HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

This example is based on DN matching. However, you can match any attribute of the entry used
in the bind with the targeted entry. For example, you could create an ACI that allowed any user
whose favoriteDrink attribute is beer to read all the entries of other users that have the same
value for favoriteDrink.
6.4.5.1 Using the userattr keyword
The userattr keyword can be used to specify which attribute values must match between the
entry used to bind and the targeted entry. You can specify any of the following:
A user DN
A group DN
A role DN
An LDAP filter, in an LDAP URL
Any attribute type
The LDIF syntax of the userattr keyword is as follows:
userattr = "attrName#bindType"
Using an attribute type that requires a value other than a user DN, group DN, role DN, or an LDAP
filter has the following format:
userattr = "attrName#attrValue"
attrName is the name of the attribute used for value matching.
bindType is either USERDN, GROUPDN, or LDAPURL.
attrValue is any string representing an attribute value.
6.4.5.1.1 Example with USERDN bind type
The following associates the userattr keyword with a bind based on the user DN:
userattr = "manager#USERDN"
The bind rule is evaluated to be true if the bind DN matches the value of the manager attribute in
the targeted entry. You can use this to allow a user's manager to modify employees' attributes.
This mechanism only works if the manager attribute in the targeted entry is expressed as a full
DN.
The following example grants a manager full access to his or her employees' entries:
aci: (target="ldap:///dc=example,dc=com")(targetattr=*)
(version 3.0; acl "manager-write"; allow (all) userattr = "manager#USERDN";)
6.4.5.1.2 Example with GROUPDN bind type
The following associates the userattr keyword with a bind based on a group DN:
userattr = "owner#GROUPDN"
The bind rule is evaluated to be true if the bind DN is a member of the group specified in the
owner attribute of the targeted entry. For example, you can use this mechanism to allow a group
to manage employees' status information. You can use an attribute other than owner as long as
the attribute you use contains the DN of a group entry.
The group you point to can be a dynamic group, and the DN of the group can be under any suffix
in the database. However, the evaluation of this type of ACI by the server is very resource intensive.
If you are using static groups that are under the same suffix as the targeted entry, you can use the
following expression:
userattr = "ldap:///dc=example,dc=com?owner#GROUPDN"
In this example, the group entry is under the dc=example,dc=com suffix. The server can process
this type of syntax more quickly than the previous example.
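The following is an added worked example, not code from the HP-UX Directory Server guide: a small Python model of how the server evaluates the three userattr forms described above (attrName#USERDN, attrName#GROUPDN with and without the ldap:///suffix? prefix, and attrName#attrValue as sketched in the favoriteDrink paragraph). The in-memory directory, the entry DNs and the group membership are constructed sample data; the server performs this evaluation internally, and this model is only meant to make the matching rules, including the requirement that the manager attribute hold a full DN, concrete and testable.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample directory, keyed by DN; attribute values are lists of strings.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "manager": ["uid=bob,ou=people,dc=example,dc=com"],
        "owner": ["cn=hr,ou=groups,dc=example,dc=com"],
        "favoriteDrink": ["beer"],
    },
    "uid=carol,ou=people,dc=example,dc=com": {
        "manager": ["Bob Smith"],  # not a DN: manager#USERDN can never match this entry
        "owner": ["cn=hr,ou=groups,dc=example,dc=com"],
    },
    "uid=bob,ou=people,dc=example,dc=com": {"favoriteDrink": ["beer"]},
    "uid=dave,ou=people,dc=example,dc=com": {"favoriteDrink": ["tea"]},
    "cn=hr,ou=groups,dc=example,dc=com": {
        "uniqueMember": ["uid=dave,ou=people,dc=example,dc=com"],
    },
}

# userattr = "attrName#bindType"  or  userattr = "ldap:///suffix?attrName#bindType"
USERATTR_RE = re.compile(r'^userattr\s*=\s*"(?:ldap:///([^?"]+)\?)?([^#"]+)#([^"]+)"$')


def normalize_dn(dn: str) -> str:
    """Simplified DN comparison key: trims whitespace around RDNs and lowercases."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def looks_like_dn(value: str) -> bool:
    """True if every RDN is attr=value; a bare name such as 'Bob Smith' is rejected."""
    return all("=" in part for part in value.split(","))


def is_under_suffix(dn: str, suffix: str) -> bool:
    n, s = normalize_dn(dn), normalize_dn(suffix)
    return n == s or n.endswith("," + s)


def lookup(dn: str) -> Optional[Dict[str, List[str]]]:
    key = normalize_dn(dn)
    for entry_dn, attrs in DIRECTORY.items():
        if normalize_dn(entry_dn) == key:
            return attrs
    return None


def parse_userattr(rule: str) -> Tuple[Optional[str], str, str]:
    """Return (suffix or None, attrName, bindType-or-attrValue) from a bind rule."""
    m = USERATTR_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unparseable userattr bind rule: {rule!r}")
    suffix, attr, bind = m.groups()
    return suffix, attr.strip(), bind.strip()


def is_group_member(group_dn: str, bind_dn: str) -> bool:
    group = lookup(group_dn)
    if group is None:
        return False
    members = group.get("member", []) + group.get("uniqueMember", [])
    return any(normalize_dn(m) == normalize_dn(bind_dn) for m in members)


def bind_rule_matches(rule: str, bind_dn: str, target_dn: str) -> bool:
    """Evaluate a userattr bind rule for a bind DN against a targeted entry."""
    suffix, attr, bind_type = parse_userattr(rule)
    target = lookup(target_dn)
    if target is None:
        return False
    values = target.get(attr, [])
    kind = bind_type.upper()
    if kind == "USERDN":
        # The attribute in the targeted entry must hold the bind DN as a full DN.
        return any(looks_like_dn(v) and normalize_dn(v) == normalize_dn(bind_dn) for v in values)
    if kind == "GROUPDN":
        # The bind DN must be a member of the group named in the attribute; with the
        # ldap:///suffix? form only groups under that suffix are considered.
        return any(
            looks_like_dn(v)
            and (suffix is None or is_under_suffix(v, suffix))
            and is_group_member(v, bind_dn)
            for v in values
        )
    if kind == "LDAPURL":
        raise ValueError("LDAPURL bind type is not modelled in this example")
    # attrName#attrValue: both the bind entry and the targeted entry carry that value.
    binder = lookup(bind_dn) or {}
    return bind_type in values and bind_type in binder.get(attr, [])


def non_dn_values(attr: str) -> List[str]:
    """Admin check: entries whose attr holds a value that is not a full DN."""
    return [dn for dn, attrs in DIRECTORY.items()
            if any(not looks_like_dn(v) for v in attrs.get(attr, []))]


if __name__ == "__main__":
    print(bind_rule_matches('userattr = "manager#USERDN"',
                            "uid=bob,ou=people,dc=example,dc=com",
                            "uid=alice,ou=people,dc=example,dc=com"))
    print(non_dn_values("manager"))
```

The non_dn_values helper mirrors the caveat in the USERDN section: before relying on a manager#USERDN rule, confirm that every manager value is a full DN, because a free-text value silently denies access rather than failing loudly.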