An ACI target statement specifies the entry, attributes, or set of entries and attributes for which you want to control access.
An ACI target statement has this syntax:
(keyword = "expression")
The following values are used in the target.
Indicates the type of target.
Identifies the target. The quotation marks ("") around expression are syntactically required, although the current implementation accepts expressions like targetattr=*.
Indicates that the target is or is not the object specified in the expression.
The != operator cannot be used with the targettrfilters keyword or the targetscope keyword.
For a description of target keywords, see the following sections:
The following table lists the target keywords and their associated expressions.
Table 2–1 Target Keywords and Their Expressions
Keyword |
Type of target |
Expression |
---|---|---|
target |
A directory entry or its subtree |
ldap:///distinguished_name |
targetattr |
The attributes of an entry |
attribute |
targetfilter |
A set of entries or attributes that match an LDAP filter |
LDAP_filter |
targattrfilters |
An attribute value or combination of values that match an LDAP filter |
LDAP_operation:LDAP_filter |
targetScope |
The scope of the target |
base, onelevel, subtree |
The target keyword specifies that an ACI is defined for a directory entry. The target keyword uses the following syntax:
(target = "distinguished_name")
or
(target != "distinguished_name")
The distinguished name must be in the subtree rooted at the entry where the ACI is defined. For example, the following target may be used in an ACI on ou=People,dc=example,dc=com:
(target = "ldap:///uid=bjensen,ou=People,dc=example,dc=com") |
The DN of the entry must be a distinguished name in string representation (RFC 4514). Therefore, characters that are syntactically significant for a DN, such as commas, must be escaped with a single backslash (\).
Wild cards, show as asterisk characters can be used in the expression for the target keyword. The asterisk matches an attribute value, a substring of a value, or a DN component. For example, all of the following expressions match uid=bjensen,ou=people,dc=example,dc=com.
target= "ldap:///uid=bj*,ou=people,dc=example,dc=com"
target= "ldap:///uid=*,ou=people,dc=example,dc=com"
target= "ldap:///*,ou=people,dc=example,dc=com"
target= "ldap:///uid=bjensen,*,dc=com"
target= "ldap:///uid=bjensen*"
The following further examples show permitted uses of wild cards.
target="ldap:///uid=*,dc=example,dc=com"
This target matches every entry in the entire example.com tree that has the UID attribute in the entry's RDN.
target="ldap:///*Anderson,ou=People,dc=example,dc=com"
This target matches every entry in the ou=People branch whose RDN ends with Anderson, regardless of the naming attribute.
target="ldap:///uid=*,ou=*,dc=example,dc=com"
This target matches every entry in the example.com tree whose distinguished name contains the uid and ou attributes.
Other usage of wild cards to such as target="ldap:///uid=bjensen,o*,dc=com" might be accepted, but are deprecated.
The targetattr keyword specifies that an ACI is defined for one or more attributes in the targeted entries. The targetattr keyword uses the following syntax:
(targetattr = "attribute") |
or
(targetattr != "attribute") |
If no targetattr keyword is present, no attributes are targeted. To target all attributes, the targetattr keyword must be targetattr="*".
Targeted attributes do not need to exist on the target entry or its subtree, but the ACI applies whenever they do.
Targeted attributes do not need to be defined in the schema. The absence of schema checking makes it possible to implement an access control policy before importing data and its schema.
The targetattr keyword can be used for multiple attributes, by using this syntax:
(targetattr = "attribute1 || attribute2|| ... attributeN") |
If you configure attribute aliases, you must specify both the attribute name and the alias in the targetattr keyword for the ACI to take them into account.
Targeted attributes include all subtypes of the named attribute. For example, (targetattr = "locality") also targets locality;lang-fr.
Wild cards can be used in the expression for the targetattr keyword, but the use of wild cards would serve no purpose and may reduce performance.
The targetfilter keyword is used in ACIs to target entries that match an LDAP filter. The ACI applies to all entries that match the LDAP filter and that are in the scope of the ACI. The targetfilter keyword uses the following syntax:
(targetfilter = "(standard LDAP search filter)") |
The following example is for employees with a status of salaried or contractor, and an attribute for the number of hours worked as a percentage of a full-time position. The filter targets entries for contractors or part-time employees:
(targetfilter = "(|(status=contractor)(fulltime<=79))") |
The Netscape extended filter syntax is not supported in ACIs. For example, the following target filter is not valid:
(targetfilter = "(locality:fr:=<= Québec)") |
The filter syntax that describes matching rules for internationalized values is supported. For example, the following target filter is valid:
(targetfilter = "(locality:2.16.840.1.113730.3.3.2.18.1.4:=Québec)") |
The targetfilter keyword selects whole entries as targets of the ACI. The targetfilter keyword and the targetattr keyword can be used together to create ACIs that apply to a subset of attributes in the targeted entries.
The targattrfilters keyword is used in ACIs to target specific attribute values by using LDAP filters. By using the targattrfilters keyword, you can grant or deny permissions on an attribute if that attribute's value meets the criteria defined in the ACI. An ACI that grants or denies access based on an attribute's value, is called a value-based ACI. The targattrfilters keyword uses this syntax:
(targattrfilters="add=attr1:F1 && attr2:F2... && attrn:Fn, \ del=attr1:F1 && attr2:F2 ... && attrn:Fn") |
where
represents the operation of creating an attribute.
represents the operation of deleting an attribute.
represents the target attributes.
represents filters that apply only to the associated attribute.
The following conditions must be met when filters apply to entries, and those entries are created, deleted or modified:
When an entry is created or deleted, each instance of that attribute must satisfy the filter.
When an entry is modified, if the operation adds an attribute, then the add filter that applies to that attribute must be satisfied; if the operation deletes an attribute, then the delete filter that applies to that attribute must be satisfied.
If individual values of an attribute already present in the entry are replaced, then the add and delete filters must be satisfied.
The following ACI allows users to add any role to their own entry, except the superAdmin role. It also allows users to add a telephone number with a 123 prefix.
(targattrfilters="add=nsroleDN:(!(nsRoleDN=cn=superAdmin)) \ && telephoneNumber:(telephoneNumber=123*)")
The targetScope keyword is used in ACIs to specify the scope of the ACI. The targetScope keyword uses this syntax:
(targetScope="base")
The targetScope keyword can have one of these values:
The ACI applies to the target resource only
The ACI applies to the target resource and its first-generation children
The ACI applies to the target resource and its subtree
If the targetScope keyword is not specified, the default value is subtree.