The target keyword indicates that the ACI should apply to one or more entries at or below the specified distinguished name (DN).

The target DN must be equal or subordinate to the DN of the entry in which the ACI is placed. For example, if you place the ACI at the root of ou=People,dc=example,dc=com, you can target the DN uid=user.1,ou=People,dc=example,dc=com within your ACI rule. The DN must meet the string representation specification of distinguished names outlined in RFC 4514, which requires that special characters be properly escaped.
The target clause has the following format, where DN is the distinguished name of the entry or branch:

  (target = ldap:///<DN>)

For example, to target a specific entry, use a clause like the following.

  (target = ldap:///uid=john.doe,ou=People,dc=example,dc=com)
In most cases, you should avoid specifying a target DN. Instead, define the ACI in that entry and omit the target element altogether. For example, although you can place

  (target="ldap:///uid=john.doe,ou=People,dc=example,dc=com")

in any of the dc=example,dc=com or ou=People entries, you should define it in the uid=john.doe entry and not explicitly include the target element.
The expression allows for the not equal operator (!=) to indicate that all entries within the scope of the given branch that do not match the expression are targeted by the ACI. The following expression targets all entries within the subtree that do not match uid=john.doe.

  (target != ldap:///uid=john.doe,ou=People,dc=example,dc=com)
The target keyword also supports the use of asterisk (*) characters as wildcards to match elements within the distinguished name.

- The following target expression matches all entries whose uid begins with john.d.

    (target = ldap:///uid=john.d*,ou=People,dc=example,dc=com)

  Entries such as john.doe,ou=People,dc=example,dc=com and john.davies,ou=People,dc=example,dc=com would match the target expression.

- The following target expression matches all entries whose uid begins with john.d and whose ou attribute has any value.

    (target = ldap:///uid=john.d*,ou=*,dc=example,dc=com)

  Entries such as john.doe,ou=People,dc=example,dc=com and john.davies,ou=asia-branch,dc=example,dc=com would match the target expression.
Another example of a complete ACI targets the entries in the ou=People,dc=example,dc=com branch and the entries below it, and grants users the privilege to modify all of the user attributes within their own entries.

  aci:(target="ldap:///ou=People,dc=example,dc=com")
  (targetattr="*")
  (version 3.0; acl "Allow all the ou=People branch to modify their own entries";
  allow (write) userdn="ldap:///self";)
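To make the matching rules above concrete (target scope at or below a DN, the != operator, * wildcards within an RDN, and the requirement that the target DN sit at or below the entry holding the ACI), here is an added, self-contained Python matcher. It is illustrative code written for this page, not the directory server's own ACI evaluator; the function names, the simplified RFC 4514 handling (only backslash-escaped commas are recognised when splitting RDNs) and the case-insensitive value comparison are assumptions, and the DNs used are the ones from the examples above.

```python
import re

# Illustrative matcher for ACI target clauses (not the server's evaluator).
# Assumptions: target values are DNs with optional '*' wildcards inside an RDN
# value; RDN splitting honours backslash-escaped commas (RFC 4514 style);
# attribute types and values are compared case-insensitively.

TARGET_RE = re.compile(r'\s*\(\s*target\s*(!=|=)\s*"?ldap:///([^"\)]+)"?\s*\)\s*')


def parse_target(clause):
    """Return (negated, dn_pattern) for a clause like (target != ldap:///DN)."""
    m = TARGET_RE.fullmatch(clause)
    if not m:
        raise ValueError("not a target clause: %r" % clause)
    return m.group(1) == "!=", m.group(2).strip()


def split_rdns(dn):
    """Split a DN into its RDN strings on unescaped commas."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return parts


def rdn_matches(pattern_rdn, entry_rdn):
    """Compare one RDN against a pattern RDN; '*' in the pattern value matches any run."""
    ptype, _, pval = pattern_rdn.partition("=")
    etype, _, evalue = entry_rdn.partition("=")
    if ptype.strip().lower() != etype.strip().lower():
        return False
    regex = ".*".join(re.escape(piece) for piece in pval.split("*"))
    return re.fullmatch(regex, evalue, flags=re.IGNORECASE) is not None


def dn_in_scope(pattern_dn, entry_dn):
    """True when entry_dn equals pattern_dn or lies below it (compared suffix-first)."""
    pattern = split_rdns(pattern_dn)
    entry = split_rdns(entry_dn)
    if len(entry) < len(pattern):
        return False
    tail = entry[len(entry) - len(pattern):]
    return all(rdn_matches(p, e) for p, e in zip(pattern, tail))


def target_applies(clause, aci_entry_dn, entry_dn):
    """Does the target clause of an ACI placed at aci_entry_dn select entry_dn?

    An ACI never reaches outside the entry it is placed on, so the entry must
    first be at or below aci_entry_dn; '!=' then selects the in-scope entries
    that do NOT match the pattern.
    """
    negated, pattern = parse_target(clause)
    if not dn_in_scope(aci_entry_dn, entry_dn):
        return False
    hit = dn_in_scope(pattern, entry_dn)
    return (not hit) if negated else hit


def placement_ok(clause, aci_entry_dn):
    """The target DN must be equal or subordinate to the entry holding the ACI."""
    _, pattern = parse_target(clause)
    return dn_in_scope(aci_entry_dn, pattern)


if __name__ == "__main__":
    people = "ou=People,dc=example,dc=com"
    wild = "(target = ldap:///uid=john.d*,ou=People,dc=example,dc=com)"
    for dn in ("uid=john.doe," + people, "uid=john.davies," + people, "uid=jane.roe," + people):
        print(dn, "->", target_applies(wild, people, dn))
```

Run the block directly to see which of the example DNs the wildcard target selects; `placement_ok` is the check to run before adding an ACI, since a target DN outside the holding entry's subtree is a misplaced rule rather than a working one.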