targetscope keyword to restrict the scope of an access control rule (ACR).
ACIs use a subtree scope by default: they apply to the target entry and to all entries below it, where the target entry is either the entry named in the target clause of the ACI or, if the ACI has no target clause, the entry in which the ACI is defined. To restrict the set of entries to which an ACR applies, add the targetscope element to the ACR.
The following targetscope keyword values are allowed:
- base: Indicates that the ACR applies only to the target entry and not to any of its subordinates.
- onelevel: Indicates that the ACR applies only to entries that are immediate children of the target entry, and not to the target entry itself nor to any subordinates of those immediate children.
- subtree: Indicates that the ACR applies to the target entry and all of its subordinates. This is the default behavior if no targetscope value is specified.
- subordinate: Indicates that the ACR applies to all entries below the target entry, but not to the target entry itself.
The following ACI allows all users to view the operational attributes present in the root DSA-specific entry (DSE). In this example, targetscope is set to base so that users can read those attributes only in the root DSE itself, and not in any entry below it:
aci: (target="ldap:///")(targetscope="base")(targetattr="supportedControl||supportedExtension||supportedFeatures||supportedSASLMechanisms||vendorName||vendorVersion")(version 3.0; acl "Allow users to view Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone")
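The following is an added example, not code from the page or from any directory server, that applies the four targetscope values to DNs so you can check which entries an ACR like the one above reaches. The DN handling is a deliberate simplification (comma-separated RDNs, no escaped commas, case-insensitive comparison), and the target clause "ldap:///" is taken to name the root DSE, whose DN is the empty string.

```python
# Added example: decide whether an entry DN falls within the targetscope of an ACR.
# Simplification (assumption): DNs are plain comma-separated RDNs with no escaping.

def _rdns(dn):
    """Split a DN into lowercased RDNs, most specific first; the root DSE ("") is []."""
    dn = dn.strip()
    if not dn:
        return []
    return [rdn.strip().lower() for rdn in dn.split(",")]

def _is_under(entry, target):
    """True if entry lies strictly below target (entry's RDN list ends with target's)."""
    if len(entry) <= len(target):
        return False
    return not target or entry[-len(target):] == target

def in_scope(targetscope, target_dn, entry_dn):
    """Apply one targetscope value to a target DN and a candidate entry DN."""
    target = _rdns(target_dn)
    entry = _rdns(entry_dn)
    if targetscope == "base":          # target entry only
        return entry == target
    if targetscope == "onelevel":      # immediate children only, not the target
        return _is_under(entry, target) and len(entry) == len(target) + 1
    if targetscope == "subtree":       # target entry and everything below it (default)
        return entry == target or _is_under(entry, target)
    if targetscope == "subordinate":   # everything below the target, not the target
        return _is_under(entry, target)
    raise ValueError(f"unknown targetscope: {targetscope!r}")

def dn_from_target(target):
    """Strip the ldap:/// prefix from a target clause value to get its DN."""
    prefix = "ldap:///"
    if not target.startswith(prefix):
        raise ValueError("target must be an ldap:/// URL")
    return target[len(prefix):]

def entries_matched(targetscope, target, candidates):
    """Return the candidate DNs the ACR reaches; used here with the page's root DSE ACI."""
    target_dn = dn_from_target(target)
    return [dn for dn in candidates if in_scope(targetscope, target_dn, dn)]

if __name__ == "__main__":
    # Constructed sample entries: the root DSE plus a few ordinary entries.
    sample = ["", "dc=example,dc=com", "ou=People,dc=example,dc=com"]
    print(entries_matched("base", "ldap:///", sample))      # only the root DSE ("")
    print(entries_matched("subtree", "ldap:///", sample))   # every entry
```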