The target keyword specifies that an ACI is defined for a directory entry. The target keyword uses the following syntax:
(target = "distinguished_name")
or
(target != "distinguished_name")
The distinguished name must be in the subtree rooted at the entry where the ACI is defined. For example, the following target may be used in an ACI on ou=People,dc=example,dc=com:
(target = "ldap:///uid=bjensen,ou=People,dc=example,dc=com")
The DN of the entry must be a distinguished name in string representation (RFC 4514). Therefore, characters that are syntactically significant for a DN, such as commas, must be escaped with a single backslash (\).
Wild cards, shown as asterisk characters, can be used in the expression for the target keyword. The asterisk matches an attribute value, a substring of a value, or a DN component. For example, all of the following expressions match uid=bjensen,ou=people,dc=example,dc=com.
target= "ldap:///uid=bj*,ou=people,dc=example,dc=com"
target= "ldap:///uid=*,ou=people,dc=example,dc=com"
target= "ldap:///*,ou=people,dc=example,dc=com"
target= "ldap:///uid=bjensen,*,dc=com"
target= "ldap:///uid=bjensen*"
The following further examples show permitted uses of wild cards.
target="ldap:///uid=*,dc=example,dc=com"
This target matches every entry in the entire example.com tree that has the UID attribute in the entry's RDN.
target="ldap:///*Anderson,ou=People,dc=example,dc=com"
This target matches every entry in the ou=People branch whose RDN ends with Anderson, regardless of the naming attribute.
target="ldap:///uid=*,ou=*,dc=example,dc=com"
This target matches every entry in the example.com tree whose distinguished name contains the uid and ou attributes.
Other uses of wild cards, such as target="ldap:///uid=bjensen,o*,dc=com", might be accepted but are deprecated.
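The RFC 4514 escaping requirement described above matters most when a target is assembled from data rather than typed by hand. The following helper is an added example, not part of the original page or of any directory server's tooling; the function names, the attribute-name check, and the decision to reject values containing an asterisk (which the target keyword would treat as a wild card and so widen the ACI's scope) are assumptions of this example.

```python
import re

_SPECIAL = set('"+,;<>\\')  # characters RFC 4514 requires a backslash for
_ATTR = re.compile(r"[A-Za-z][A-Za-z0-9-]*")  # assumed: short attribute names only

def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for a string DN (RFC 4514)."""
    if not value:
        raise ValueError("empty RDN value")
    if "*" in value:
        # Assumption: refuse instead of guessing how a literal asterisk is
        # handled; in a target expression it acts as a wild card.
        raise ValueError("asterisk would act as a wild card in a target")
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")            # NUL is written as a hex pair
        elif ch in _SPECIAL:
            out.append("\\" + ch)
        elif i == 0 and ch in " #":
            out.append("\\" + ch)         # leading space or number sign
        elif i == last and ch == " ":
            out.append("\\" + ch)         # trailing space
        else:
            out.append(ch)
    return "".join(out)

def build_target(rdns, negate=False) -> str:
    """rdns: list of (attribute, value) pairs, leftmost RDN first."""
    parts = []
    for attr, val in rdns:
        if not _ATTR.fullmatch(attr):
            raise ValueError(f"unexpected attribute name: {attr!r}")
        parts.append(f"{attr}={escape_rdn_value(val)}")
    op = "!=" if negate else "="
    return f'(target {op} "ldap:///{",".join(parts)}")'

if __name__ == "__main__":
    # Constructed sample: a cn value that contains a comma.
    print(build_target([("cn", "Jensen, Barbara"), ("ou", "People"),
                        ("dc", "example"), ("dc", "com")]))
```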