The bind rules indicate whether an access control rule should apply to a given requester. Each bind rule has three parts:
- Keyword: specifies which property of the requester is tested (for example, userdn, authmethod, or ip).
- Expression: specifies the value or values that the access control rule matches against that property.
- Operator: either equal (=) or not-equal (!=).
You must use the semicolon delimiter, ;, after the end of the final bind rule. The syntax is:
keyword [= | !=] expression;
For added access control precision, you can combine multiple bind rules using the Boolean operators AND, OR, and NOT. The standard Boolean rules for evaluation apply:
- Innermost to outer parentheses first
- Left to right expressions
- NOT before AND or OR
For example, an access control instruction (ACI) with the following bind rule targets all users who are not uid=admin,dc=example,dc=com and who use simple authentication:
(userdn!="ldap:///uid=admin,dc=example,dc=com" and authmethod="simple");
The following bind rule targets uid=admin,dc=example,dc=com when that user authenticates with a client certificate (authmethod="SSL", for example via Simple Authentication and Security Layer (SASL) EXTERNAL) or accesses the server from the loopback interface. The inner parentheses group the OR clause so that it is evaluated before the AND:
(userdn="ldap:///uid=admin,dc=example,dc=com" and (authmethod="SSL" or ip="127.0.0.1"));
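To see how the precedence rules and the two bind rules above behave against concrete binds, here is a small evaluator. It is an added example, not code from this page or from the directory server: it parses the bind-rule expression syntax (keyword, = or !=, quoted value, and/or/not, parentheses, trailing semicolon) and evaluates it against a requester described by a dictionary. Only userdn, groupdn, authmethod, and ip are modelled; DNs are compared exactly with no wildcards, the ip value is treated as a comma-separated list in which a trailing asterisk acts as a prefix wildcard, and the bind() helper and its sample requesters are constructed for the example.

```python
import re

# Token grammar of the bind-rule language: parentheses, and/or/not, keyword[=|!=]"value".
TOKEN = re.compile(r'\s*(?:(\()|(\))|(and|or|not)\b|([A-Za-z]+)\s*(!=|=)\s*"([^"]*)")', re.I)
END = ("end", None)

def tokenize(rule):
    """Split one bind rule into tokens; the trailing ';' terminator is mandatory."""
    rule = rule.strip()
    if not rule.endswith(";"):
        raise ValueError("bind rule must end with ';'")
    body, pos, tokens = rule[:-1].rstrip(), 0, []
    while pos < len(body):
        m = TOKEN.match(body, pos)
        if not m:
            raise ValueError(f"cannot parse bind rule near {body[pos:]!r}")
        lp, rp, boolop, kw, op, val = m.groups()
        if lp or rp:
            tokens.append(("paren", lp or rp))
        elif boolop:
            tokens.append(("bool", boolop.lower()))
        else:
            tokens.append(("cmp", (kw.lower(), op, val)))
        pos = m.end()
    return tokens + [END]

def keyword_matches(keyword, value, req):
    """True when the requester satisfies keyword="value" in the '=' sense.
    req is a dict: bind_dn, authmethod, ip, groups (set of group DNs)."""
    if keyword == "userdn":                     # assumption: exact DN compare, no wildcards
        return req["bind_dn"].lower() == value.removeprefix("ldap:///").lower()
    if keyword == "groupdn":
        return value.removeprefix("ldap:///").lower() in {g.lower() for g in req["groups"]}
    if keyword == "authmethod":                 # no wildcards, per the keyword table
        return req["authmethod"].lower() == value.lower()
    if keyword == "ip":                         # comma-separated list; trailing '*' = prefix
        return any(p == req["ip"] or (p.endswith("*") and req["ip"].startswith(p[:-1]))
                   for p in (x.strip() for x in value.split(",")))
    raise ValueError(f"keyword {keyword!r} is not modelled in this example")

class BindRule:
    """Recursive-descent evaluator; the grammar encodes the precedence rules:
       or_expr  := and_expr ('or' and_expr)*       OR binds loosest
       and_expr := not_expr ('and' not_expr)*      AND before OR
       not_expr := 'not' not_expr | atom           NOT before AND or OR
       atom     := '(' or_expr ')' | comparison    parentheses first"""

    def __init__(self, rule):
        self.tokens = tokenize(rule)

    def applies_to(self, req):
        self.pos, self.req = 0, req
        result = self._or()
        if self._take() != END:
            raise ValueError("unexpected tokens after expression")
        return result

    def _take(self):
        self.pos += 1
        return self.tokens[self.pos - 1]

    def _chain(self, word, operand, combine):
        result = operand()
        while self.tokens[self.pos] == ("bool", word):
            self.pos += 1
            rhs = operand()                         # always consume the right operand
            result = combine(result, rhs)
        return result

    def _or(self):
        return self._chain("or", self._and, lambda a, b: a or b)

    def _and(self):
        return self._chain("and", self._not, lambda a, b: a and b)

    def _not(self):
        if self.tokens[self.pos] == ("bool", "not"):
            self.pos += 1
            return not self._not()
        return self._atom()

    def _atom(self):
        kind, val = self._take()
        if kind == "paren" and val == "(":
            result = self._or()
            if self._take() != ("paren", ")"):
                raise ValueError("missing ')'")
            return result
        if kind == "cmp":
            keyword, op, value = val
            matched = keyword_matches(keyword, value, self.req)
            return matched if op == "=" else not matched
        raise ValueError(f"unexpected token {val!r}")

# The two bind rules quoted above, plus a constructed requester helper (not from the page).
NOT_ADMIN_SIMPLE = BindRule('(userdn!="ldap:///uid=admin,dc=example,dc=com" and authmethod="simple");')
ADMIN_SECURE = BindRule('(userdn="ldap:///uid=admin,dc=example,dc=com" and (authmethod="SSL" or ip="127.0.0.1"));')

def bind(dn, authmethod, ip, groups=()):
    return {"bind_dn": dn, "authmethod": authmethod, "ip": ip, "groups": set(groups)}
```

With this model, NOT_ADMIN_SIMPLE.applies_to(bind("uid=admin,dc=example,dc=com", "simple", "10.0.0.5")) is False and ADMIN_SECURE.applies_to(bind("uid=admin,dc=example,dc=com", "simple", "127.0.0.1")) is True. Because the evaluator always consumes the right-hand operand rather than short-circuiting, a malformed rule fails with a ValueError instead of being silently accepted, which is the behaviour you want from anything that gates access.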
You can use the following keywords in the bind rule portion of ACIs.
- authmethod
  Indicates that the requester's authentication method is taken into account when determining whether the access control rule should apply to an operation. You cannot use wildcards in this expression. Use the following syntax.
  The following example allows users who authenticate with an SSL/TLS certificate (for example, using SASL EXTERNAL) to update their own entries.
- dayofweek
  Indicates that the day of the week is taken into account when determining whether the access control rule should apply to an operation. You cannot use wildcards in this expression. You can separate multiple day-of-week values with commas. Use the following syntax.
  day is one of the following:
  The following example allows users who authenticate on weekdays with an SSL/TLS certificate, such as SASL EXTERNAL, to update their own entries.
- dns
  Indicates that the requester's DNS-resolvable host name is taken into account when determining whether the access control rule should apply to an operation. You can use wildcards in this expression. You can separate multiple DNS patterns with commas. Use the following syntax.
  The following example allows users on host name
- groupdn
  Indicates that the requester's group membership is taken into account when determining whether the access control rule should apply to an operation. You cannot use wildcards in this expression.
  The following example allows users in the managers group to update their own entries.
- ip
  Indicates that the requester's IP address is taken into account when determining whether the access control rule should apply to an operation. You can use wildcards in this expression. You can separate multiple IP address patterns with commas. Use the following syntax.
  ipAddressList is one of the following:
  The following example allows users on 10.130.10.2 and localhost to update their own entries.
- oauthscope
  Indicates that the scopes associated with any OAuth 2.0 access token presented by a SCIMv2 client are taken into account when determining whether the access control rule should apply to an operation. Use the following syntax.
  scopeIdentifier is one of the following:
  The following example grants all rights to any client that presented an OAuth 2.0 token that is associated with the
- timeofday
  Indicates that the time of day is taken into account when determining whether the access control rule should apply to an operation. You cannot use wildcards in this expression. Use the following syntax.
  time is one of the following:
  The following example allows users to update their own entries if the request is received before 12 noon.
- userattr
  Indicates that the requester's relation to the value of the specified attribute is taken into account when determining whether the access control rule should apply to an operation. Use the following syntax.
  Where:
  A bindType value of
  Any value other than
  The following example allows a manager to change employees' entries. If the bind DN is specified in the manager attribute of the targeted entry, the bind rule evaluates to TRUE.
  The following example allows any member of a group to change employees' entries. If the bind DN is a member of the group specified in the allowEditors attribute of the targeted entry, the bind rule evaluates to TRUE.
  The following example allows a user's manager to edit that user's entry and any entries below the user's entry up to two levels deep. You can specify up to five levels (
  The following example allows any member of the engineering department to update any other member of the engineering department at or below the specified ACI.
  The following example allows an entry to be updated by any user whose entry matches the criteria defined in the LDAP URL contained in the
- userdn
  Indicates that the requester's DN is taken into account when determining whether the access control rule should apply to an operation. Use the following syntax.
  Where value is one of the following representations:
  If the value provided is a DN, that DN can include wildcard characters to define patterns. A single asterisk matches any content within the associated DN component, and two consecutive asterisks match zero or more DN components. The following example allows users to update their own entries.
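As an added example of the userdn wildcard rules just described (not code from this page or from the server), the following matcher treats a single asterisk as matching any characters inside one DN component and a component consisting only of two asterisks as matching zero or more whole components. It assumes DN components are separated by unescaped commas and compares them case-insensitively; the sample patterns and bind DNs are constructed for the example.

```python
import re


def split_dn(dn):
    """Split a DN into components on commas and normalize case and spacing.
    Assumption: attribute values contain no escaped commas (simplified here)."""
    return [c.strip().lower() for c in dn.split(",")]


def component_matches(pattern, component):
    """'*' matches any run of characters within one component; because the
    character class excludes ',', it can never swallow a neighbouring component."""
    regex = re.escape(pattern).replace(r"\*", "[^,]*")
    return re.fullmatch(regex, component) is not None


def _match(pat, comps):
    if not pat:
        return not comps                       # pattern exhausted: DN must be too
    if pat[0] == "**":                         # zero or more whole components
        return any(_match(pat[1:], comps[i:]) for i in range(len(comps) + 1))
    if not comps or not component_matches(pat[0], comps[0]):
        return False
    return _match(pat[1:], comps[1:])


def userdn_matches(userdn_value, bind_dn):
    """Evaluate a userdn="ldap:///<DN pattern>" value against the requester's bind DN."""
    if not userdn_value.startswith("ldap:///"):
        raise ValueError("userdn values are LDAP URLs starting with ldap:///")
    return _match(split_dn(userdn_value[len("ldap:///"):]), split_dn(bind_dn))


# Constructed sample patterns (not from the page).
PEOPLE = "ldap:///uid=*,ou=people,dc=example,dc=com"   # exactly one level under ou=people
SUBTREE = "ldap:///**,dc=example,dc=com"               # anything under the suffix, suffix included
ANY_DEPTH = "ldap:///uid=jdoe,**,dc=example,dc=com"    # uid=jdoe at any depth below the suffix

if __name__ == "__main__":
    for pattern, dn in [(PEOPLE, "uid=jdoe,ou=People,dc=example,dc=com"),
                        (PEOPLE, "uid=jdoe,ou=admins,dc=example,dc=com"),
                        (SUBTREE, "uid=x,dc=evil,dc=com"),
                        (ANY_DEPTH, "uid=jdoe,ou=a,ou=b,dc=example,dc=com")]:
        print(pattern, dn, userdn_matches(pattern, dn))
```

The practical check this makes visible: a single asterisk stays inside its component, so uid=*,dc=example,dc=com grants uid=x,dc=example,dc=com but not uid=x,ou=people,dc=example,dc=com; only the double asterisk widens a rule to a subtree, so reserve it for rules where that breadth is intended.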