The target keyword indicates that the ACI should apply to one or more entries at or below the specified distinguished name (DN). The target DN must be equal to or subordinate to the DN of the entry in which the ACI is placed. For example, if you place the ACI at the root of ou=People,dc=example,dc=com, you can target the DN uid=user.1,ou=People,dc=example,dc=com within your ACI rule. The DN must meet the string representation specification of distinguished names outlined in RFC 4514, which requires that special characters be properly escaped.
The target clause has the following format, where DN is the distinguished name of the entry or branch:
(target = ldap:///DN)
For example, to target a specific entry, you would use a clause such as the following:
(target = ldap:///uid=john.doe,ou=People,dc=example,dc=com)
Note that, in general, specifying a target DN is not recommended. It is better to define the ACI in that entry and omit the target element altogether. For example, although you can place
(target="ldap:///uid=john.doe,ou=People,dc=example,dc=com")
in any of the dc=example,dc=com or ou=People entries, it is better to define it in the uid=john.doe entry itself and not explicitly include the target element.
The expression allows the "not equal" (!=) operator to indicate that all entries within the scope of the given branch that do NOT match the expression are targeted by the ACI. Thus, the following expression targets all entries within the subtree that do not match uid=john.doe:
(target != ldap:///uid=john.doe,ou=People,dc=example,dc=com)
The target keyword also supports the use of asterisk (*) characters as wildcards to match elements within the distinguished name. The following target expression matches all entries whose uid begins with "john.d", so that entries like "uid=john.doe,ou=People,dc=example,dc=com" and "uid=john.davies,ou=People,dc=example,dc=com" would match:
(target = ldap:///uid=john.d*,ou=People,dc=example,dc=com)
The following target expression matches all entries whose uid begins with "john.d" and whose ou attribute has any value. Entries like "uid=john.doe,ou=People,dc=example,dc=com" and "uid=john.davies,ou=asia-branch,dc=example,dc=com" would match:
(target = ldap:///uid=john.d*,ou=*,dc=example,dc=com)
Another example of a complete ACI targets the entries in the ou=People,dc=example,dc=com branch and the entries below it, and grants the users the privilege to modify all of their user attributes within their own entries.
aci:(target="ldap:///ou=People,dc=example,dc=com") (targetattr="*") (version 3.0; acl "Allow all the ou=People branch to modify their own entries"; allow (write) userdn="ldap:///self";)
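As an added example (not part of this documentation or of any directory server's code), the following Python checker evaluates a target clause the way the rules above describe: it handles the = and != operators, the * wildcard within RDN values, the "entry or anything below it" scope of a target DN, and the requirement that the target DN be equal to or subordinate to the entry holding the ACI. It is a simplified model: RDNs are compared case-insensitively as whole strings and only the RFC 4514 comma escape is handled.

```python
import re

# Matches '(target = ldap:///DN)' or '(target != "ldap:///DN")'; quotes and spaces optional.
_TARGET_RE = re.compile(r'\s*\(\s*target\s*(!?=)\s*"?\s*ldap:///([^")]+?)"?\s*\)\s*')


def parse_target(clause):
    """Return (negated, dn_pattern) for a target clause, or raise ValueError."""
    m = _TARGET_RE.fullmatch(clause)
    if not m:
        raise ValueError("not a target clause: %r" % clause)
    return m.group(1) == "!=", m.group(2).strip()


def split_rdns(dn):
    """Split a DN on unescaped commas (RFC 4514 '\\,' escape) into lowercased RDN strings.
    Lowercasing the whole RDN is a simplification: real servers use each attribute's matching rule."""
    return [r.strip().lower() for r in re.split(r'(?<!\\),', dn)]


def rdn_matches(pattern_rdn, rdn):
    """Match one RDN against a pattern RDN in which '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern_rdn.split("*"))
    return re.fullmatch(regex, rdn) is not None


def _suffix_matches(pattern_rdns, dn_rdns):
    """True if the trailing RDNs of dn_rdns match pattern_rdns element by element."""
    n = len(pattern_rdns)
    return len(dn_rdns) >= n and all(
        rdn_matches(p, d) for p, d in zip(pattern_rdns, dn_rdns[len(dn_rdns) - n:]))


def target_matches(clause, entry_dn):
    """Does entry_dn fall under the target clause? A target DN covers the entry itself
    and everything below it; '!=' inverts the result for entries in the ACI's scope."""
    negated, pattern = parse_target(clause)
    matched = _suffix_matches(split_rdns(pattern), split_rdns(entry_dn))
    return matched != negated


def target_in_scope(clause, aci_entry_dn):
    """Placement check: the target DN must be equal to or subordinate to the entry
    that holds the ACI, otherwise the clause can never select anything."""
    _, pattern = parse_target(clause)
    p, base = split_rdns(pattern), split_rdns(aci_entry_dn)
    return len(p) >= len(base) and all(
        rdn_matches(pr, br) for pr, br in zip(p[len(p) - len(base):], base))
```

Running target_in_scope against the entry where you intend to place an ACI, and target_matches against a handful of real DNs, is a cheap way to catch a clause that silently selects nothing or selects more than intended before it reaches a production server.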