Bind Rules (Chapter 6 Managing Access Control, page 233)

The bind rule is evaluated to be true if the client accessing the directory is located at the named IP address. This can be useful for allowing certain kinds of directory access only from a specific subnet or machine.

For example, you could use a wildcard IP address such as 12.3.45.* to specify a specific subnetwork or 123.45.6.*+255.255.255.115 to specify a subnetwork mask.

From the Server Console, you can define specific machines to which the ACI applies through the Access Control Editor. For more information, see "Creating ACIs from the Console," on page 237.

Defining Access from a Specific Domain

A bind rule can specify that the bind operation must originate from a particular domain or host machine. This is often used to force all directory updates to occur from a given machine or network domain.

The LDIF syntax for setting a bind rule based on the DNS hostname is dns = "DNS_Hostname" or dns != "DNS_Hostname".

The dns keyword requires a fully qualified DNS domain name. Granting access to a host without specifying the domain creates a potential security threat. For example, the following expression is allowed but not recommended:

    dns = "legend.eng";

You should use a fully qualified name such as:

    dns = "legend.eng.example.com";

The dns keyword allows wildcards. For example:

    dns = "*.example.com";

The bind rule is evaluated to be true if the client accessing the directory is located in the named domain. This can be useful for allowing access only from a specific domain. Wildcards will not work if your system uses a naming service other than DNS. In such a case, if you want to restrict access to a particular domain, use the ip keyword, as described in "Defining Access from a Specific IP Address," on page 232.

CAUTION: The dns keyword requires that the naming service used on your machine is DNS. If the name service is not DNS, you should use the ip keyword instead.
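The following is an added audit check, not code from the manual or from the directory server itself: it unfolds an LDIF export, finds every dns bind rule inside an aci value, and reports the ones that are not fully qualified. The sample LDIF is constructed for the example, and TRUSTED_SUFFIXES (the organisation's own DNS domains) is an assumption you would replace with your own.

```python
import re

# Constructed sample LDIF (not from the manual). LDIF folds long attribute
# values onto continuation lines that begin with a single space.
SAMPLE_LDIF = """dn: dc=example,dc=com
aci: (targetattr = "*")(version 3.0; acl "eng host, short name"; allow (write)
  userdn = "ldap:///uid=admin,ou=People,dc=example,dc=com" and dns = "legend.eng";)
aci: (targetattr = "*")(version 3.0; acl "eng host, fqdn"; allow (write)
  userdn = "ldap:///uid=admin,ou=People,dc=example,dc=com" and dns = "legend.eng.example.com";)
aci: (targetattr = "*")(version 3.0; acl "any eng host"; allow (read)
  userdn = "ldap:///anyone" and dns = "*.eng.example.com";)
aci: (targetattr = "*")(version 3.0; acl "corp subnet"; allow (read)
  userdn = "ldap:///anyone" and ip = "12.3.45.*";)
"""

# Assumption: the DNS domains this directory should trust in dns bind rules.
TRUSTED_SUFFIXES = ("example.com",)

DNS_RULE = re.compile(r'\bdns\s*(!?=)\s*"([^"]*)"')   # dns = "host" / dns != "host"
ACL_NAME = re.compile(r'\bacl\s+"([^"]*)"')           # the acl "name" inside the ACI


def unfold_ldif(text):
    """Join LDIF continuation lines (leading single space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # the folding space itself is dropped
        else:
            lines.append(raw)
    return lines


def is_fully_qualified(host, trusted_suffixes):
    """True if host (wildcards allowed, e.g. *.eng.example.com) ends in a trusted domain."""
    return any(host == s or host.endswith("." + s) for s in trusted_suffixes)


def find_unqualified_dns_rules(ldif_text, trusted_suffixes=TRUSTED_SUFFIXES):
    """Return (acl name, operator, hostname) for every dns bind rule that is not fully qualified."""
    findings = []
    for line in unfold_ldif(ldif_text):
        if not line.startswith("aci:"):
            continue
        name = ACL_NAME.search(line)
        acl = name.group(1) if name else "<unnamed>"
        for op, host in DNS_RULE.findall(line):
            if not is_fully_qualified(host, trusted_suffixes):
                findings.append((acl, op, host))
    return findings


if __name__ == "__main__":
    for acl, op, host in find_unqualified_dns_rules(SAMPLE_LDIF):
        print(f'ACI "{acl}": dns {op} "{host}" is not a fully qualified name')
```

Run against a real export (ldif files produced by db2ldif or ldapsearch) the script lists each ACI whose dns rule would match by short name; a bare "*" is flagged as well because it qualifies no domain at all.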