HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

After the macro has been expanded, Directory Server evaluates the ACI following the normal
process to determine whether access is granted.
6.10.2.2 Macro matching for [$dn]
The matching mechanism for [$dn] is slightly different from that for ($dn). The DN of the targeted
resource is examined several times, each time dropping the leftmost RDN component, until a match
is found.
For example, you have an LDAP request targeted at the
cn=all,ou=groups,dc=subdomain1,dc=hostedCompany1,dc=example,dc=com subtree and the following
ACI:
aci: (target="ldap:///ou=Groups,($dn),dc=example,dc=com")
(targetattr = "*") (version 3.0; acl "Domain access"; allow (read,search)
groupdn="ldap:///cn=DomainAdmins,ou=Groups,[$dn],dc=example,dc=com";)
The steps for expanding this ACI are as follows:
1. ($dn) in the target matches dc=subdomain1,dc=hostedCompany1.
2. [$dn] in the subject is replaced with dc=subdomain1,dc=hostedCompany1.
The result is
groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=subdomain1,dc=hostedCompany1,dc=example,dc=com".
If the bind DN is a member of that group, the matching process stops, and the ACI is evaluated.
If it does not match, the process continues.
3. [$dn] in the subject is replaced with dc=hostedCompany1.
The result is
groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=hostedCompany1,dc=example,dc=com".
In this case, if the bind DN is not a member of that group, the ACI is not evaluated. If it is a
member, the ACI is evaluated.
The advantage of the [$dn] macro is that it provides a flexible way of granting domain-level
administrators access to all the subdomains in the directory tree. Therefore, it is useful for
expressing a hierarchical relationship between domains.
For example, consider the following ACI:
aci: (target="ldap:///ou=*, ($dn),dc=example,dc=com")
(targetattr="*")(targetfilter=(objectClass=nsManagedDomain))
(version 3.0; acl "Domain access"; allow (read,search)
groupdn="ldap:///cn=DomainAdmins,ou=Groups,[$dn],dc=example,dc=com";)
It grants access to the members of cn=DomainAdmins,ou=Groups,dc=hostedCompany1,dc=example,dc=com
to all the subdomains under dc=hostedCompany1, so an administrator belonging to that group could
access a subtree like ou=people,dc=subdomain1.1,dc=subdomain1.
However, at the same time, members of cn=DomainAdmins,ou=Groups,dc=subdomain1.1 would be denied
access to the ou=people,dc=subdomain1,dc=hostedCompany1 and ou=people,dc=hostedCompany1 nodes,
because the matching process only ever drops RDNs from the left of the ($dn) value; it never
adds components, so a subdomain group is never substituted into a parent domain's subject.
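The expansion steps above can be followed in code. The following is an added example written for this page, not code from HP-UX Directory Server: it models ($dn) capture against a subtree target (including the ou=* wildcard form of the second ACI) and the [$dn] suffix-stripping retries, using the ACI from the text and a constructed set of group memberships and bind DNs. DN handling is reduced to a comma split with case-insensitive comparison, which is enough for the DNs used here but not for escaped or multi-valued RDNs.

```python
"""Toy model of how Directory Server expands the ($dn) and [$dn] ACI macros.

Added example, not code from HP-UX Directory Server. The group memberships
and bind DNs below are constructed for the illustration.
"""
import fnmatch


def split_rdns(dn):
    """Split a DN into RDN components, dropping whitespace after commas.
    Assumes no escaped commas, which holds for every DN in this example."""
    return [c.strip() for c in dn.split(",") if c.strip()]


def norm_dn(dn):
    """Canonical form used as a dictionary key: normalised spacing, lower case."""
    return ",".join(split_rdns(dn)).lower()


def rdn_matches(pattern_rdn, rdn):
    """Case-insensitive RDN comparison; the target may use '*' wildcards (ou=*)."""
    return fnmatch.fnmatchcase(rdn.lower(), pattern_rdn.lower())


def match_target_macro(target, resource_dn):
    """Return the text that ($dn) stands for when `target` is matched against
    `resource_dn`, or None when the target does not apply to the resource.

    The target names a subtree, so the resource may sit below the entry the
    pattern describes: the RDNs after ($dn) must end the resource DN, the RDNs
    before ($dn) may start at any depth, and ($dn) is the non-empty run between
    them (the longest such run is taken)."""
    pattern = split_rdns(target.removeprefix("ldap:///"))
    res = split_rdns(resource_dn)
    i = pattern.index("($dn)")
    prefix, suffix = pattern[:i], pattern[i + 1:]
    if len(suffix) >= len(res):
        return None
    tail = res[len(res) - len(suffix):]
    if not all(rdn_matches(p, r) for p, r in zip(suffix, tail)):
        return None
    body = res[:len(res) - len(suffix)]
    for start in range(len(body) - len(prefix) + 1):
        window = body[start:start + len(prefix)]
        captured = body[start + len(prefix):]
        if captured and all(rdn_matches(p, r) for p, r in zip(prefix, window)):
            return ",".join(captured)
    return None


def expand_subject_macro(subject_template, dn_value, is_member):
    """Steps 2 and 3 of the text: substitute [$dn] with the full ($dn) value,
    then retry after dropping the leftmost RDN each time, until is_member()
    reports the bind DN in the expanded group. Returns the expanded subject
    that matched, or None if no suffix of the ($dn) value matched."""
    rdns = split_rdns(dn_value)
    for k in range(len(rdns)):
        candidate = subject_template.replace("[$dn]", ",".join(rdns[k:]))
        if is_member(candidate):
            return candidate
    return None


# Constructed group memberships (keys and members in canonical form).
GROUPS = {
    norm_dn("cn=DomainAdmins,ou=Groups,dc=hostedCompany1,dc=example,dc=com"):
        {norm_dn("uid=hc1admin,ou=People,dc=hostedCompany1,dc=example,dc=com")},
    norm_dn("cn=DomainAdmins,ou=Groups,dc=subdomain1,dc=hostedCompany1,dc=example,dc=com"):
        {norm_dn("uid=sd1admin,ou=People,dc=subdomain1,dc=hostedCompany1,dc=example,dc=com")},
}

# The target and groupdn of the "Domain access" ACI quoted in the text.
ACI_TARGET = "ldap:///ou=Groups,($dn),dc=example,dc=com"
ACI_GROUPDN = "ldap:///cn=DomainAdmins,ou=Groups,[$dn],dc=example,dc=com"


def evaluate_aci(resource_dn, bind_dn, groups=GROUPS,
                 target=ACI_TARGET, groupdn=ACI_GROUPDN):
    """Return (applies, matched_group): whether the ACI target matches the
    resource and, if it does, the expanded groupdn the bind DN was found in
    (None when no expansion matched, so the ACI is not evaluated)."""
    dn_value = match_target_macro(target, resource_dn)
    if dn_value is None:
        return (False, None)

    def is_member(group_url):
        key = norm_dn(group_url.removeprefix("ldap:///"))
        return norm_dn(bind_dn) in groups.get(key, set())

    return (True, expand_subject_macro(groupdn, dn_value, is_member))


if __name__ == "__main__":
    entry = "cn=all,ou=groups,dc=subdomain1,dc=hostedCompany1,dc=example,dc=com"
    for who in ("uid=sd1admin,ou=People,dc=subdomain1,dc=hostedCompany1,dc=example,dc=com",
                "uid=hc1admin,ou=People,dc=hostedCompany1,dc=example,dc=com"):
        print(who, "->", evaluate_aci(entry, who))
```

Running the block shows the two cases from the text: the subdomain1 administrator matches on the first substitution, the hostedCompany1 administrator only after the leftmost RDN is dropped. A hostedCompany1-level resource with a subdomain1 bind DN yields no match, since the retries only shorten the ($dn) value and never reach a subdomain group.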
6.10.2.3 Macro matching for ($attr.attrName)
The ($attr.attrName) macro is always used in the subject part of a DN. For example, define
the following roledn:
roledn = "ldap:///cn=DomainAdmins,($attr.ou)"
Now, assume the server receives an LDAP operation targeted at the following entry:
dn: cn=Jane Doe, ou=People, dc=HostedCompany1, dc=example,dc=com
cn: Jane Doe
sn: Doe
ou: Engineering, dc=HostedCompany1, dc=example,dc=com
...
288 Managing Access Control