HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

In this example, the number of ACIs is reduced from four to one. The real benefit depends on how
many repeating patterns you have down and across your directory tree.
6.10.2 Macro ACI syntax
Macro ACIs include the following types of expressions to replace a DN or part of a DN:
($dn)
[$dn]
($attr.attrName), where attrName represents an attribute contained in the target entry
In this section, the ACI keywords used to provide bind credentials, such as userdn, roledn,
groupdn, and userattr, are collectively called the subject, as opposed to the target, of the
ACI. Macro ACIs can be used in the target part or the subject part of an ACI.
Table 31 (page 287) shows in what parts of the ACI you can use DN macros:
Table 31 Macros in ACI keywords

ACI keyword                                                Macro
target, targetfilter, userdn, roledn, groupdn, userattr    ($dn)
targetfilter, userdn, roledn, groupdn, userattr            [$dn]
userdn, roledn, groupdn, userattr                          ($attr.attrName)
The following restrictions apply:
If you use ($dn) in targetfilter, userdn, roledn, groupdn, or userattr, you must define a target that contains ($dn).
If you use [$dn] in targetfilter, userdn, roledn, groupdn, or userattr, you must define a target that contains ($dn).
NOTE:
When using any macro, you always need a target definition that contains the ($dn) macro.
You can combine the ($dn) macro and the ($attr.attrName) macro.
6.10.2.1 Macro matching for ($dn)
The ($dn) macro is replaced by the matching part of the resource targeted in an LDAP request.
For example, you have an LDAP request targeted at the
cn=all,ou=groups,dc=subdomain1,dc=hostedCompany1,dc=example,dc=com entry and an ACI that
defines the target as follows:
(target="ldap:///ou=Groups,($dn),dc=example,dc=com")
The ($dn) macro matches with dc=subdomain1, dc=hostedCompany1.
When the subject of the ACI also uses ($dn), the substring that matches the target is used to
expand the subject. For example:
aci: (target="ldap:///ou=*,($dn),dc=example,dc=com")
(targetattr = "*") (version 3.0; acl "Domain access"; allow (read,search)
groupdn="ldap:///cn=DomainAdmins,ou=Groups,($dn),dc=example,dc=com";)
In this case, if the string matching ($dn) in the target is dc=subdomain1,
dc=hostedCompany1, then the same string is used in the subject. The ACI is then expanded as
follows:
aci: (target="ldap:///ou=Groups,dc=subdomain1,dc=hostedCompany1,dc=example,dc=com")
(targetattr = "*") (version 3.0; acl "Domain access"; allow (read,search)
groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=subdomain1,dc=hostedCompany1,dc=example,dc=com";)
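To make the substitution concrete, here is an added Python helper (it is not part of this guide and not Directory Server code) that mimics the matching described above: it finds the part of a requested entry's DN that ($dn) stands for in the target and substitutes that string into the subject. It assumes, as simplifications of the server's behaviour, case-insensitive RDN comparison, a "*" that matches one RDN value, and a ($dn) that covers one or more whole RDNs.

```python
import re
from typing import Optional

MACRO = "($dn)"


def strip_ldap_url(value: str) -> str:
    """Drop the ldap:/// prefix that ACI target and subject values carry."""
    return value[len("ldap:///"):] if value.startswith("ldap:///") else value


def match_dn_macro(target: str, request_dn: str) -> Optional[str]:
    """Return the part of request_dn that ($dn) in target stands for, or None.

    Assumptions made by this example (not stated by the guide): the target is
    matched against the end of the request DN because an ACI target covers the
    entry and everything below it; comparison is case-insensitive; '*' matches
    one RDN value; ($dn) must cover one or more whole RDNs.
    """
    pattern = strip_ldap_url(target)
    if MACRO not in pattern:
        raise ValueError("a macro ACI needs a target that contains ($dn)")
    # Turn the literal parts into regex text, keeping '*' as an RDN-value wildcard.
    parts = [re.escape(p).replace(r"\*", r"[^,]*") for p in pattern.split(MACRO)]
    regex = r"(?P<dn>[^,]+(?:,[^,]+)*)".join(parts)
    # The match must start at an RDN boundary and run to the end of the DN.
    m = re.search(r"(?:^|(?<=,))" + regex + r"$", request_dn, re.IGNORECASE)
    return m.group("dn") if m else None


def expand_subject(subject: str, dn_part: str) -> str:
    """Substitute the matched string for ($dn) in a subject such as groupdn."""
    return subject.replace(MACRO, dn_part)


def expand_aci(target: str, subject: str, request_dn: str) -> Optional[str]:
    """Expand the subject for one request, or None if the target does not apply."""
    dn_part = match_dn_macro(target, request_dn)
    return None if dn_part is None else expand_subject(subject, dn_part)


if __name__ == "__main__":
    # Constructed sample values, taken from the guide's own example above.
    target = "ldap:///ou=*,($dn),dc=example,dc=com"
    groupdn = "ldap:///cn=DomainAdmins,ou=Groups,($dn),dc=example,dc=com"
    entry = "cn=all,ou=groups,dc=subdomain1,dc=hostedCompany1,dc=example,dc=com"
    print(match_dn_macro(target, entry))  # dc=subdomain1,dc=hostedCompany1
    print(expand_aci(target, groupdn, entry))
    print(expand_aci(target, groupdn, "cn=all,ou=groups,dc=other,dc=org"))  # None
```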
6.10 Advanced access control: Using macro ACIs 287