Advanced Access Control: Using Macro ACIs
Chapter 6 Managing Access Control

The following ACI is located on the dc=subdomain1,dc=hostedCompany1,dc=example,dc=com node:

aci: (targetattr="*")(targetfilter=(objectClass=nsManagedDomain))
 (version 3.0; acl "Domain access"; allow (read,search)
 groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=subdomain1,dc=hostedCompany1,dc=example,dc=com";)

The following ACI is located on the dc=hostedCompany2,dc=example,dc=com node:

aci: (targetattr="*")(targetfilter=(objectClass=nsManagedDomain))
 (version 3.0; acl "Domain access"; allow (read,search)
 groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=hostedCompany2,dc=example,dc=com";)

The following ACI is located on the dc=subdomain1,dc=hostedCompany2,dc=example,dc=com node:

aci: (targetattr="*")(targetfilter=(objectClass=nsManagedDomain))
 (version 3.0; acl "Domain access"; allow (read,search)
 groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=subdomain1,dc=hostedCompany2,dc=example,dc=com";)

In the four ACIs shown above, the only differentiator is the DN specified in the groupdn keyword. By using a macro for the DN, it is possible to replace these ACIs with a single ACI at the root of the tree, on the dc=example,dc=com node. This ACI reads as follows:

aci: (target="ldap:///ou=Groups,($dn),dc=example,dc=com")
 (targetattr="*")(targetfilter=(objectClass=nsManagedDomain))
 (version 3.0; acl "Domain access"; allow (read,search)
 groupdn="ldap:///cn=DomainAdmins,ou=Groups,[$dn],dc=example,dc=com";)

Note that the target keyword, which was not previously used, needs to be introduced.

In the example above, the number of ACIs is reduced from four to one. However, the real benefit is a factor of how many repeating patterns you have down and across your directory tree.

Macro ACI Syntax

Macro ACIs include the following types of expressions to replace a DN or part of a DN:

• ($dn)