Use the targetscope keyword to restrict the scope of an access control rule (ACR).
ACIs use a subtree scope by default: an ACI applies to the target entry and to all entries below it. The target entry is the entry named by the ACI's target clause or, if the ACI has no target clause, the entry in which the ACI is defined. You can add the targetscope element to an ACR to restrict the set of entries to which it applies.
The following targetscope keyword values are allowed:
- base: Indicates that the ACR applies only to the target entry and not to any of its subordinates.
- onelevel: Indicates that the ACR applies only to entries that are immediate children of the target entry, and neither to the target entry itself nor to any subordinates of those immediate children.
- subtree: Indicates that the ACR applies to the target entry and all of its subordinates. This is the default behavior if no targetscope is specified.
- subordinate: Indicates that the ACR applies to all entries below the target entry, but not to the target entry itself.
The following ACI allows all users, including anonymous ones (userdn="ldap:///anyone"), to view these operational attributes of the root DSA-specific entry (DSE):
- supportedControl
- supportedExtension
- supportedFeatures
- supportedSASLMechanisms
- vendorName
- vendorVersion
In this example, targetscope is set to base so that users can view only those attributes of the root DSE itself. The target ldap:/// is the empty DN, and every entry in the directory is below it, so with the default subtree scope the same rule would apply to the whole DIT rather than to the root DSE alone. In the LDIF below, the lines that begin with a single space are continuation lines of the one aci value:

aci: (target="ldap:///")(targetscope="base")
 (targetattr="supportedControl||supportedExtension||supportedFeatures||supportedSASLMechanisms||vendorName||vendorVersion")
 (version 3.0; acl "Allow users to view Root DSE Operational Attributes";
 allow (read,search,compare) userdn="ldap:///anyone")
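The following Python script is an added worked example, not code from the directory server or its documentation. It models only the target and targetscope parts of ACI evaluation (targetattr, targetfilter, deny precedence and the rest are ignored) and checks each of the four scope values against a constructed four-entry DIT, including the root DSE ACI above with and without its targetscope clause. The function names, the sample DNs and the simplified DN handling (RDNs split on unescaped commas and compared case-insensitively; escaped commas and multi-valued RDNs are not supported) are assumptions of this example.

```python
"""Scope matcher for ACI targetscope values (base, onelevel, subtree, subordinate).

Added example for this page; it is not code from the directory server.
DN handling is deliberately simplified: RDNs are split on unescaped commas
and compared case-insensitively after trimming whitespace. Escaped commas
inside values and multi-valued RDNs are not supported.
"""
import re

SCOPES = ("base", "onelevel", "subtree", "subordinate")


def _rdns(dn):
    """Normalize a DN into a list of RDN strings, leftmost first.
    The empty DN (the root DSE) yields an empty list."""
    dn = dn.strip()
    if not dn:
        return []
    return [rdn.strip().lower() for rdn in re.split(r"(?<!\\),", dn)]


def depth_below(target_dn, entry_dn):
    """Return how many levels entry_dn sits below target_dn (0 = same entry),
    or None when entry_dn is outside target_dn's subtree.
    A DN's ancestors are its trailing RDNs, so the target must be a suffix."""
    target, entry = _rdns(target_dn), _rdns(entry_dn)
    if len(entry) < len(target):
        return None
    if entry[len(entry) - len(target):] != target:
        return None
    return len(entry) - len(target)


def scope_applies(targetscope, target_dn, entry_dn):
    """True when an ACR with the given targetscope and target applies to entry_dn."""
    if targetscope not in SCOPES:
        raise ValueError("unknown targetscope: %s" % targetscope)
    depth = depth_below(target_dn, entry_dn)
    if depth is None:
        return False
    if targetscope == "base":
        return depth == 0
    if targetscope == "onelevel":
        return depth == 1
    if targetscope == "subordinate":
        return depth >= 1
    return True  # subtree: the target entry and everything below it


def parse_target_and_scope(aci, defined_at):
    """Pull the target DN and targetscope out of an ACI value.
    - target="ldap:///DN": DN is the target; with no target clause the target is
      defined_at, the DN of the entry that holds the aci attribute.
    - no targetscope clause: subtree, the documented default."""
    m = re.search(r'\(target="ldap:///([^"]*)"\)', aci)
    target_dn = m.group(1) if m else defined_at
    m = re.search(r'\(targetscope="([^"]+)"\)', aci)
    targetscope = m.group(1).lower() if m else "subtree"
    return target_dn, targetscope


def entries_covered(aci, defined_at, candidate_dns):
    """Return the DNs from candidate_dns that the ACI's target/targetscope reach."""
    target_dn, targetscope = parse_target_and_scope(aci, defined_at)
    return [dn for dn in candidate_dns if scope_applies(targetscope, target_dn, dn)]


# The page's root DSE rule, and the same rule with the targetscope clause dropped.
ROOT_DSE_ACI = (
    '(target="ldap:///")(targetscope="base")'
    '(targetattr="supportedControl||supportedExtension||supportedFeatures||'
    'supportedSASLMechanisms||vendorName||vendorVersion")'
    '(version 3.0; acl "Allow users to view Root DSE Operational Attributes"; '
    'allow (read,search,compare) userdn="ldap:///anyone")'
)
ROOT_DSE_ACI_NO_SCOPE = ROOT_DSE_ACI.replace('(targetscope="base")', "")

# Constructed sample DIT: the root DSE (empty DN) plus three entries under dc=example,dc=com.
SAMPLE_DIT = [
    "",
    "dc=example,dc=com",
    "ou=People,dc=example,dc=com",
    "uid=jdoe,ou=People,dc=example,dc=com",
]

if __name__ == "__main__":
    print("base scope:   ", entries_covered(ROOT_DSE_ACI, "", SAMPLE_DIT))
    print("default scope:", entries_covered(ROOT_DSE_ACI_NO_SCOPE, "", SAMPLE_DIT))
    for scope in SCOPES:
        covered = [dn for dn in SAMPLE_DIT if scope_applies(scope, "dc=example,dc=com", dn)]
        print(scope.ljust(12), covered)
```

Running the script shows the point of the page's example: with targetscope="base" the root DSE rule reaches only the empty DN, while the same rule without the clause reaches all four sample entries. The loop at the end prints, for a target of dc=example,dc=com, which entries each of base, onelevel, subtree and subordinate select.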