ACIs use a subtree scope by default: the rule applies to the target entry and to every entry below it. The target entry is either the entry named in the ACI's target clause or, if the ACI has no target clause, the entry on which the ACI is defined. To restrict the set of entries to which an ACR applies, add the targetscope keyword to it.

The following targetscope keyword values are allowed:

base
Indicates that the ACR applies only to the target entry and not to any of its subordinates.
onelevel
Indicates that the ACR applies only to entries that are immediate children of the target entry and not to the target entry itself nor to any subordinates of the immediate children of the target entry.
subtree
Indicates that the ACR applies to the target entry and all of its subordinates. This is the default behavior if no targetscope is specified.
subordinate
Indicates that the ACR applies to all entries below the target entry but not the target entry itself.

The following ACI allows all users to view the operational attributes present in the root DSA-specific entry (root DSE):

  • supportedControl
  • supportedExtension
  • supportedFeatures
  • supportedSASLMechanisms
  • vendorName
  • vendorVersion

In the following example, targetscope is set to base so that the rule applies only to the root DSE itself. Because the target is ldap:///, the empty DN at the top of the DIT, the default subtree scope would apply the rule to every entry in the directory; base confines the permission to the root DSE. Note also that userdn="ldap:///anyone" matches unauthenticated (anonymous) binds as well as authenticated users, so this ACI exposes the listed attributes to any client that can connect.

aci: (target="ldap:///")(targetscope="base")
    (targetattr="supportedControl||supportedExtension||
     supportedFeatures||supportedSASLMechanisms||vendorName||vendorVersion")
    (version 3.0; acl "Allow users to view Root DSE Operational Attributes";
     allow (read,search,compare) userdn="ldap:///anyone")
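To make the four targetscope values concrete, and to show why base matters for the root DSE ACI above, here is an added example (not code from the original page or from any directory server) that evaluates which entries of a small constructed DIT an ACI covers. The DN normalization is deliberately minimal (lowercase, trim whitespace around each RDN, honour backslash escapes); a real server also normalizes attribute types and applies matching rules. The sample DNs, the helper names, and the regular expressions used to pull target and targetscope out of the ACI string are all assumptions made for this illustration.

```python
import re

# The four values the targetscope keyword accepts; subtree is the default.
SCOPES = ("base", "onelevel", "subtree", "subordinate")

# Constructed sample DIT: the root DSE (empty DN) plus three entries beneath it.
SAMPLE_DIT = (
    "",
    "dc=example,dc=com",
    "ou=People,dc=example,dc=com",
    "uid=jdoe,ou=People,dc=example,dc=com",
)

# The ACI from the page, as a single string (LDIF folding removed).
ROOT_DSE_ACI = (
    '(target="ldap:///")(targetscope="base")'
    '(targetattr="supportedControl||supportedExtension||'
    'supportedFeatures||supportedSASLMechanisms||vendorName||vendorVersion")'
    '(version 3.0; acl "Allow users to view Root DSE Operational Attributes";'
    ' allow (read,search,compare) userdn="ldap:///anyone")'
)

# Assumed, simplified grammar: only the two clauses this example needs.
ACI_TARGET = re.compile(r'\(\s*target\s*=\s*"ldap:///([^"]*)"\s*\)')
ACI_SCOPE = re.compile(r'\(\s*targetscope\s*=\s*"([^"]*)"\s*\)')


def split_dn(dn):
    """Split a DN into normalized RDN strings, treating '\\,' as an escaped comma.

    The empty DN (root DSE) yields an empty list.
    """
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip().lower())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip().lower())
    return [r for r in rdns if r]


def in_scope(target_dn, scope, entry_dn):
    """Return True if entry_dn is covered by an ACI with this target and targetscope."""
    if scope not in SCOPES:
        raise ValueError("unknown targetscope: %r" % scope)
    target = split_dn(target_dn)
    entry = split_dn(entry_dn)
    # entry is at or below target when its trailing RDNs equal target's RDNs.
    depth = len(entry) - len(target)
    if depth < 0 or entry[depth:] != target:
        return False
    if scope == "base":
        return depth == 0
    if scope == "onelevel":
        return depth == 1
    if scope == "subordinate":
        return depth >= 1
    return True  # subtree: target entry and everything below it


def aci_scope(aci):
    """Extract (target DN, targetscope) from an ACI string; targetscope defaults to subtree."""
    t = ACI_TARGET.search(aci)
    if t is None:
        # An ACI without a target uses the DN of the entry it is defined on,
        # which this helper does not know; the caller must supply it.
        raise ValueError("ACI has no target clause")
    s = ACI_SCOPE.search(aci)
    return t.group(1), (s.group(1).strip().lower() if s else "subtree")


def entries_covered(aci, entry_dns):
    """Return the DNs from entry_dns to which the ACI's target and scope apply."""
    target, scope = aci_scope(aci)
    return [dn for dn in entry_dns if in_scope(target, scope, dn)]


if __name__ == "__main__":
    print("with targetscope=base :", entries_covered(ROOT_DSE_ACI, SAMPLE_DIT))
    no_scope = ROOT_DSE_ACI.replace('(targetscope="base")', "")
    print("without targetscope   :", entries_covered(no_scope, SAMPLE_DIT))
```

Running the block shows the difference the page describes: with targetscope="base" only the root DSE (the empty DN) is covered, while the same ACI with the clause removed falls back to subtree and covers every entry in the sample DIT. Dropping the scope on an ACI whose target is ldap:/// is therefore a directory-wide grant, even if the attributes it names happen to exist only on the root DSE today.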