The targetscope keyword is used to restrict the scope of an access control rule. By default, ACIs use a subtree scope, which means that they are applied to the target entry (either as defined by the target clause of the ACI, or the entry in which the ACI is defined if it does not include a target) and all entries below it. However, adding the targetscope element to an access control rule can restrict the set of entries to which it applies.

The following targetscope keyword values are allowed:

- base. Indicates that the access control rule should apply only to the target entry and not to any of its subordinates.
- onelevel. Indicates that the access control rule should apply only to entries that are the immediate children of the target entry, and not to the target entry itself nor to any subordinates of those immediate children.
- subtree. Indicates that the access control rule should apply to the target entry and all of its subordinates. This is the default behavior if no targetscope is specified.
- subordinate. Indicates that the access control rule should apply to all entries below the target entry but not to the target entry itself.
The following ACI allows all users to view the operational attributes (supportedControl, supportedExtension, supportedFeatures, supportedSASLMechanisms, vendorName, and vendorVersion) present in the root DSE entry. The targetscope is base, so users can view those attributes only in the root DSE entry itself and not in any entry below it.

aci: (target="ldap:///")(targetscope="base")(targetattr="supportedControl||supportedExtension||supportedFeatures||supportedSASLMechanisms||vendorName||vendorVersion")(version 3.0; acl "Allow users to view Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone")
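To make the four targetscope values concrete, the following is an added example (not the directory server's own code) that computes, for a given target DN and targetscope, whether a rule applies to a candidate entry DN, and then runs that check against the root DSE ACI above. It also shows why targetscope matters when reviewing an ACI: a rule with target="ldap:///" and the default subtree scope would cover every entry in the server, whereas base confines it to the root DSE. The ACI parsing is a minimal regex over the two clauses discussed here, not a full ACI grammar, and DN handling assumes no escaped commas inside RDN values; the People-container DNs are constructed sample data.

```python
"""Decide whether an ACI's targetscope covers a candidate entry DN.

Added example, not from any directory server's code base. Assumes simple DNs
(no escaped commas in RDN values) and compares RDNs case-insensitively after
trimming whitespace, a rough approximation of LDAP DN matching.
"""
import re
from typing import List, Optional, Tuple

# The ACI from the page (an empty DN after ldap:/// is the root DSE).
ROOT_DSE_ACI = (
    '(target="ldap:///")(targetscope="base")'
    '(targetattr="supportedControl||supportedExtension||supportedFeatures'
    '||supportedSASLMechanisms||vendorName||vendorVersion")'
    '(version 3.0; acl "Allow users to view Root DSE Operational Attributes"; '
    'allow (read,search,compare) userdn="ldap:///anyone")'
)


def split_dn(dn: str) -> List[str]:
    """Split a DN into normalized RDNs, leaf first. "" (root DSE) -> []."""
    dn = dn.strip()
    if not dn:
        return []
    parts = re.split(r"(?<!\\),", dn)  # commas not preceded by a backslash
    return [re.sub(r"\s*=\s*", "=", p.strip()).lower() for p in parts]


def scope_applies(target_dn: str, targetscope: str, entry_dn: str) -> bool:
    """True if an ACI targeting target_dn with targetscope covers entry_dn."""
    target = split_dn(target_dn)
    entry = split_dn(entry_dn)
    # The entry must end with the target's RDNs, i.e. lie at or under it.
    if len(entry) < len(target) or entry[len(entry) - len(target):] != target:
        return False
    depth = len(entry) - len(target)  # 0 = the target entry itself
    scope = targetscope.lower()
    if scope == "base":
        return depth == 0
    if scope == "onelevel":
        return depth == 1
    if scope == "subtree":
        return True
    if scope == "subordinate":
        return depth >= 1
    raise ValueError(f"unknown targetscope: {targetscope!r}")


def parse_aci_scope(aci: str) -> Tuple[Optional[str], str]:
    """Extract (target DN or None, targetscope) from an ACI string.

    A missing targetscope means subtree, the server default described above.
    """
    m_target = re.search(r'\(target="ldap:///([^"]*)"\)', aci)
    m_scope = re.search(r'\(targetscope="([^"]*)"\)', aci)
    target_dn = m_target.group(1) if m_target else None
    scope = m_scope.group(1) if m_scope else "subtree"
    return target_dn, scope


def aci_applies_to(aci: str, entry_dn: str, aci_entry_dn: str = "") -> bool:
    """Apply the ACI's target/targetscope to entry_dn.

    aci_entry_dn is the entry holding the ACI; it becomes the target when the
    ACI has no target clause.
    """
    target_dn, scope = parse_aci_scope(aci)
    if target_dn is None:
        target_dn = aci_entry_dn
    return scope_applies(target_dn, scope, entry_dn)


if __name__ == "__main__":
    # Constructed sample DNs for a People container.
    people = "ou=People,dc=example,dc=com"
    user = "uid=bjensen," + people
    for scope in ("base", "onelevel", "subtree", "subordinate"):
        print(scope, scope_applies(people, scope, people), scope_applies(people, scope, user))
    print("root DSE ACI covers root DSE:", aci_applies_to(ROOT_DSE_ACI, ""))
    print("root DSE ACI covers a user :", aci_applies_to(ROOT_DSE_ACI, user))
```

The check is split in two steps on purpose: first decide whether the entry sits under the target at all, then compare the depth against the scope. Reviewing an ACI this way makes the difference between subtree and base visible; removing the targetscope clause from the root DSE rule would make the parser fall back to subtree and report the user entry as covered as well.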