The Directory Server supports the use of parameterized ACIs to control access to subtrees that share a homogeneous administrative group or user pattern, which is useful in multi-tenant deployments. A single parameterized ACI can take the place of specifying an identical ACI on each tenant's subtree. For example, the following parameterized ACI:
(target="ldap:///o=($1),dc=example,dc=com")(version 3.0; acl \
"Subtree Admin Group members may search for and read entries in their subtree."; allow \
(search, read) groupdn="ldap:///cn=Subtree Admin Group,ou=groups,o=($1),dc=example,dc=com";)
allows:
- Members of the group with DN "cn=Subtree Admin Group,ou=groups,o=Customers,dc=example,dc=com" to search for and read entries in the "o=Customers,dc=example,dc=com" subtree.
- Members of the group with DN "cn=Subtree Admin Group,ou=groups,o=Partners,dc=example,dc=com" to search for and read entries in the "o=Partners,dc=example,dc=com" subtree.
The same access is granted for any value substituted for the ($1) parameter variable. If an operation tried to read the uid=user.1,o=acme,dc=example,dc=com entry, this ACI would be considered, and it would allow the read if the requesting user is a member of the cn=Subtree Admin Group,ou=groups,o=acme,dc=example,dc=com group.
A parameter variable is written as:
- an open parenthesis
- a dollar sign
- a positive integer
- a closing parenthesis
For example, in the parameterized target
"population=($2),ou=Populations,environment=($1),ou=Environments,o=Acme"
the ($2) variable is the population ID in the DN of the target entry, and ($1) is the environment ID in the DN of the target entry. Those values from the target entry's DN are then substituted into the group DN or user DN value.
Parameter variables present in a parameterized ACI's target are associated with the actual values from the resource DN. Each actual value is substituted for its respective parameter variable in the ACI's target and in the group bind rule DNs when performing access control on the resource entry. Parameter variables can be used in multiple RDNs of a parameterized target. A given RDN may have at most one parameter variable as its attribute value, and a given parameter variable may appear only once in the parameterized target.
Examples of valid parameterized targets:
- ou=($1),dc=example,dc=com
- population=($2),ou=Populations,environment=($1),ou=Environments,o=Acme
- o=($1) (for a global ACI)
Parameterized targets are subject to these restrictions:
- They may not be pattern ACIs. That is, they may not contain wildcards ('*').
- RDNs that are parameterized must be single-valued. For example, a parameterized RDN may not consist of two or more type-value pairs joined by '+'.
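The following Python model, added here as an illustration and not the Directory Server's own access-control code, shows how the matching and substitution described above plays out: the parameterized target is validated against the restrictions just listed, the resource DN is matched RDN by RDN from the suffix end so that ($1) and ($2) are bound to the actual values in the entry's DN, those bindings are substituted into the groupdn bind rule, and the requester's group membership is checked against the substituted DN. DN parsing is deliberately simplified (split on unescaped commas, case-insensitive string comparison rather than RFC 4514 normalization), the dict shape used for the ACI is constructed for this example, and the evaluate function and its helpers are assumptions of this example rather than server APIs.

```python
import re

# A parameter variable is an open parenthesis, a dollar sign, a positive
# integer and a closing parenthesis, used as the whole value of one RDN.
PARAM_RE = re.compile(r"^\(\$([1-9]\d*)\)$")


def strip_ldap_url(value: str) -> str:
    """Drop the ldap:/// prefix that ACI target and groupdn values carry."""
    return value[len("ldap:///"):] if value.startswith("ldap:///") else value


def split_dn(dn: str) -> list:
    """Split a DN into RDN strings on unescaped commas, trimming whitespace.
    Simplified parsing for illustration; a server normalizes DNs per RFC 4514."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped or ch == "\\":
            cur.append(ch)
            escaped = not escaped        # the char after a backslash is literal
        elif ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip())
    return rdns


def split_rdn(rdn: str) -> tuple:
    """Split 'type=value' into (lower-cased attribute type, value)."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower(), value.strip()


def validate_parameterized_target(target: str) -> dict:
    """Enforce the restrictions on a parameterized target; return {variable: attribute type}.
    Raises ValueError for a wildcard, a multi-valued parameterized RDN, or a reused variable."""
    target = strip_ldap_url(target)
    if "*" in target:
        raise ValueError("parameterized targets may not contain wildcards")
    variables = {}
    for rdn in split_dn(target):
        if "+" in rdn and "($" in rdn:
            raise ValueError(f"parameterized RDN must be single-valued: {rdn}")
        attr, value = split_rdn(rdn)
        if PARAM_RE.match(value):
            if value in variables:
                raise ValueError(f"{value} appears more than once in the target")
            variables[value] = attr
    return variables


def is_valid_parameterized_target(target: str) -> bool:
    """Boolean wrapper around validate_parameterized_target."""
    try:
        validate_parameterized_target(target)
        return True
    except ValueError:
        return False


def bind_parameters(target: str, resource_dn: str):
    """Return {variable: actual value} if resource_dn is at or below the target, else None.
    RDNs are compared from the suffix (right-hand) end, as subtree matching requires."""
    validate_parameterized_target(target)
    t_rdns = split_dn(strip_ldap_url(target))
    r_rdns = split_dn(resource_dn)
    if len(r_rdns) < len(t_rdns):
        return None
    bindings = {}
    for t_rdn, r_rdn in zip(reversed(t_rdns), reversed(r_rdns)):
        t_attr, t_val = split_rdn(t_rdn)
        r_attr, r_val = split_rdn(r_rdn)
        if t_attr != r_attr:
            return None
        if PARAM_RE.match(t_val):
            bindings[t_val] = r_val          # actual value comes from the resource DN
        elif t_val.lower() != r_val.lower():
            return None
    return bindings


def substitute(dn_pattern: str, bindings: dict) -> str:
    """Replace each ($n) in a group or user DN with its bound value."""
    def repl(match):
        var = match.group(0)
        if var not in bindings:
            raise ValueError(f"unbound parameter variable {var}")
        return bindings[var]
    return re.sub(r"\(\$[1-9]\d*\)", repl, strip_ldap_url(dn_pattern))


def evaluate(aci: dict, resource_dn: str, requested: set, user_groups: set) -> bool:
    """Apply one parameterized 'allow' ACI (constructed dict shape, not the server's own):
    the target must cover the resource, every requested right must be allowed, and the
    requester must belong to the group named by the substituted groupdn."""
    bindings = bind_parameters(aci["target"], resource_dn)
    if bindings is None or not requested <= aci["allow"]:
        return False
    group_dn = substitute(aci["groupdn"], bindings)
    return group_dn.lower() in {g.lower() for g in user_groups}


# The Subtree Admin Group ACI from above, restated in the dict shape used here.
SUBTREE_ADMIN_ACI = {
    "target": "ldap:///o=($1),dc=example,dc=com",
    "allow": {"search", "read"},
    "groupdn": "ldap:///cn=Subtree Admin Group,ou=groups,o=($1),dc=example,dc=com",
}
```

Evaluating a read of uid=user.1,o=acme,dc=example,dc=com binds ($1) to acme, so only members of the o=acme admin group are granted access; a member of the o=Customers admin group is refused for the same entry, which is the tenant isolation the parameterized ACI is meant to provide.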