HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

(targetattr = "attribute1 || attribute2 ...|| attributen")
attributeX is the name of the targeted attribute. For example, this targets the common name
(cn) attribute:
(targetattr = "cn")
To target an entry's common name, surname, and UID attributes, use the following:
(targetattr = "cn || sn || uid")
The attributes specified in the targetattr keyword apply to the entry that the ACI is targeting
and to all the entries below it. If you target the password attribute on the entry
uid=bjensen,ou=Marketing,dc=example,dc=com, only the password attribute on the
bjensen entry is affected by the ACI because it is a leaf entry.
If, however, you target the tree's branch point ou=Marketing,dc=example,dc=com, then all
the entries beneath the branch point that can contain a password attribute are affected by the ACI.
6.3.2.3 Targeting both an entry and attributes
By default, the entry targeted by an ACI containing a targetattr keyword is the entry on which
the ACI is placed. That is, putting an ACI such as aci: (targetattr =
"uid")(access_control_rules;) on the ou=Marketing,dc=example,dc=com entry
means that the ACI applies to the entire Marketing subtree. However, you can also explicitly
specify a target using the target keyword:
aci: (target="ldap:///ou=Marketing,dc=example,dc=com")(targetattr="uid")(access_control_rules;)
The order in which you specify the target and the targetattr keywords is not important.
6.3.2.4 Targeting entries or attributes using LDAP filters
You can use LDAP filters to target a group of entries that match certain criteria. To do this, you
must use the targetfilter keyword with an LDAP filter. The syntax of the targetfilter
keyword is as follows:
(targetfilter = "LDAP_filter")
LDAP_filter is a standard LDAP search filter. For more information on the syntax of LDAP search
filters, see “Finding Directory Entries” (page 555).
For example, suppose that all entries in the accounting department include the attribute-value pair
ou=accounting, and all entries in the engineering department include the attribute-value pair
ou=engineering. The following filter targets all the entries in the accounting and
engineering branches of the directory tree:
(targetfilter = "(|(ou=accounting)(ou=engineering))")
This type of filter targets whole entries. You can associate the targetfilter and the targetattr
keywords to create ACIs that apply to a subset of attributes in the targeted entries.
The following LDIF example allows members of the Engineering Admins group to modify the
departmentNumber and manager attributes of all entries in the Engineering business category.
This example uses LDAP filtering to select all entries with businessCategory attributes set to
Engineering:
dn: dc=example,dc=com
objectClass: top
objectClass: organization
aci: (targetattr="departmentNumber || manager")
 (targetfilter="(businessCategory=Engineering)")
 (version 3.0; acl "eng-admins-write"; allow (write)
  groupdn ="ldap:///cn=Engineering Admins, dc=example,dc=com";)
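When reviewing an ACI it helps to check which entries and attributes its target keywords actually reach. The following Python sketch is an added example, not code from this guide or from Directory Server; it parses the target, targetattr, and targetfilter keywords described above and tests one entry and attribute against them. The function names, the dictionary representation of an entry, and the sample entry are assumptions made for the example, and it handles only the = form of the keywords, filters built from equality, &, | and !, and DNs without escaped commas.

```python
import re

# The ACI from the LDIF example above, unfolded onto one line.
ACI = ('(targetattr="departmentNumber || manager")'
       '(targetfilter="(businessCategory=Engineering)")'
       '(version 3.0; acl "eng-admins-write"; allow (write) '
       'groupdn ="ldap:///cn=Engineering Admins, dc=example,dc=com";)')

def parse_targets(aci):
    """Extract the target, targetattr and targetfilter keywords of an ACI."""
    pat = r'\(\s*(targetattr|targetfilter|target)\s*=\s*"([^"]*)"\s*\)'
    return dict(re.findall(pat, aci))

def rdns(dn):
    """Naive DN normalisation (assumption: no escaped commas in the DN)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]

def in_subtree(entry_dn, base_dn):
    """True if entry_dn is base_dn itself or lies below it."""
    entry, base = rdns(entry_dn), rdns(base_dn)
    return entry[-len(base):] == base

def eval_filter(flt, entry):
    """Evaluate a filter made of &, |, ! and equality; returns (match, rest)."""
    if flt[1] in "&|!":
        op, rest, hits = flt[1], flt[2:], []
        while rest.startswith("("):
            hit, rest = eval_filter(rest, entry)
            hits.append(hit)
        match = {"&": all, "|": any}.get(op, lambda h: not h[0])(hits)
        return match, rest[1:]  # drop this group's closing ")"
    end = flt.index(")")
    name, value = flt[1:end].split("=", 1)
    values = [v.lower() for v in entry.get(name.strip().lower(), [])]
    return value.strip().lower() in values, flt[end + 1:]

def aci_covers(aci, placed_on, entry_dn, entry, attr):
    """True if the ACI's target keywords select attr on the given entry."""
    t = parse_targets(aci)
    # Without a target keyword, the ACI targets the entry it is placed on.
    base = t["target"][len("ldap:///"):] if "target" in t else placed_on
    attrs = [a.strip().lower() for a in t["targetattr"].split("||")]
    if not in_subtree(entry_dn, base) or attr.lower() not in attrs:
        return False
    return "targetfilter" not in t or eval_filter(t["targetfilter"], entry)[0]

if __name__ == "__main__":
    # Constructed sample entry: attribute names lower-cased, values as lists.
    bjensen = {"businesscategory": ["Engineering"], "manager": ["uid=kvaughan"]}
    dn = "uid=bjensen,ou=Marketing,dc=example,dc=com"
    for attr in ("manager", "cn"):
        print(attr, aci_covers(ACI, "dc=example,dc=com", dn, bjensen, attr))
```

Run against an export of the subtree, a check like this shows whether a filter-based ACI selects more entries than intended before the rule is loaded into the directory.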