HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

NOTE:
If the DN of the entry to which the access control rule applies contains a comma, escape the comma with a single backslash (\), such as (target="ldap:///uid=lfuentes,dc=example.com Bolivia\,S.A.").
Wildcards can be used when targeting a distinguished name using the target keyword. The
wildcard indicates that any character or string or substring is a match for the wildcard. Pattern
matching is based on any other strings that have been specified with the wildcard.
The following are legal examples of wildcard usage:

(target="ldap:///uid=*,dc=example,dc=com") Matches every entry in the entire example.com tree that has the uid attribute in the entry's RDN.

(target="ldap:///uid=*Anderson,dc=example,dc=com") Matches every entry directly under the example.com node with a uid ending in Anderson.

(target="ldap:///uid=C*A,dc=example,dc=com") Matches every entry directly under the example.com node with a uid beginning with C and ending with A.

(target="ldap:///uid=*,ou=*,dc=example,dc=com") Matches every entry in the example.com tree whose distinguished name contains the uid and ou attributes. Thus, uid=fchen,ou=Engineering,dc=example,dc=com or uid=claire,ou=Engineering,ou=people,dc=example,dc=com would match, but uid=bjensen,dc=example,dc=com or ou=Engineering,dc=example,dc=com would not.
Depending on the position of the wildcard, it can apply to the full DN, not only to attribute values.
Therefore, the wildcard can be used as a substitute for portions of the DN. For example,
uid=andy*,dc=example,dc=com targets all the directory entries in the entire example.com
tree with a matching uid attribute and not just the entries that are immediately below the
dc=example,dc=com node. In other words, this target matches with longer expressions such as
uid=andy,ou=eng,dc=example,dc=com or
uid=andy,ou=marketing,dc=example,dc=com.
NOTE:
You cannot use wildcards in the suffix part of a distinguished name. That is, if your directory uses
the suffixes c=US and c=GB, then you cannot use (target="ldap:///dc=example,c=*")
as a target to reference both suffixes. Neither can you use a target such as
uid=bjensen,dc=*.com.
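The following Python script is an added worked example, not code from this guide or from Directory Server, that applies the target-keyword rules above to the guide's own sample DNs: a wildcard matches any run of characters in the DN string (which is why uid=andy*,dc=example,dc=com reaches entries deeper in the tree while uid=*Anderson,dc=example,dc=com does not), an escaped comma (\,) from the earlier NOTE is kept as a literal, and a pattern whose suffix part is not spelled out literally is rejected. The suffix list, the case-insensitive comparison and the function names are assumptions made for the example; the real server normalises DNs according to the attributes' matching rules.

```python
import re

# Added illustration of the target-keyword DN matching described in the guide.
# This is not Directory Server code: it treats "*" as matching any run of
# characters in the DN string (including commas), compares case-insensitively
# (an assumption; real DN matching follows the attribute's matching rules), and
# takes the directory's suffixes as a constructed list so that the "no wildcard
# in the suffix" rule from the NOTE can be enforced.

SUFFIXES = ["dc=example,dc=com"]  # constructed: the example directory's suffix

_TARGET_RE = re.compile(r'\(\s*target\s*=\s*"ldap:///(.*)"\s*\)')


def parse_target(target_rule):
    """Return the DN pattern inside (target="ldap:///...")."""
    m = _TARGET_RE.fullmatch(target_rule.strip())
    if not m:
        raise ValueError("not a target rule: %r" % target_rule)
    return m.group(1)


def _normalise_dn(dn):
    """Lower-case the DN and strip spaces around RDN separators.

    Only unescaped commas separate RDNs; a backslash-escaped comma (as in
    the guide's NOTE) stays part of the value.
    """
    parts = re.split(r"(?<!\\),", dn)
    return ",".join(p.strip().lower() for p in parts)


def _glob_to_regex(pattern):
    """Turn a DN pattern into a regex: "*" becomes ".*", "\\x" stays literal."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            out.append(".*")
        elif ch == "\\" and i + 1 < len(pattern):
            out.append(re.escape(pattern[i:i + 2]))  # keep "\," as a literal pair
            i += 1
        else:
            out.append(re.escape(ch))
        i += 1
    return "".join(out)


def target_is_valid(target_rule, suffixes=SUFFIXES):
    """True if the pattern ends in a configured suffix spelled out literally.

    This is how the NOTE's rule is enforced here: "dc=example,c=*" or
    "uid=bjensen,dc=*.com" never end in a real suffix, so they are rejected.
    """
    pattern = _normalise_dn(parse_target(target_rule))
    for suffix in suffixes:
        s = _normalise_dn(suffix)
        if pattern == s or pattern.endswith("," + s):
            return True
    return False


def target_matches(target_rule, entry_dn, suffixes=SUFFIXES):
    """Decide whether the ACI target rule applies to entry_dn."""
    if not target_is_valid(target_rule, suffixes):
        raise ValueError("wildcard in suffix or unknown suffix: %r" % target_rule)
    regex = _glob_to_regex(_normalise_dn(parse_target(target_rule)))
    return re.fullmatch(regex, _normalise_dn(entry_dn)) is not None


if __name__ == "__main__":
    rule = '(target="ldap:///uid=andy*,dc=example,dc=com")'
    for dn in ("uid=andy,ou=eng,dc=example,dc=com",
               "uid=andy,ou=marketing,dc=example,dc=com",
               "uid=bjensen,dc=example,dc=com"):
        print(dn, "->", target_matches(rule, dn))
```

Running the script prints True for the two uid=andy entries and False for uid=bjensen, mirroring the guide's explanation of where a trailing wildcard reaches. The suffix check is deliberately strict: a target that does not end in one of the configured suffixes is refused before any matching happens, which is the behaviour you want when reviewing ACIs for typos such as dc=*.com.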
6.3.2.2 Targeting attributes
In addition to targeting directory entries, you can also target one or more attributes included in
the targeted entries. This is useful to deny or allow access to partial information about an entry.
For example, you could allow access to only the common name, surname, and telephone number
attributes of a given entry while denying access to sensitive information such as passwords.
You can specify that the target is equal or is not equal to a specific attribute. The attributes you
supply do not need to be defined in the schema. This absence of schema checking makes it possible
to implement an access control policy when you set up your directory service for the first time, even
if the ACLs you create do not apply to the current directory content.
To target attributes, use the targetattr keyword. The keyword uses the following syntax:
(targetattr = "attribute")
You can target multiple attributes by using the targetattr keyword with the following syntax:
6.3 Creating ACIs manually 237