HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

(By default, owner is not an allowed attribute in a user's entry. You would have to extend your schema
to allow this attribute in a person object.)
6.4.5.1.3 Example with ROLEDN bind type
The following associates the userattr keyword with a bind based on a role DN:
userattr = "exampleEmployeeReportsTo#ROLEDN"
The bind rule is evaluated to be true if the bind DN belongs to the role specified in the
exampleEmployeeReportsTo attribute of the targeted entry. For example, if you create a nested
role for all managers in your company, you can use this mechanism to grant managers at all levels
access to information about employees that are at a lower grade than themselves.
NOTE:
This example assumes that you have added the exampleEmployeeReportsTo attribute to
the schema and that all employee entries contain this attribute. It also assumes that the value of
this attribute is the DN of a role entry. For information on adding attributes to the schema, see
“Creating attributes” (page 433).
The DN of the role can be under any suffix in the database. If you are also using filtered roles, the
evaluation of this type of ACI uses a lot of resources on the server.
If you are using a static role definition and the role entry is under the same suffix as the targeted
entry, you can use the following expression:
userattr = "ldap:///dc=example,dc=com?employeeReportsTo#ROLEDN"
In this example, the role entry is under the dc=example,dc=com suffix. The server can process
this type of syntax more quickly than the previous example.
6.4.5.1.4 Example with LDAPURL bind type
The following associates the userattr keyword with a bind based on an LDAP filter:
userattr = "myfilter#LDAPURL"
The bind rule is evaluated to be true if the bind DN matches the filter specified in the myfilter
attribute of the targeted entry. The myfilter attribute can be replaced by any attribute that
contains an LDAP filter.
6.4.5.1.5 Example with any attribute value
The following associates the userattr keyword with a bind based on any attribute value:
userattr = "favoriteDrink#Beer"
The bind rule is evaluated to be true if the bind DN and the target DN include the favoriteDrink
attribute with a value of Beer.
6.4.5.1.6 Using the userattr keyword with inheritance
When you use the userattr keyword to associate the entry used to bind with the target entry,
the ACI applies only to the target specified and not to the entries below it. In some circumstances,
you might want to extend the application of the ACI several levels below the targeted entry. This
is possible by using the parent keyword and specifying the number of levels below the target that
should inherit the ACI.
When you use the userattr keyword in association with the parent keyword, the syntax is as
follows:
userattr = "parent[inheritance_level].attrName#bindType"
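The following is an added example, not part of the HP-UX guide or the Directory Server code: a small in-memory model of how a userattr bind rule is evaluated against the entry being accessed, covering the ROLEDN and USERDN bind types, the "any attribute value" form, and parent[...] inheritance from the sections above. The LDAPURL type is left out because it needs a filter evaluator, and role membership is modelled through an nsRole attribute on the bind entry, which is an assumption of this model.

```python
# Constructed sample directory: DN -> {lower-cased attribute: [values]}.
# Role membership is modelled via the bind entry's nsRole attribute (an assumption).
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "nsrole": ["cn=managers,dc=example,dc=com"], "favoritedrink": ["Beer"]},
    "uid=bob,ou=people,dc=example,dc=com": {
        "exampleemployeereportsto": ["cn=managers,dc=example,dc=com"],
        "manager": ["uid=alice,ou=people,dc=example,dc=com"],
        "favoritedrink": ["Beer"]},
    "cn=notes,uid=bob,ou=people,dc=example,dc=com": {},
}

def parse_userattr(rule):
    """Split 'parent[0,1].attrName#bindType' into (levels, attr, bind_type)."""
    attr, bind_type = rule.split("#", 1)
    levels = [0]  # plain form: only the targeted entry itself
    if attr.startswith("parent["):
        spec, attr = attr[len("parent["):].split("].", 1)
        levels = [int(n) for n in spec.split(",")]
    return levels, attr.lower(), bind_type

def userattr_allows(rule, entry_dn, bind_dn, directory=DIRECTORY):
    """True if the userattr bind rule holds for bind_dn accessing entry_dn."""
    levels, attr, bind_type = parse_userattr(rule)
    bind_entry = directory.get(bind_dn.lower(), {})
    rdns = entry_dn.lower().split(",")
    for level in levels:
        if level >= len(rdns):  # no ancestor that many levels up
            continue
        # the entry whose attribute is compared: level 0 is the entry itself
        values = [v.lower() for v in
                  directory.get(",".join(rdns[level:]), {}).get(attr, [])]
        if bind_type == "USERDN" and bind_dn.lower() in values:
            return True
        if bind_type == "ROLEDN":
            roles = [r.lower() for r in bind_entry.get("nsrole", [])]
            if any(role in roles for role in values):
                return True
        if bind_type not in ("USERDN", "GROUPDN", "ROLEDN", "LDAPURL"):
            # "any attribute value" form: both entries must carry that value
            mine = [v.lower() for v in bind_entry.get(attr, [])]
            if bind_type.lower() in values and bind_type.lower() in mine:
                return True
    return False
```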
Using an attribute type that requires a value other than a user DN, group DN, role DN, or an LDAP
filter, the syntax is as follows:
6.4 Bind rules 249