Compatibility With the Sun Java System Directory Server Access Control Model
The all attributes targetattr rule applies only to non-operational attributes. Operational attributes must be explicitly specified in a targetattr ACI statement. This differs from Sun Java System Directory Server behavior, which allows the all attributes targetattr rule to apply to both operational and non-operational attributes.
It is also illegal to use a not-equal operator when an operational attribute is specified in a targetattr rule. For example, the targetattr rule below is invalid because the operational attribute aclRights is used with a not-equal operator:
(targetattr != aclRights)
Note - A not-equal operator in a targetattr rule that specifies non-operational attributes is valid, but the rule is restricted to applying to other non-operational attributes only.
It is illegal to specify both operational and non-operational attributes in the same targetattr statement.
It is illegal to specify both the all attributes targetattr rule and an attribute in the same expression (for example, targetattr="cn || *").
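The restrictions above can be checked mechanically before an ACI is loaded. The following lint is an added example, not the directory server's own code: check_targetattr is a hypothetical helper, and the OPERATIONAL set is an assumed sample (a real check would read attribute usage from the server schema).

```python
import re

# Assumption: a small sample of operational attribute names. A real check
# would look up each attribute's usage in the server schema instead.
OPERATIONAL = {"aclrights", "createtimestamp", "modifytimestamp", "entryuuid"}

# Matches targetattr clauses with or without the surrounding parentheses
# and with or without quotes around the attribute list.
CLAUSE = re.compile(r'\(?\s*targetattr\s*(!=|=)\s*"?([^")]*)"?\s*\)?',
                    re.IGNORECASE)

def check_targetattr(clause):
    """Return the list of rule violations for one targetattr clause."""
    m = CLAUSE.fullmatch(clause.strip())
    if not m:
        return ["not a targetattr clause"]
    op, body = m.group(1), m.group(2)
    attrs = [a.strip() for a in body.split("||") if a.strip()]
    if not attrs:
        return ["no attributes listed"]
    has_all = "*" in attrs
    named = [a for a in attrs if a != "*"]
    oper = [a for a in named if a.lower() in OPERATIONAL]
    user = [a for a in named if a.lower() not in OPERATIONAL]
    problems = []
    if has_all and named:
        problems.append("'*' combined with a named attribute")
    if oper and user:
        problems.append("operational and non-operational attributes mixed")
    if op == "!=" and oper:
        problems.append("not-equal operator used with operational attribute")
    return problems

if __name__ == "__main__":
    # Constructed sample clauses; the first two are the examples in the text.
    samples = [
        '(targetattr != aclRights)',
        'targetattr="cn || *"',
        '(targetattr="cn || aclRights")',
        '(targetattr="aclRights || createTimestamp")',
        '(targetattr != "userPassword")',
        '(targetattr="*")',
    ]
    for s in samples:
        print(s, "->", check_targetattr(s) or "ok")
```

A clause such as (targetattr="*") passes the lint, but it still grants nothing on operational attributes; those need their own targetattr statement that names them explicitly.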