When the subject of the ACI also uses ($dn), the substring that matches the target is used to
expand the subject. For example:
aci: (target="ldap:///ou=*,($dn),dc=example,dc=com")
     (targetattr = "*") (version 3.0; acl "Domain access"; allow (read,search)
     groupdn="ldap:///cn=DomainAdmins,ou=Groups,($dn),dc=example,dc=com";)
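The following Python sketch is an added example, not part of this guide or of the server's code. It models the ($dn) matching and subject expansion described above using a simplified, case-insensitive string match (no escaped commas or full DN normalization); the function names match_dn_macro and expand_subject are hypothetical.

```python
import re

MACRO = "($dn)"

# Values taken from the examples in this section.
ENTRY = "cn=all,ou=groups,dc=subdomain1,dc=hostedCompany1,dc=example,dc=com"
TARGET_GROUPS = "ldap:///ou=Groups,($dn),dc=example,dc=com"
TARGET_ANY_OU = "ldap:///ou=*,($dn),dc=example,dc=com"
GROUPDN = "ldap:///cn=DomainAdmins,ou=Groups,($dn),dc=example,dc=com"


def _normalize(dn):
    # Assumption: simplified normalization (drop ldap:/// and spaces around commas).
    if dn.lower().startswith("ldap:///"):
        dn = dn[len("ldap:///"):]
    return ",".join(part.strip() for part in dn.split(","))


def match_dn_macro(target, entry_dn):
    """Return the part of entry_dn that ($dn) in target matches, or None."""
    target = _normalize(target)
    if MACRO not in target:
        # Restriction from this section: any macro use needs ($dn) in the target.
        raise ValueError("target must contain ($dn) when macros are used")
    # Literal text is escaped; '*' stays inside one RDN; ($dn) captures the rest.
    pattern = re.escape(target)
    pattern = pattern.replace(re.escape(MACRO), r"(?P<dn>.+)", 1)
    pattern = pattern.replace(re.escape("*"), r"[^,]*")
    # The target covers a subtree, so it must match a suffix of the entry DN.
    m = re.search(r"(?:^|,)" + pattern + "$", _normalize(entry_dn), re.IGNORECASE)
    return m.group("dn") if m else None


def expand_subject(target, subject, entry_dn):
    """Expand ($dn) in a subject (for example groupdn) for one targeted entry."""
    matched = match_dn_macro(target, entry_dn)
    if matched is None:
        return None  # the target does not cover this entry, so the ACI does not apply
    return subject.replace(MACRO, matched)


if __name__ == "__main__":
    print(match_dn_macro(TARGET_GROUPS, ENTRY))
    print(expand_subject(TARGET_ANY_OU, GROUPDN, ENTRY))
```

Because the expansion comes from the targeted entry's DN, each subdomain's entries are checked against that subdomain's own DomainAdmins group, which is worth confirming when auditing a macro ACI placed high in the tree.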
Chapter 6. Managing Access Control