HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

Using a connector such as && is not allowed. For example, this is not an acceptable bind rule:
  groupdn="ldap:///dc=example,dc=com??sub?(ou=engineering) &&
    ldap:///dc=example,dc=com??sub?(manager="uid=bjensen,ou=managers,dc=example,dc=com")"
For more information about LDAP URLs, see “LDAP URLs” (page 570).
6.4.2.6 Wildcards
You can also specify a set of users by using the wildcard character (*). For example, specifying
a user DN of uid=u*,dc=example,dc=com indicates that only users with a bind DN beginning
with the letter u are allowed or denied access based on the permissions you set.
From the Directory Server Console, you set user access from the Access Control Editor. For more
information, see “Creating ACIs from the console” (page 254).
6.4.2.7 Examples
Table 26 userdn keyword examples

Description:
  The bind rule is evaluated to be true if the user binds to the directory
  using any distinguished name of the specified pattern. For example, both of
  the following bind DNs would be evaluated to be true:
    uid=ssarette,dc=example,dc=com
    uid=tjaz,ou=Accounting,dc=example,dc=com
  This bind DN would be evaluated to be false:
    cn=Babs Jensen,dc=example,dc=com
Example:
  userdn = "ldap:///uid=*,dc=example,dc=com";
Scenario:
  Userdn keyword containing an LDAP URL

Description:
  The bind rule is evaluated to be true if the client binds as either of the
  two supplied distinguished names.
Example:
  userdn="ldap:///uid=bj,dc=example,dc=com || ldap:///uid=kc,dc=example,dc=com";
Scenario:
  Userdn keyword containing logical OR of LDAP URLs

Description:
  The bind rule is evaluated to be true if the client is not binding as a
  UID-based distinguished name in the accounting subtree. This bind rule only
  makes sense if the targeted entry is not under the accounting branch of the
  directory tree.
Example:
  userdn != "ldap:///uid=*,ou=Accounting,dc=example,dc=com";
Scenario:
  Userdn keyword excluding a specific LDAP URL

Description:
  The bind rule is evaluated to be true if the user is accessing the entry
  represented by the DN with which the user bound to the directory. That is,
  if the user has bound as uid=ssarette,dc=example,dc=com and the user is
  attempting an operation on the uid=ssarette,dc=example,dc=com entry, then
  the bind rule is true.
  If you want to grant all users in the example.com tree write access to
  their userPassword attribute, you would create the following ACI on the
  dc=example,dc=com node:
    aci: (targetattr = "userPassword")(version 3.0; acl "write-self";
         allow (write) userdn = "ldap:///self";)
Example:
  userdn = "ldap:///self";
Scenario:
  Userdn keyword containing the self keyword

Description:
  The bind rule is evaluated to be true for any valid bind DN. To be true, a
  valid distinguished name must be presented by the user for a successful
  bind operation.
Example:
  userdn = "ldap:///all";
Scenario:
  Userdn keyword containing the all keyword
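As an added illustration (not Directory Server code), the following Python models how the userdn forms in Table 26 evaluate against a bind DN and, for self, the target entry's DN. DN normalization and anonymous-bind handling are simplified assumptions, and LDAP URL search filters are not modelled.

```python
import fnmatch
import re

# Constructed, simplified evaluator for the userdn bind-rule forms shown in
# Table 26 (added illustration, not Directory Server code). It models
# ldap:///<dn-pattern> URLs with '*' wildcards, the || connector, the !=
# operator and the self and all keywords; URL search filters are out of scope.

_RULE_RE = re.compile(r'^\s*userdn\s*(!?=)\s*"(.*)"\s*;?\s*$', re.S)

def normalize_dn(dn):
    # Case-insensitive compare, no whitespace around RDN separators (assumed).
    return ",".join(part.strip() for part in dn.split(",")).lower()

def parse_userdn_rule(rule):
    """Return (operator, [dn-pattern, ...]) for a userdn bind rule."""
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError("not a userdn bind rule: %r" % rule)
    op, body = m.groups()
    if "&&" in body:
        raise ValueError("&& is not an allowed connector; only || is")
    patterns = []
    for url in body.split("||"):
        url = url.strip()
        if not url.startswith("ldap:///"):
            raise ValueError("expected an LDAP URL: %r" % url)
        patterns.append(url[len("ldap:///"):])
    return op, patterns

def pattern_matches(pattern, bind_dn, target_dn):
    if not bind_dn:  # anonymous bind: no DN was presented (assumed semantics)
        return False
    if pattern == "self":
        return target_dn is not None and normalize_dn(bind_dn) == normalize_dn(target_dn)
    if pattern == "all":
        return True  # any valid (authenticated) bind DN satisfies "all"
    # '*' spans any characters, commas included, which is why
    # uid=*,dc=example,dc=com also matches a DN inside ou=Accounting.
    return fnmatch.fnmatchcase(normalize_dn(bind_dn), normalize_dn(pattern))

def evaluate_userdn(rule, bind_dn, target_dn=None):
    """True if the userdn bind rule holds for this bind DN (and target entry)."""
    op, patterns = parse_userdn_rule(rule)
    matched = any(pattern_matches(p, bind_dn, target_dn) for p in patterns)
    return matched if op == "=" else not matched
```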
6.4 Bind rules 245