Red Hat Directory Server 8.0 Administrator's Guide
In this case, if the string matching ($dn) in the target is dc=subdomain1,dc=hostedCompany1, then the same string is used in the subject. The ACI is then expanded as follows:
aci: (target="ldap:///ou=Groups,dc=subdomain1,dc=hostedCompany1,dc=example,dc=com")
     (targetattr = "*")
     (version 3.0; acl "Domain access"; allow (read,search)
     groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=subdomain1,dc=hostedCompany1,dc=example,dc=com";)
Once the macro has been expanded, Directory Server evaluates the ACI following the normal
process to determine whether access is granted.
10.2.2. Macro Matching for [$dn]
The matching mechanism for [$dn] is slightly different than for ($dn). The DN of the targeted
resource is examined several times, each time dropping the left-most RDN component, until a
match is found.
For example, you have an LDAP request targeted at the cn=all,ou=groups,dc=subdomain1,dc=hostedCompany1,dc=example,dc=com subtree and the following ACI:
aci: (target="ldap:///ou=Groups,($dn),dc=example,dc=com")
     (targetattr = "*")
     (version 3.0; acl "Domain access"; allow (read,search)
     groupdn="ldap:///cn=DomainAdmins,ou=Groups,[$dn],dc=example,dc=com";)
The steps for expanding this ACI are as follows:
1. ($dn) in the target matches dc=subdomain1,dc=hostedCompany1.
2. [$dn] in the subject is replaced with dc=subdomain1,dc=hostedCompany1.
The result is groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=subdomain1,dc=hostedCompany1,dc=example,dc=com". If the bind DN is a member of that group, the matching process stops, and the ACI is evaluated. If it does not match, the process continues.
3. [$dn] in the subject is replaced with dc=hostedCompany1.
The result is groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=hostedCompany1,dc=example,dc=com". In this case, if the bind DN is not a member of that group, the ACI is not evaluated. If it is a member, the ACI is evaluated.
The advantage of the [$dn] macro is that it provides a flexible way of granting domain-level administrators access to all the subdomains in the directory tree. It is therefore useful for expressing a hierarchical relationship between domains.
Macro ACI Syntax