Creating ACIs Manually212 Red Hat Directory Server Administrator’s Guide • May 2005The attributes specified in the targetattr keyword apply to the entry that theACI is targeting and to all the entries below it. If you target the password attributeon the entry uid=bjensen,ou=Marketing,dc=example,dc=com, only thepassword attribute on the bjensen entry is affected by the ACI because it is a leafentry.If, however, you target the tree’s branch pointou=Marketing,dc=example,dc=com, then all the entries beneath the branch pointthat can contain a password attribute are affected by the ACI.Targeting Both an Entry and AttributesBy default, the entry targeted by an ACI containing a targetattr keyword is theentry on which the ACI is placed. That is, if you put the ACIaci: (targetattr = "uid")(access_control_rules;)on the ou=Marketing, dc=example,dc=com entry, then the ACI applies to theentire Marketing subtree. However, you can also explicitly specify a target usingthe target keyword as follows:aci: (target="ldap:///ou=Marketing,dc=example,dc=com")(targetattr="uid") (access_control_rules;)The order in which you specify the target and the targetattr keywords is notimportant.Targeting Entries or Attributes Using LDAP FiltersYou can use LDAP filters to target a group of entries that match certain criteria. Todo this, you must use the targetfilter keyword with an LDAP filter.The syntax of the targetfilter keyword is:(targetfilter = "LDAP_filter")where LDAP_filter is a standard LDAP search filter. For more information on thesyntax of LDAP search filters, see Appendix B, “Finding Directory Entries.”For example, suppose that all entries in the accounting department include theattribute-value pair ou=accounting, and all entries in the engineering departmentinclude the attribute-value pair ou=engineering subtree. To target all the entriesin the accounting and engineering branches of the directory tree, you could usethe following filter:(targetfilter = "(|(ou=accounting)(ou=engineering))")
