Using the Distinguished Name Editor

A distinguished name (DN) is a sequence of relative distinguished names (RDNs), separated by a comma, for example o=XYZ, c=US. When you have to specify a DN in the Admin Console, you can type it directly into the field supplied, or you can construct it using the Distinguished Name Editor.

To start the DN Editor, from the LDAP Property Book click:

AdminConsole>LDAP Property Book>SUN Directory Services>Create pulldown>Access Control>Selected entries>DN-based regular expression>Distinguished name>Set

The DN Editor dialog box is displayed, as shown in FIGURE 6-13.

FIGURE 6-13 Distinguished Name Editor

To edit a distinguished name, use the Previous and Next buttons to position the cursor where you want to insert an RDN, or select the existing RDN you want to replace. Select the attribute type for the RDN, and type the value in the RDN value field. If you are inserting a new RDN, click the Add RDN button. If you are modifying an existing RDN, this button is replaced by a Modify RDN button. Click Apply to save the new DN, or click Cancel to close the DN Editor dialog box without saving it.

You can specify a DN that contains a regular expression, to indicate a set of entries. This is meaningful where a set of entries is intended, for example in an access control rule, but not where a single entry is required, such as a naming context. The Admin Console does not prevent you from entering a regular expression in any DN field, so it is up to you to use wildcards only where they are appropriate.


Regular Expressions

You can specify a set of entries using a regular expression. See the regex(1F) manpage for information about regular expressions.

You can specify a regular expression for the distinguished name of an entry. For example, the regular expression dn="cn=Joe Smith, ou=.*, o=XYZ, c=US" specifies the entries of everyone called Joe Smith in any organizational unit of XYZ Corporation. Because .* matches any characters, including commas, the pattern also covers entries beneath nested organizational units. DN-based regular expressions are useful when defining access controls.

You can also use a DN-based regular expression to specify a set of values for an attribute whose values are DNs. For example, to let the members of a distribution list modify the list entry, you can grant write access to any person whose DN is a value of the entry's member attribute, using the regular expression member="dn=.*".
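The two uses of a DN-based regular expression described above (selecting a set of entries with dn="cn=Joe Smith, ou=.*, o=XYZ, c=US", and selecting the people listed in an entry's member attribute with member="dn=.*"), as an added example. This is illustration code, not code from Sun Directory Services or the Admin Console, and it makes three assumptions the manual does not state: the pattern is compared against a canonical spelling of the DN (attribute types lower-cased, RDNs joined by a comma and a space, as the patterns in this chapter are written), attribute values are compared case-insensitively, and the match is anchored at both ends of the DN. The sample DNs and the SALES_LIST entry are constructed for the example.

```python
import re

# Added example, not Sun Directory Services code. See the lead-in for the
# assumptions about DN canonicalisation, case folding and anchoring.


def split_dn(dn):
    """Split a DN on commas, honouring backslash escapes ('cn=Smith\\, Joe')."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    return [r.strip() for r in rdns]


def canonical_dn(dn):
    """Lower-case the attribute types and join the RDNs with ', '."""
    parts = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip()}")
    return ", ".join(parts)


def dn_matches(pattern, dn):
    """Does the DN regex select this entry? Anchored: the whole DN must match."""
    return re.fullmatch(pattern, canonical_dn(dn), re.IGNORECASE) is not None


def dn_matches_unanchored(pattern, dn):
    """The same test with re.search, shown only to illustrate why anchoring
    matters: without anchoring, c=US also selects entries under c=USA."""
    return re.search(pattern, canonical_dn(dn), re.IGNORECASE) is not None


def bind_dn_is_member(entry, bind_dn):
    """member="dn=.*": the bound user's DN must equal one of the values of the
    entry's member attribute (compared after canonicalisation)."""
    wanted = canonical_dn(bind_dn).lower()
    return any(canonical_dn(v).lower() == wanted for v in entry.get("member", []))


# Constructed sample data for the example.
JOE_PATTERN = "cn=Joe Smith, ou=.*, o=XYZ, c=US"
SALES_LIST = {
    "cn": ["sales-all"],
    "member": ["CN=Joe Smith, OU=Sales, O=XYZ, C=US",
               "cn=Ann Lee, ou=Sales, o=XYZ, c=US"],
}

if __name__ == "__main__":
    for dn in ("cn=Joe Smith,ou=Sales,o=XYZ,c=US",
               "cn=Joe Smith, ou=Sales, ou=West, o=XYZ, c=US",
               "cn=Joe Smithson, ou=Sales, o=XYZ, c=US",
               "cn=Joe Smith, ou=Sales, o=XYZ, c=USA"):
        print(f"{dn!r}: anchored={dn_matches(JOE_PATTERN, dn)} "
              f"unanchored={dn_matches_unanchored(JOE_PATTERN, dn)}")
    print(bind_dn_is_member(SALES_LIST, "cn=joe smith,ou=sales,o=xyz,c=us"))
```

Two points worth noticing when you write such patterns: the wildcard spans RDN boundaries, so ou=.* selects nested organizational units as well as a single one, and every regular-expression metacharacter in the DN itself (a dot in an organization name, for instance) must be escaped or it will match more than you intend.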


Specifying an LDAP Filter

An LDAP filter is a way of specifying a set of entries, based on the presence of a particular attribute or attribute value. You can use an LDAP filter in an access control rule. For example, the default access control rules include a filter specifying that users can add their own distinguished names to the member attribute of any entry that contains the attribute joinable with a value of TRUE. This allows users to add themselves to, or remove themselves from, distribution lists that are marked joinable.

The Admin Console includes a Filter Editor for building or modifying filters. To start the Filter Editor:

AdminConsole>SUN Directory Services>Create pulldown>Access Control>Selected Entries>LDAP Filter>Set

The Filter Editor dialog box is displayed, as shown in FIGURE 6-14.

FIGURE 6-14 Filter Editor Dialog Box

The Current Filter field shows the filter you are modifying, or the current state of the filter you are creating. To add an expression to a filter:

  1. Select the attribute from the list displayed.
  2. Type a value in the Value field.
  3. Select a match type from the pull-down menu.
  4. Click AND, OR, or NOT, to indicate how this expression is used in the filter.
  5. Click Add Expression to add the expression to the filter.
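The filters this section describes, both the default (joinable=TRUE) rule and the AND, OR and NOT combinations the Filter Editor builds from single expressions, as an added example. The code below is illustration, not Admin Console or Sun Directory Services code: it parses a filter in RFC 2254 syntax (the subset the editor produces: AND, OR, NOT, equality, presence, substring, and the >= and <= comparisons) and evaluates it against an in-memory entry, and it provides small builder functions that mirror the editor's expression/AND/OR/NOT steps. Assumptions: every attribute is compared case-insensitively and >= / <= compare as strings (a real server applies the matching rule from the schema). The entries OPEN_LIST, CLOSED_LIST and PERSON are constructed sample data.

```python
import re

# Added example, not Admin Console code. Entries are dicts mapping attribute
# name -> list of string values. Assumption: all comparisons are
# case-insensitive string comparisons (a server uses the schema matching rule).

_ATTR = re.compile(r"([A-Za-z][\w.;-]*)(>=|<=|=)")


def _unescape(value):
    """Decode RFC 2254 hex escapes such as \\2a (asterisk) or \\29 (')')."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _escape(value):
    """Escape the characters that may not appear literally in a filter value,
    so that a user-supplied value cannot turn into a wildcard or close the filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)


class Filter:
    def __init__(self, text):
        self.text, self.pos = text, 0
        self.ast = self._parse()
        if self.pos != len(text):
            raise ValueError(f"trailing data in filter: {text[self.pos:]!r}")

    def _expect(self, ch):
        if self.text[self.pos:self.pos + 1] != ch:
            raise ValueError(f"expected {ch!r} at offset {self.pos} in {self.text!r}")
        self.pos += 1

    def _parse(self):
        self._expect("(")
        ch = self.text[self.pos:self.pos + 1]
        if ch in ("&", "|"):                       # AND / OR over child filters
            self.pos += 1
            kids = []
            while self.text[self.pos:self.pos + 1] == "(":
                kids.append(self._parse())
            node = (ch, kids)
        elif ch == "!":                            # NOT of one child filter
            self.pos += 1
            node = ("!", self._parse())
        else:                                      # attr=value, attr>=value, attr<=value
            m = _ATTR.match(self.text, self.pos)
            if not m:
                raise ValueError(f"bad filter item at offset {self.pos} in {self.text!r}")
            end = self.text.find(")", m.end())
            if end < 0:
                raise ValueError(f"unterminated filter item in {self.text!r}")
            node = (m.group(2), m.group(1).lower(), self.text[m.end():end])
            self.pos = end
        self._expect(")")
        return node

    def matches(self, entry):
        folded = {k.lower(): [v.lower() for v in vs] for k, vs in entry.items()}
        return self._eval(self.ast, folded)

    def _eval(self, node, entry):
        op = node[0]
        if op == "&":
            return all(self._eval(k, entry) for k in node[1])
        if op == "|":
            return any(self._eval(k, entry) for k in node[1])
        if op == "!":
            return not self._eval(node[1], entry)
        _, attr, raw = node
        values = entry.get(attr, [])
        if op == "=" and raw == "*":               # presence test
            return bool(values)
        if op == "=" and "*" in raw:               # substring: split on unescaped '*'
            pat = ".*".join(re.escape(_unescape(p).lower()) for p in raw.split("*"))
            return any(re.fullmatch(pat, v) for v in values)
        want = _unescape(raw).lower()
        if op == "=":
            return want in values
        if op == ">=":
            return any(v >= want for v in values)
        return any(v <= want for v in values)


def is_valid_filter(text):
    try:
        Filter(text)
        return True
    except ValueError:
        return False


# Builders mirroring the Filter Editor: one expression, then AND / OR / NOT.
def eq(attr, value):
    return f"({attr}={_escape(value)})"


def and_(*filters):
    return "(&" + "".join(filters) + ")"


def or_(*filters):
    return "(|" + "".join(filters) + ")"


def not_(filter_):
    return f"(!{filter_})"


# Constructed sample entries.
OPEN_LIST = {"objectClass": ["groupOfNames"], "cn": ["announce"], "joinable": ["TRUE"], "member": []}
CLOSED_LIST = {"objectClass": ["groupOfNames"], "cn": ["board"], "joinable": ["FALSE"],
               "member": ["cn=Joe Smith, o=XYZ, c=US"]}
PERSON = {"objectClass": ["person"], "cn": ["Joe Smith"], "sn": ["Smith"]}


def self_subscribe_allowed(entry):
    """The default rule described above: a user may add or remove their own DN
    in the member attribute of any entry that matches (joinable=TRUE)."""
    return Filter("(joinable=TRUE)").matches(entry)
```

The escaping in eq() is the part to keep in mind when a filter value comes from a user rather than from the administrator: an unescaped asterisk turns an equality test into a substring test, and an unescaped parenthesis changes the structure of the filter.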



Copyright © 1999 Sun Microsystems, Inc. All Rights Reserved.