The target keyword indicates that the ACI should apply to one or more entries at or below the specified distinguished name (DN). The target DN must be equal or subordinate to the DN of the entry in which the ACI is placed. For example, if you place the ACI at the root of ou=People,dc=example,dc=com, you can target the DN, uid=user.1,ou=People,dc=example,dc=com within your ACI rule. The DN must meet the string representation specification of distinguished names, outlined in RFC 4514, and requires that special characters be properly escaped.

The target clause has the following format, where DN is the distinguished name of the entry or branch:

(target = ldap:///

For example, to target a specific entry, you would use a clause such as the following:

(target = ldap:///uid=john.doe,ou=People,dc=example,dc=com)

Note that, in general, specifying a target DN is not recommended. It is better to have the ACI defined in that entry and omit the target element altogether. For example, although you can have (target="ldap:///uid=john.doe,ou=People,dc=example,dc=com) in any of the dc=example,dc=com or ou=People entries, it is better for it to be defined in the uid=john.doe entry and not explicitly include the target element.

The expression allows for the "not equal" (!=) operator to indicate that all entries within the scope of the given branch that do NOT match the expression be targeted for the ACI. Thus, the following expression targets all entries within the subtree that do not match uid=john.doe.

(target != ldap:///uid=john.doe,ou=People,dc=example,dc=com)

The target keyword also supports the use of asterisk (*) characters as wildcards to match elements within the distinguished name. The following target expression matches all entries that contains and begins with "john.d, " so that entries like "john.doe,ou=People,dc=example,dc=com," and "john.davies,ou=People,dc=example,dc=com" would match.

(target = ldap:///uid=john.d*,ou=People,dc=example,dc=com)

The following target expression matches all entries whose DN begins with "john.d," and matches the ou attribute. Entries like "john.doe,ou=People,dc=example,dc=com," and "john.davies,ou=asia-branch,dc=example,dc=com" would match.

(target = ldap:///uid=john.d*,ou=*,dc=example,dc=com)

Another example of a complete ACI targets the entries in the ou=People,dc=example,dc=com branch and the entries below it, and grants the users the privilege to modify all of their user attributes within their own entries.

  (version 3.0; acl "Allow all the ou=People branch to modify their own entries"; 
  allow (write) userdn="ldap:///self";)