Bind rules indicate whether an access control rule should apply to a given requester. The syntax for a bind rule keyword is shown below. The keyword specifies the type of bind element to evaluate (for example, the requester’s DN, authentication method, or IP address). The expression specifies the value or values that the requester is matched against. The operator is either equals ("=") or not-equals ("!="); the timeofday keyword additionally supports the ordering operators listed with that keyword. The semicolon delimiter (";") is required after the end of the final bind rule.
            
               keyword [ = || != ] expression;
         
Multiple bind rules can be combined using Boolean operators (AND, OR, NOT) for more access control precision. The standard Boolean evaluation order applies: innermost parentheses first, then expressions left to right, with NOT evaluated before AND or OR. Because AND and OR are otherwise evaluated left to right, use parentheses to make the intended grouping explicit whenever a rule mixes them. For example, an ACI that includes the following bind rule applies to all users who are not uid=admin,dc=example,dc=com and who bind using simple authentication.
(userdn!="ldap:///uid=admin,dc=example,dc=com" and authmethod="simple");

The following bind rule applies to uid=admin,dc=example,dc=com only when that user authenticates with an SSL/TLS client certificate (authmethod="ssl", for example via SASL EXTERNAL) or connects from the loopback interface. The authmethod and ip conditions are parenthesized so that the userdn condition applies to both alternatives.

(userdn="ldap:///uid=admin,dc=example,dc=com" and (authmethod="ssl" or ip="127.0.0.1"));
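To make the evaluation order concrete, the following Python is an added example (not code from this page or from the directory server it documents): a small parser that evaluates a compound bind rule against a constructed request context, following the order stated above (parentheses first, NOT before AND/OR, and AND and OR otherwise left to right). It models only the userdn (exact DN, anyone, all, self), authmethod and ip (exact address) keywords with the = and != operators; the context dictionary, make_ctx and the rule constants are assumptions of the example. It also shows what the second rule above turns into when its inner parentheses are dropped.

```python
import re

# A token is "(", ")", a Boolean operator, or an atom  keyword op value  with the
# value quoted ("...") or bare.  This example models only the = and != operators.
TOKEN = re.compile(
    r'\s*(?:(\()|(\))|(and|or|not)\b'
    r'|([a-z]+)\s*(!=|=)\s*(?:"([^"]*)"|([^\s()]+)))', re.IGNORECASE)

def tokenize(rule):
    rule, pos, tokens = rule.strip().rstrip(";"), 0, []
    while pos < len(rule):
        m = TOKEN.match(rule, pos)
        if m is None:
            raise ValueError(f"cannot parse bind rule at {rule[pos:]!r}")
        pos = m.end()
        if m.group(3):
            tokens.append((m.group(3).lower(), None))
        elif m.group(4):
            value = m.group(6) if m.group(6) is not None else m.group(7)
            tokens.append(("atom", (m.group(4).lower(), m.group(5), value)))
        else:
            tokens.append((m.group(1) or m.group(2), None))
    return tokens

def norm_dn(dn):
    # Assumption: no escaped commas; DNs compare case-insensitively, component-wise.
    return ",".join(c.strip().lower() for c in dn.split(","))

def evaluate_atom(keyword, op, value, ctx):
    """Evaluate one keyword expression against the request context dict."""
    bind_dn = ctx["userdn"]                      # None for an unauthenticated client
    if keyword == "userdn":                      # one exact DN, anyone, all or self
        target = (value[8:] if value.lower().startswith("ldap:///") else value).lower()
        if target == "anyone":
            hit = True
        elif target == "all":
            hit = bind_dn is not None
        else:
            want = ctx["targetdn"] if target == "self" else target
            hit = bind_dn is not None and norm_dn(bind_dn) == norm_dn(want)
    elif keyword == "authmethod":                # e.g. "simple", "ssl", "sasl EXTERNAL"
        hit = " ".join(value.lower().split()) == " ".join(ctx["authmethod"].lower().split())
    elif keyword == "ip":                        # exact addresses only in this example
        hit = ctx["ip"] in [v.strip() for v in value.split(",")]
    else:
        raise ValueError(f"keyword not modelled in this example: {keyword}")
    return hit if op == "=" else not hit

def bind_rule_matches(rule, ctx):
    """Parse and evaluate a complete bind rule (with or without the trailing ';')."""
    toks, i = tokenize(rule) + [("end", None)], 0

    def take():
        nonlocal i
        i += 1
        return toks[i - 1]

    def expr():  # AND and OR share one precedence level, evaluated left to right
        val = factor()
        while toks[i][0] in ("and", "or"):
            op, rhs = take()[0], factor()
            val = (val and rhs) if op == "and" else (val or rhs)
        return val

    def factor():  # NOT binds tighter than AND/OR; parentheses are evaluated first
        kind = toks[i][0]
        if kind == "not":
            take()
            return not factor()
        if kind == "(":
            take()
            val = expr()
            if take()[0] != ")":
                raise ValueError("missing closing parenthesis")
            return val
        if kind != "atom":
            raise ValueError(f"expected a keyword expression, found {kind!r}")
        return evaluate_atom(*take()[1], ctx)

    result = expr()
    if toks[i][0] != "end":
        raise ValueError("unexpected input after the bind rule")
    return bool(result)

def make_ctx(userdn, authmethod, ip, targetdn="uid=jdoe,ou=people,dc=example,dc=com"):
    return {"userdn": userdn, "authmethod": authmethod, "ip": ip, "targetdn": targetdn}

RULE_NOT_ADMIN_SIMPLE = '(userdn!="ldap:///uid=admin,dc=example,dc=com" and authmethod="simple");'
RULE_ADMIN_CERT_OR_LOOPBACK = ('(userdn="ldap:///uid=admin,dc=example,dc=com" '
                               'and (authmethod="ssl" or ip="127.0.0.1"));')
# The same atoms without the inner parentheses read, left to right, as
# "(admin and ssl) or loopback", so any loopback client matches.
RULE_MISSING_PARENS = ('userdn="ldap:///uid=admin,dc=example,dc=com" '
                       'and authmethod="ssl" or ip="127.0.0.1";')
```

Evaluating RULE_ADMIN_CERT_OR_LOOPBACK for a non-admin client on 127.0.0.1 returns False, while RULE_MISSING_PARENS returns True for the same client: with equal-precedence, left-to-right AND/OR, the dropped parentheses silently widen the rule to every loopback client, which is the practical reason to parenthesize any rule that mixes the two operators.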

The following keywords are supported for use in the bind rule portion of ACIs. Each keyword is described below with its syntax and an example.

authmethod Indicates that the requester’s authentication method should be taken into account when determining whether the access control rule should apply to an operation. Wildcards are not allowed in this expression. The keyword’s syntax is as follows:
                                 authmethod  =  method
                              
where method is one of the following representations:
  • none
  • simple. Indicates that the client is authenticated to the server using a bind DN and password.
  • ssl. Indicates that the client is authenticated with an SSL/TLS certificate (e.g., via SASL EXTERNAL), and not just over a secure connection to the server.
  • sasl {sasl_mechanism}. Indicates that the client is authenticated to the server using a specified SASL Mechanism.
The following example allows users who authenticate with an SSL/TLS certificate (e.g., via SASL EXTERNAL) to update their own entries:
aci: (targetattr="*")
  (version 3.0; acl "Allow users to update their own entries"; 
   allow (write) (userdn="ldap:///self" and authmethod="ssl");)
dayofweek Indicates that the day of the week should be taken into account when determining whether the access control rule should apply to an operation. Wildcards are not allowed in this expression. Multiple day of week values may be separated by commas. The keyword’s syntax is as follows:
                                 dayofweek = day1, day2, ...
                              
where day is one of the following representations:
  • sun
  • mon
  • tues
  • wed
  • thu
  • fri
  • sat
The following example allows users who authenticate with an SSL/TLS certificate (e.g., via SASL EXTERNAL) on weekdays to update their own entries:
aci: (targetattr="*")
  (version 3.0; acl "Allow users to update their own entries"; 
   allow (write) (dayofweek!="sun,sat" and userdn="ldap:///self" 
   and authmethod="ssl");)
dns Indicates that the requester’s DNS-resolvable host name should be taken into account when determining whether the access control rule should apply to an operation. Wildcards are allowed in this expression. Multiple DNS patterns may be separated by commas. Because the host name is obtained by resolving the client’s address, this check is only as trustworthy as the DNS the server consults; where the intent is to restrict by network location, the ip keyword avoids that dependency. The keyword’s syntax is as follows:
                                 dns = dns-host-name
                              
The following example allows users on host name server.example.com to update their own entries:
aci: (targetattr="*")
  (version 3.0; acl "Allow users to update their own entries"; 
   allow (write) (dns="server.example.com" and userdn="ldap:///self");)
groupdn Indicates that the requester’s group membership should be taken into account when determining whether the access control rule should apply to an operation. Wildcards are not allowed in this expression. The keyword’s syntax is as follows:
                                 groupdn [ = || != ] "ldap:///groupdn [ || ldap:///groupdn ] ..."
                              
The following example allows members of the managers group to update the entries targeted by the ACI. Note that there is no userdn="ldap:///self" condition here, so the rule is not limited to each manager’s own entry:
aci: (targetattr="*")
  (version 3.0; acl "Allow managers to update targeted entries"; 
   allow (write)
   (groupdn="ldap:///cn=managers,ou=groups,dc=example,dc=com");)
ip Indicates that the requester’s IP address should be taken into account when determining whether the access control rule should apply to an operation. Wildcards are allowed in this expression. Multiple IP address patterns may be separated by commas. The keyword’s syntax is as follows:
                                 ip [ = || != ] ipAddressList
                              
where ipAddressList is one of the following representations:
  • A specific IPv4 address: 127.0.0.1
  • An IPv4 address with wildcards to specify a subnetwork: 127.0.0.*
  • An IPv4 address or subnetwork with subnetwork mask: 123.4.5.0+255.255.255.0
  • An IPv4 address range using CIDR notation: 123.4.5.0/24
  • An IPv6 address as defined by RFC 2373.
The following example allows users on 10.130.10.2 and localhost to update their own entries:
aci: (targetattr="*")
  (version 3.0; acl "Allow users to update their own entries"; 
   allow (write) (ip="10.130.10.2,127.0.0.1" and userdn="ldap:///self");)
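Below, as an added example that is not from this page or the server it documents, is a Python matcher for the address forms listed above, built on the standard ipaddress module. The function names, and the treatment of a wildcard pattern as an IPv4 address with exactly four octets, are assumptions of the example.

```python
import ipaddress


def ip_pattern_matches(pattern, addr):
    """True if addr (an IPv4 or IPv6 string) matches one ip-keyword pattern."""
    ip = ipaddress.ip_address(addr)
    pattern = pattern.strip()
    if "+" in pattern:                       # 123.4.5.0+255.255.255.0  (address + netmask)
        base, mask = pattern.split("+", 1)
        return ip in ipaddress.ip_network(f"{base}/{mask}", strict=False)
    if "/" in pattern:                       # 123.4.5.0/24  (CIDR)
        return ip in ipaddress.ip_network(pattern, strict=False)
    if "*" in pattern:                       # 127.0.0.*  (octet wildcards)
        octets = pattern.split(".")
        if ip.version != 4 or len(octets) != 4:
            return False                     # assumption: wildcard form is IPv4, four octets
        return all(p == "*" or p == o for p, o in zip(octets, str(ip).split(".")))
    return ip == ipaddress.ip_address(pattern)   # exact; canonicalises IPv6 spellings


def ip_rule_matches(op, value, addr):
    """Evaluate  ip = value  or  ip != value  where value is a comma-separated pattern list."""
    hit = any(ip_pattern_matches(p, addr) for p in value.split(","))
    if op == "=":
        return hit
    if op == "!=":
        return not hit
    raise ValueError(f"ip supports only = and !=, not {op}")
```

Two properties of this matcher are worth checking against a real deployment before relying on an address-based rule: an IPv4 client reported as an IPv4-mapped IPv6 address (::ffff:10.1.2.3) is treated as IPv6 here and matches none of the IPv4 forms, and the != operator negates the whole list, so `ip!="10.130.10.2,127.0.0.1"` admits every address outside both entries.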
timeofday Indicates that the time of day at the server should be taken into account when determining whether the access control rule should apply to an operation. Wildcards are not allowed in this expression. Unlike the other bind rule keywords, timeofday also accepts the ordering operators shown in its syntax:
timeofday [ = || != || >= || > || <= || < ] time
where time is a 4-digit, 24-hour value from 0000 to 2359 (the first two digits are the hour of the day and the last two the minute of the hour).
The following example allows users who bind with simple authentication to update their own entries if the request is received before 12:00 noon.
aci: (targetattr="*")
  (version 3.0; acl "Allow users who authenticate before noon 
    to update their own entries"; 
    allow (write) (timeofday<1200 and userdn="ldap:///self" 
    and authmethod="simple");)
userattr Indicates that the requester’s relation to the value of the specified attribute in the targeted entry should be taken into account when determining whether the access control rule should apply to an operation. A bindType value of USERDN indicates that the target attribute must have a value matching the DN of the authenticated user. A bindType value of GROUPDN indicates that the target attribute must have a value matching the DN of a group in which the authenticated user is a member. A bindType value of LDAPURL indicates that the target attribute must have a value that is an LDAP URL whose criteria match the entry of the authenticated user. Any value other than USERDN, GROUPDN, or LDAPURL is treated as a literal attribute value that must be present in the named attribute of both the authenticated user’s entry and the targeted entry. The keyword’s syntax is as follows:
userattr = attrName#[ bindType || attrValue ]
where:
  • attrName = name of the attribute for matching
  • bindType = USERDN, GROUPDN, or LDAPURL
  • attrValue = an attribute value. The attrValue must be present in the attribute on both the bind entry and the target of the ACI.
The following example allows a user’s manager to change that user’s entry. If the bind DN appears as a value of the manager attribute of the targeted entry, the bind rule evaluates to TRUE.
aci: (targetattr="*")
  (version 3.0; acl "Allow a manager to change employee entries"; 
   allow (write) userattr="manager#USERDN";)
The following example allows any member of a designated group to change an entry. If the bind DN is a member of the group named in the allowEditors attribute of the targeted entry, the bind rule evaluates to TRUE.
aci: (targetattr="*")
  (version 3.0; acl "Allow allowEditors to change employee entries"; 
   allow (write) userattr="allowEditors#GROUPDN";)
The following example allows a user's manager to edit that user's entry and any entries below the user's entry up to two levels deep. You can specify up to five levels (0, 1, 2, 3, 4) below the targeted entry, with zero (0) indicating the targeted entry.
aci: (targetattr="*")
  (version 3.0; acl "Allow managers to change employees entries two levels below"; 
    allow (write) userattr="parent[0,1,2].manager#USERDN";)
The following example allows any member of the engineering department to update any other member of the engineering department within the scope of the ACI. The literal value ENGINEERING must be present in the department attribute of both the bind entry and the targeted entry.
aci: (targetattr="*")
  (version 3.0; acl "Allow any member of Eng Dept to update any other member of the 
   engineering department at or below the ACI"; 
   allow (write) userattr="department#ENGINEERING";)
The following example allows an entry to be updated by any user whose entry matches the criteria defined in the LDAP URL contained in the allowedEditorCriteria attribute of the target entry.
aci: (targetattr="*")
  (version 3.0; acl "Allow a user that matches the filter to change entries"; 
   allow (write) userattr="allowedEditorCriteria#LDAPURL";)
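The following Python is an added example (not this page’s or the server’s code) that models the userattr forms above against a small constructed in-memory directory: USERDN, GROUPDN through a static member attribute, a literal attrValue that must be present on both the bind entry and the consulted entry, and parent[...] inheritance by consulting the ancestor of the accessed entry at each listed level. The directory contents, the member attribute used for group membership, and the case-insensitive value comparison are assumptions of the example; LDAPURL is not modelled.

```python
import re

# Constructed sample directory: DN -> {lower-cased attribute name: [values]}.
DIRECTORY = {
    "cn=editors,ou=groups,dc=example,dc=com": {
        "member": ["uid=alice,ou=people,dc=example,dc=com"]},
    "uid=alice,ou=people,dc=example,dc=com": {"department": ["ENGINEERING"]},
    "uid=carol,ou=people,dc=example,dc=com": {"department": ["SALES"]},
    "uid=bob,ou=people,dc=example,dc=com": {
        "manager": ["uid=alice,ou=people,dc=example,dc=com"],
        "alloweditors": ["cn=editors,ou=groups,dc=example,dc=com"],
        "department": ["ENGINEERING"]},
    "cn=laptop,uid=bob,ou=people,dc=example,dc=com": {},                 # 1 level below bob
    "cn=tpm,cn=laptop,uid=bob,ou=people,dc=example,dc=com": {},          # 2 levels below bob
    "cn=pcr0,cn=tpm,cn=laptop,uid=bob,ou=people,dc=example,dc=com": {},  # 3 levels below bob
}
# [parent[levels].]attrName#bindType
USERATTR = re.compile(r"^(?:parent\[([\d\s,]+)\]\.)?([A-Za-z][\w-]*)#(.+)$")


def norm_dn(dn):
    # Assumption: no escaped commas; DNs compare case-insensitively, component-wise.
    return ",".join(c.strip().lower() for c in dn.split(","))


def ancestor(dn, levels):
    """DN of the entry `levels` above dn (0 is dn itself), or None above the root."""
    parts = [c.strip() for c in dn.split(",")]
    return None if levels >= len(parts) else ",".join(parts[levels:])


def values_of(directory, dn, attr):
    return directory.get(norm_dn(dn), {}).get(attr.lower(), [])


def is_member(directory, group_dn, user_dn):
    # Static membership through a "member" attribute (an assumption of this example).
    return any(norm_dn(m) == norm_dn(user_dn) for m in values_of(directory, group_dn, "member"))


def userattr_matches(spec, bind_dn, target_dn, directory=DIRECTORY):
    """Evaluate userattr="[parent[levels].]attr#bindType" for bind_dn acting on target_dn."""
    m = USERATTR.match(spec)
    if m is None:
        raise ValueError(f"bad userattr expression: {spec!r}")
    levels = [int(x) for x in m.group(1).split(",")] if m.group(1) else [0]
    if any(level not in range(5) for level in levels):
        raise ValueError("parent[] accepts levels 0 through 4")
    attr, bind_type = m.group(2), m.group(3)
    for level in levels:
        entry_dn = ancestor(target_dn, level)   # entry whose attribute is consulted
        if entry_dn is None:
            continue
        values = values_of(directory, entry_dn, attr)
        if bind_type.upper() == "USERDN":
            hit = any(norm_dn(v) == norm_dn(bind_dn) for v in values)
        elif bind_type.upper() == "GROUPDN":
            hit = any(is_member(directory, v, bind_dn) for v in values)
        elif bind_type.upper() == "LDAPURL":
            raise NotImplementedError("LDAP URL criteria are not modelled in this example")
        else:  # literal value: required on BOTH the consulted entry and the bind entry
            wanted = bind_type.lower()          # assumption: case-insensitive value match
            hit = (wanted in (v.lower() for v in values)
                   and wanted in (v.lower() for v in values_of(directory, bind_dn, attr)))
        if hit:
            return True
    return False
```

With this model, "parent[0,1,2].manager#USERDN" lets alice (bob’s manager) write bob’s entry and entries one and two levels beneath it, but not the entry three levels down, because none of the entries consulted at levels 0 to 2 above that entry carries a manager value. The same walk is what makes a badly chosen level list risky: every entry whose ancestor at one of the listed depths names the requester becomes writable.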
userdn Indicates that the requester’s bind DN should be taken into account when determining whether the access control rule should apply to an operation. The keyword’s syntax is as follows:
userdn [ = || != ] "ldap:///value [ || ldap:///value ... ]"
where value is one of the following representations:
  • The DN of the target user
  • A value of anyone to match any client, including unauthenticated clients.
  • A value of all to match any authenticated client.
  • A value of parent to match the client authenticated as the user defined in the immediate parent of the target entry.
  • A value of self to match the client authenticated as the user defined in the target entry.

If the value provided is a DN, then that DN may include wildcard characters to define patterns. A single asterisk will match any content within the associated DN component, and two consecutive asterisks may be used to match zero or more DN components.

The following example allows users to update their own entries:
aci: (targetattr="*")
  (version 3.0; acl "Allow users to update their own entries"; 
    allow (write) userdn="ldap:///self";)
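The wildcard semantics described above can be made precise by compiling a userdn pattern into a regular expression over DN components. The following Python is an added example, not code from this page or the server it documents; it assumes DNs without escaped commas, compares components case-insensitively, and handles only DN patterns (including the || list form), not the anyone, all, parent or self values.

```python
import re


def dn_components(dn):
    # Assumption: no escaped commas in DNs; components compare case-insensitively.
    return [c.strip().lower() for c in dn.strip().split(",")]


def userdn_pattern_regex(pattern):
    """Compile a DN pattern: '*' matches within one component, '**' zero or more components."""
    parts = []
    for comp in dn_components(pattern):
        if comp == "**":
            parts.append(r"(?:[^,]*,)*")
        else:  # escape everything else so '.', '+', '(' inside a DN stay literal
            parts.append("".join("[^,]*" if ch == "*" else re.escape(ch) for ch in comp) + ",")
    return re.compile("^" + "".join(parts) + "$")


def userdn_matches(op, value, bind_dn):
    """Evaluate  userdn = "ldap:///pattern [|| ldap:///pattern ...]"  (or !=) for a bound DN."""
    subject = ",".join(dn_components(bind_dn)) + ","   # trailing comma terminates each component
    hit = False
    for target in value.split("||"):
        target = target.strip()
        if not target.lower().startswith("ldap:///"):
            raise ValueError(f"expected an LDAP URL, got {target!r}")
        if userdn_pattern_regex(target[len("ldap:///"):]).match(subject):
            hit = True
            break
    if op not in ("=", "!="):
        raise ValueError(f"userdn supports only = and !=, not {op}")
    return hit if op == "=" else not hit
```

The distinction that matters in practice is that a single asterisk never crosses a comma: `ldap:///uid=*,ou=people,dc=example,dc=com` does not match `uid=jdoe,ou=contractors,ou=people,dc=example,dc=com`, whereas `ldap:///uid=*,**,dc=example,dc=com` matches any uid entry anywhere under the suffix, so the latter is the form to double-check before granting write access with it.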