Page created: 6 Nov 2019 | Page updated: 25 Mar 2020
keyword [ = || != ] expression;
Multiple bind rules can be combined using Boolean operations (AND, OR, NOT) for more access control precision. The standard Boolean rules for evaluation apply: innermost parentheses are evaluated before outer ones, expressions are evaluated left to right, and NOT is applied before AND or OR. For example, an ACI that includes the following bind rule targets all users who are not uid=admin,dc=example,dc=com and who use simple authentication.
(userdn!="ldap:///uid=admin,dc=example,dc=com" and authmethod="simple");
The following bind rule targets uid=admin,dc=example,dc=com when that user authenticates using SASL EXTERNAL or accesses the server from the loopback interface.
(userdn="ldap:///uid=admin,dc=example,dc=com" and (authmethod="SSL" or ip="127.0.0.1"));
The following keywords are supported for use in the bind rule portion of ACIs:
Bind Rule Keyword | Description |
---|---|
authmethod | Indicates that the requester’s authentication method should be taken into account when determining whether the access control rule should apply to an operation. Wildcards are not allowed in this expression. The keyword’s syntax is as follows: authmethod = method, where method is one of the following representations:
The following example allows users who authenticate with an SSL/TLS certificate (for example, via SASL EXTERNAL) to update their own entries:
aci: (targetattr="*") (version 3.0; acl "Allow users to update their own entries"; allow (write) (userdn="ldap:///self" and authmethod="ssl");) |
dayofweek | Indicates that the day of the week should be taken into account when determining whether the access control rule should apply to an operation. Wildcards are not allowed in this expression. Multiple day-of-week values may be separated by commas. The keyword’s syntax is as follows: dayofweek = day1, day2, ..., where day is one of the following representations:
The following example allows users who authenticate with an SSL/TLS certificate (for example, via SASL EXTERNAL) on weekdays to update their own entries:
aci: (targetattr="*") (version 3.0; acl "Allow users to update their own entries"; allow (write) (dayofweek!="sun,sat" and userdn="ldap:///self" and authmethod="ssl");) |
dns | Indicates that the requester’s DNS-resolvable host name should be taken into account when determining whether the access control rule should apply to an operation. Wildcards are allowed in this expression. Multiple DNS patterns may be separated by commas. The keyword’s syntax is as follows: dns = dns-host-name
The following example allows users on host name server.example.com to update their own entries:
aci: (targetattr="*") (version 3.0; acl "Allow users to update their own entries"; allow (write) (dns="server.example.com" and userdn="ldap:///self");) |
groupdn | Indicates that the requester’s group membership should be taken into account when determining whether the access control rule should apply to an operation. Wildcards are not allowed in this expression. The keyword’s syntax is as follows: groupdn [ = || != ] "ldap:///groupdn [ || ldap:///groupdn ] ..."
The following example allows users in the managers group to update their own entries:
aci: (targetattr="*") (version 3.0; acl "Allow users to update their own entries"; allow (write) (groupdn="ldap:///cn=managers,ou=groups,dc=example,dc=com");) |
ip | Indicates that the requester’s IP address should be taken into account when determining whether the access control rule should apply to an operation. Wildcards are allowed in this expression. Multiple IP address patterns may be separated by commas. The keyword’s syntax is as follows: ip [ = || != ] ipAddressList, where ipAddressList is one of the following representations:
The following example allows users on 10.130.10.2 and localhost to update their own entries:
aci: (targetattr="*") (version 3.0; acl "Allow users to update their own entries"; allow (write) (ip="10.130.10.2,127.0.0.1" and userdn="ldap:///self");) |
oauthscope | Indicates that the scopes associated with any OAuth 2.0 access token presented by a SCIMv2 client should be taken into account when determining whether the access control rule should apply to an operation. The keyword’s syntax is as follows: oauthscope [ = || != ] "scopeIdentifier", where scopeIdentifier is one of the following:
The following example will grant all rights to any client that presented an OAuth 2.0 token that is associated with the “scim_admin” scope:
aci: (targetattr="*") (version 3.0; acl "Full rights for users with the scim_admin OAuth 2.0 scope"; allow (all) oauthscope="scim_admin";) |
timeofday | Indicates that the time of day should be taken into account when determining whether the access control rule should apply to an operation. Wildcards are not allowed in this expression. The keyword’s syntax is as follows: timeofday [ = || != || >= || > || <= || < ] time, where time is one of the following representations:
The following example allows users to update their own entries if the request is received before 12 noon:
aci: (targetattr="*") (version 3.0; acl "Allow users who authenticate before noon to update their own entries"; allow (write) (timeofday<1200 and userdn="ldap:///self" and authmethod="simple");) |
userattr | Indicates that the requester’s relation to the value of the specified attribute should be taken into account when determining whether the access control rule should apply to an operation. A bindType value of USERDN indicates that the target attribute should have a value which matches the DN of the authenticated user. A bindType value of GROUPDN indicates that the target attribute should have a value which matches the DN of a group in which the authenticated user is a member. A bindType value of LDAPURL indicates that the target attribute should have a value that is an LDAP URL whose criteria matches the entry for the authenticated user. Any value other than USERDN, GROUPDN, or LDAPURL is expected to be present in the target attribute of the authenticated user’s entry. The keyword’s syntax is as follows: userattr = attrName#[ bindType || attrValue ], where:
The following example allows a manager to change employees' entries. If the bind DN is specified in the manager attribute of the targeted entry, the bind rule evaluates to TRUE.
aci: (targetattr="*") (version 3.0; acl "Allow a manager to change employee entries"; allow (write) userattr="manager#USERDN";)
The following example allows any member of a group to change employees' entries. If the bind DN is a member of the group specified in the allowEditors attribute of the targeted entry, the bind rule evaluates to TRUE.
aci: (targetattr="*") (version 3.0; acl "Allow allowEditors to change employee entries"; allow (write) userattr="allowEditors#GROUPDN";)
The following example allows a user's manager to edit that user's entry and any entries below the user's entry up to two levels deep. You can specify up to five levels (0, 1, 2, 3, 4) below the targeted entry, with zero (0) indicating the targeted entry.
aci: (targetattr="*") (version 3.0; acl "Allow managers to change employees entries two levels below"; allow (write) userattr="parent[0,1,2].manager#USERDN";)
The following example allows any member of the engineering department to update any other member of the engineering department at or below the specified ACI.
aci: (targetattr="*") (version 3.0; acl "Allow any member of Eng Dept to update any other member of the enginering department at or below the ACI"; allow (write) userattr="department#ENGINEERING";)
The following example allows an entry to be updated by any user whose entry matches the criteria defined in the LDAP URL contained in the allowedEditorCriteria attribute of the target entry.
aci: (targetattr="*") (version 3.0; acl "Allow a user that matches the filter to change entries"; allow (write) userattr="allowedEditorCriteria#LDAPURL";) |
userdn | Indicates that the user’s DN should be taken into account when determining whether the access control rule should apply to an operation. The keyword’s syntax is as follows: userdn [ = || != ] "ldap:///value [ || "ldap:///value ..."], where value is one of the following representations:
If the value provided is a DN, then that DN may include wildcard characters to define patterns. A single asterisk will match any content within the associated DN component, and two consecutive asterisks may be used to match zero or more DN components. The following example allows users to update their own entries:
aci: (targetattr="*") (version 3.0; acl "Allow users to update their own entries"; allow (write) userdn="ldap:///self";) |