This is especially common in a multi-tenant environment in which users within a tenant might need access to other entries within the same tenant, but not to other entries outside their organization.

For example, consider a server that has a DIT structure like the following:

  • dc=example, dc=com
    • ou=tenants
      • ou=Company A
        • ou=People
        • ou=Groups
          • cn=Administrators
      • ou=Company B
        • ou=People
        • ou=Groups
          • cn=Administrators
      • ou=Company C
        • ou=People
        • ou=Groups
          • cn=Administrators

In each case, members of the cn=Administrators,ou=Groups,ou=<companyName>,ou=tenants,dc=example,dc=com group might need to be able to manage entries at or below ou=<companyName>,ou=tenants,dc=example,dc=com. While it might be possible to accomplish this by creating similar ACIs throughout the DIT (one for each tenant), it can also be accomplished with a single parameterized ACI like the following example.

(target="ldap:///ou=($1),ou=tenants,dc=example,dc=com")(version 3.0; acl "Allow organization administrators to manage entries in their organization"; allow (all) groupdn="ldap:///cn=Administrators,ou=Groups,ou=($1),ou=tenants,dc=example,dc=com";)

In this case, “($1)” is a placeholder whose value must match between the target and groupdn elements of the access control rule. If the client is authenticated as a user who is a member of any group whose DN matches the pattern in the groupdn bind rule, then the value that matched the placeholder in that pattern is substituted in place of the same placeholder within the target element.

Parameterized ACIs can also be used in conjunction with the userdn bind rule. For example, the following ACI grants any user within the organization permission to access a select set of attributes from any user within the same organization.

(target="ldap:///ou=($1),ou=tenants,dc=example,dc=com")(targetattr="uid||cn||givenName||sn||mail")(version 3.0; acl "Allow users within an organization to access select attributes from other entries in the same organization"; allow (read,search,compare) userdn="ldap:///uid=($2),ou=People,ou=($1),ou=tenants,dc=example,dc=com";)

Parameterized DNs used in the userdn or groupdn bind rules can have multiple placeholders. Not all of those placeholders need to be used in the target.
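The following is an added example (not the directory server's own code) that models how both ACIs above are evaluated: the “($n)” placeholders are bound from the DN the bind rule is evaluated against (the user's own DN for userdn, or the DN of a group the user belongs to for groupdn), substituted into the target, and the requested entry is then checked for being at or below the resolved target. It assumes each placeholder matches one RDN value with no embedded commas and that group membership has already been resolved to a group DN.

```python
import re

# "($1)", "($2)", ... placeholders as they appear in a parameterized ACI.
PLACEHOLDER = re.compile(r"\(\$(\d+)\)")

def normalize_dn(dn):
    """Strip whitespace around RDN separators so DNs compare consistently."""
    return ",".join(part.strip() for part in dn.split(","))

def pattern_to_regex(pattern):
    """Turn a parameterized DN into a regex. The first use of ($n) becomes a named
    group matching one RDN value; a repeated ($n) becomes a backreference, so the
    same placeholder must take the same value wherever it appears."""
    pattern = normalize_dn(pattern)
    regex, seen, pos = "", set(), 0
    for m in PLACEHOLDER.finditer(pattern):
        regex += re.escape(pattern[pos:m.start()])
        n = m.group(1)
        regex += f"(?P=p{n})" if n in seen else f"(?P<p{n}>[^,]+)"
        seen.add(n)
        pos = m.end()
    return re.compile("^" + regex + re.escape(pattern[pos:]) + "$", re.IGNORECASE)

def bind_placeholders(bind_pattern, bind_dn):
    """Return {n: value} if bind_dn matches the userdn/groupdn pattern, else None."""
    m = pattern_to_regex(bind_pattern).match(normalize_dn(bind_dn))
    if not m:
        return None
    return {int(name[1:]): value for name, value in m.groupdict().items()}

def resolve_target(target_pattern, params):
    """Substitute bound values into the target. A placeholder in the target that
    the bind rule never bound has no value, so it is rejected rather than guessed."""
    def substitute(m):
        n = int(m.group(1))
        if n not in params:
            raise ValueError(f"target uses ($${n}) but the bind rule does not bind it")
        return params[n]
    return PLACEHOLDER.sub(substitute, normalize_dn(target_pattern))

def entry_in_scope(entry_dn, resolved_target):
    """True if entry_dn is the resolved target entry itself or anywhere beneath it."""
    entry, target = normalize_dn(entry_dn).lower(), resolved_target.lower()
    return entry == target or entry.endswith("," + target)

def tenant_access_allowed(target_pattern, bind_pattern, bind_dn, entry_dn):
    """Evaluate one parameterized ACI: bind placeholders, resolve target, check scope."""
    params = bind_placeholders(bind_pattern, bind_dn)
    if params is None:
        return False
    return entry_in_scope(entry_dn, resolve_target(target_pattern, params))
```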