18.9. Defining Targets

Target rules in an ACI define to which entries Directory Server applies the ACI. If you do not set a target, the ACI applies to the entry containing the aci attribute and to entries below.
In an ACI, the following highlighted part is the target rule:
(target_rule)(version 3.0; acl "ACL_name"; permission_rule bind_rules;)
For complex ACIs, Directory Server supports multiple target rules with different keywords in an ACI:
(target_rule_1)(target_rule_2)(...)(version 3.0; acl "ACL_name"; permission_rule bind_rules;)
If you specify multiple target rules, the order is not relevant. Note that you can use each of the following keywords only once in an ACI:
  • target
  • targetattr
  • targetattrfilters
  • targetfilter
  • target_from
  • target_to

Syntax

The general syntax of a target rule is:
(keyword comparison_operator "expression")
  • keyword: Sets the type of the target. See Section 18.9.1, “Frequently Used Target Keywords”.
  • comparison_operator: Valid values are = and != and indicate whether or not the target is the object specified in the expression.

    Warning

    For security reasons, Red Hat recommends not using the != operator, because it allows the specified operation on all other entries or attributes. For example:
    (targetattr != "userPassword");(version 3.0; acl "example"); allow (write) ... );
    The previous example allows users to set, update, or delete any attribute except the userPassword attribute under the Distinguished Name (DN) you set the ACI. However, this also enables users, for example, to add an additional aci attribute that allows write access to this attribute as well.
  • expression: Sets the target and must be surrounded by quotation marks. The expression itself depends on the keyword you use.

18.9.1. Frequently Used Target Keywords

Administrators frequently use the following target keywords:

18.9.1.1. Targeting a Directory Entry

To control access based on a DN and the entries below it, use the target keyword in the ACI. A target rule which uses the target keyword takes a DN as expression:
(target comparison_operator "ldap:///distinguished_name")

Note

You must set the ACI with the target keyword on the DN you are targeting or a higher-level DN of it. For example, if you target ou=People,dc=example,dc=com, you must either set the ACI on ou=People,dc=example,dc=com or dc=example,dc=com.

Example 18.1. Using the target Keyword

To enable users that are stored in the ou=People,dc=example,dc=com entry to search and display all attributes in their own entry:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///ou=People,dc=example,dc=com") (version 3.0;
 acl "Allow users to read and search attributes of own entry"; allow (search, read)
 (userdn = "ldap:///self");)

Using Wildcards with the target Keyword

You can use the * wildcard character target multiple entries.
The following target rule example matches all entries in ou=People,dc=example,dc=com whose uid attribute is set to a value that starts with the letter a:
(target = "ldap:///uid=a*,ou=People,dc=example,dc=com")
Depending on the position of the wildcard, the rule not only applies to attribute values, but also to the full DN. Therefore, you can use the wildcard as a substitute for portions of the DN.

Example 18.2. Targeting a Directory Entries Using Wildcards

The following rule targets all entries in the dc=example,dc=com tree with a matching uid attribute and not only entries which are stored in the dc=example,dc=com entry itself:
(target = "ldap:///uid=user_name*,dc=example,dc=com")
The previous target rule matches multiple entries, such as:
  • uid=user_name,dc=example,dc=com
  • uid=user_name,ou=People,dc=example,dc=com
  • uid=user_name2,dc=example,dc=com

Important

Directory Server does not support wildcards in the suffix part of a DN. For example, if your directory's suffix is dc=example,dc=com, you cannot use a target with a wildcard in this suffix, such as (target = "ldap:///dc=*.com").

18.9.1.2. Targeting Attributes

To limit access in an ACI to certain attributes, use the targetattr keyword. For example, this keyword defines:
  • In a read operation, what attributes will be returned to a client
  • In a search operation, what attributes will be searched
  • In a write operation, what attributes can be written to an object
  • In an add operation, what attributes can be added when creating a new object

Note

In certain situations, you can use the targetattr keyword to secure ACIs by combining other target keywords with targetattr. See Section 18.9.3, “Advanced Usage of Target Rules” for examples.

Important

In read and search operations, the default targets no attribute. An ACI without a targetattr keyword is only useful for ACIs with rights affecting a complete entry, such as add or delete.
To separate multiple attributes in a target rule that uses the targetattr keyword, use ||:
(targetattr comparison_operator "attribute_1 || attribute_2 || ...")
The attributes set in the expression must be defined in the schema.

Note

The attributes specified in the expression apply to the entry on which you create the ACI and to all entries below it if not restricted by further target rules.

Example 18.3. Using the targetattr Keyword

To enable users stored in dc=example,dc=com and all subentries to update the userPassword attribute in their own entry:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "userPassword") (version 3.0;
 acl "Allow users updating own userPassword";
 allow (write) (userdn = "ldap:///self");)

Using Wildcards with the targetattr Keyword

Using the * wildcard character, you can, for example, target all attributes:
(targetattr = "*")

Warning

For security reasons, do not use wildcards with the targetattr, because it allows access to all attributes, including operational attributes. For example, if users can add or modify all attributes, users might create additional ACI and increase their own permissions.

18.9.1.3. Targeting Entries and Attributes Using LDAP Filters

To target a group of entries that match a certain criteria, use the targetfilter keyword with an LDAP filter:
(targetfilter comparison_operator "LDAP_filter")
The filter expression is a standard LDAP search filter, as described in Chapter 14, Finding Directory Entries.

Example 18.4. Using the targetfilter Keyword

To grant permissions to members of the cn=Human Resources,dc=example,dc.com group to modify all entries having the department attribute set to Engineering or Sales:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetfilter = "(|(department=Engineering)(department=Sales)")
 (version 3.0; acl "Allow HR updating engineering and sales entries";
 allow (write) (groupdn = "ldap:///cn=Human Resources,dc=example,dc.com");)
The targetfilter keyword targets whole entries. If you combine it with the targetattr keyword, the ACI applies only to a subset of attributes of the targeted entries. See Section 18.9.3.3, “Targeting Certain Attributes of Entries Matching a Filter”.

Note

Using LDAP filters is useful when targeting entries and attributes that are spread across the directory. However, the results are sometimes unpredictable because filters do not directly name the object for which you are managing access. The set of entries targeted by a filtered ACI is likely to change as attributes are added or deleted. Therefore, if you use LDAP filters in ACIs, verify that they target the correct entries and attributes by using the same filter, for example, in an ldapsearch operation.

Using Wildcards with the targetfilter Keyword

The targetfilter keyword supports wildcards similarly to standard LDAP filters. For example, to target all uid attributes whose value starts with adm:
(targetfilter = "(uid=adm*) ...)

18.9.1.4. Targeting Attribute Values Using LDAP Filters

You can use access control to target specific values of attributes. This means that you can grant or deny permissions on an attribute if that attribute's value meets the criteria that is defined in the ACI. An ACI that grants or denies access based on an attribute's value is called a value-based ACI.

Note

This applies only to ADD and DEL operations. You cannot limit search rights by specific values.
To create a value-based ACI, use the targattrfilters keyword with the following syntax:
  • For one operation with one attribute and filter combination:
    (targattrfilters="operation=attribute:filter")
  • For one operation with multiple attribute and filter combinations:
    (targattrfilters="operation=attribute_1:filter_1 && attribute_2:filter_2 ... && attribute_m:filter_m")
  • For two operations, each with multiple attribute and filter combinations:
    (targattrfilters="operation_1=attribute_1_1:filter_1_1 && attribute_1_2:filter_1_2 ... && attribute_1_m:filter_1_m , operation_2=attribute_2_1:filter_2_1 && attribute_2_2:filter_2_2 ... & attribute_2_n:filter_2_n ")
In the previous syntax examples, you can set the operations either to add or del. The attribute:filter combination sets the filter and the attribute the filter is applied to.
The following describes how filter must match:
  • When creating an entry and a filter applies to an attribute in the new entry, then each instance of that attribute must match the filter.
  • When deleting an entry and a filter applies to an attribute in the entry, then each instance of that attribute must also match the filter.
  • When modifying an entry and the operation adds an attribute, then the add filter that applies to that attribute must match.
  • If the operation deletes an attribute, then the del filter that applies to that attribute must match. If the individual values of an attribute already present in the entry are replaced, then both the add and del filters must match.

Example 18.5. Using the targattrfilters Keyword

To create an ACI that enables users to add any role to their own entry, except the Admin role, and to add the telephone attribute, as long as the value begins with the 123 prefix:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targattrfilters="add=nsroledn:(!(nsroledn=cn=Admin)) &&
 telephoneNumber:(telephoneNumber=123*)") (version 3.0;
 acl "Allow adding roles and telephone";
 allow (add) (userdn = "ldap:///self");)

18.9.2. Further Target Keywords

This section describes target keywords that are less-frequently used.

18.9.2.1. Targeting Source and Destination DNs

In certain situations, administrators want to allow users to move directory entries. Using the target_from and target_to keywords in an ACI, you can specify the source and destination of the operation, however, without enabling the user:
  • To move entries from a different source as set in the ACI.
  • To move entries to a different destination as set in the ACI.
  • To delete existing entries from the source DN.
  • To add new entries to the destination DN.

Example 18.6. Using the target_from and target_to Keywords

For example, to enable the uid=user,dc=example,dc=com account to move user accounts from the cn=staging,dc=example,dc=com entry to cn=people,dc=example,dc=com:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target_from="ldap:///uid=*,cn=staging,dc=example,dc=com")
 (target_to="ldap:///cn=People,dc=example,dc=com")
 (version 3.0; acl "MODDN from"; allow (moddn))
 userdn="ldap:///uid=user,dc=example,dc=com";)

Note

ACIs apply only to the subtree where they are defined. In the previous example, the ACI is applied only to the dc=example,dc=com subtree.
If the target_from or target_to keyword is not set, the ACI matches any source or destination.

18.9.3. Advanced Usage of Target Rules

By combining multiple keywords, you can create complex target rules. This section provides examples of the advanced usage of target rules.

18.9.3.1. Delegating Permissions to Create and Maintain Groups

In certain situations, administrators want to delegate permissions to other accounts or groups. By combining target keywords, you can create secure ACIs that solve this request.

Example 18.7. Delegating Permissions to Create and Maintain Groups

To enable the uid=user,ou=People,dc=example,dc=com" account to create and update groups in the ou=groups,dc=example,dc=com entry:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///cn=*,ou=Groups,dc=example,dc=com")
 (targattrfilters="add=objectclass:(|(objectclas=top)(objectclass=groupOfUniqueNames)))
 (targetattr="cn || uniqueMember || objectClass")
 (version 3.0; acl "example"; allow (read, search, write, add)
 (userdn = "ldap:///uid=test,ou=People,dc=example,dc=com");)
For security reasons, the previous example adds certain limitations. The uid=test,ou=People,dc=example,dc=com user:
  • Can create objects that must contain the top and groupOfUniqueNames object classes.
  • Cannot add additional object classes, such as account. For example, this prevents if you use Directory Server accounts for local authentication, to create new users with an invalid user ID, such as 0 for the root user.
The targetfilter rule ensures that the ACI entry applies only to entries with the groupofuniquenames object class and the targetattrfilter rule ensures that no other object class can be added.

18.9.3.2. Targeting Both an Entry and Attributes

The target controls access based on a DN. However, if you use it in combination with a wildcard and the targetattr keyword, you can target both entries and attributes.

Example 18.8. Targeting Both an Entry and Attributes

To enable the uid=user,ou=People,dc=example,dc.com user to read and search members of groups in all organizational units in the dc=example,dc=com subtree:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///cn=*,dc=example,dc=com")(targetattr="member" || "cn") (version 3.0;
 acl "Allow uid=user to search and read members of groups";
 allow (read, search) (userdn = "ldap:///uid=user,ou=People,dc=example,dc.com");)

18.9.3.3. Targeting Certain Attributes of Entries Matching a Filter

If you combine the targetattr and targetfilter keywords in two target rules, you can target certain attributes in entries that match a filter.

Example 18.9. Targeting Certain Attributes of Entries Matching a Filter

To allow members of the cn=Engineering Admins,dc=example,dc=com group to modify the jpegPhoto and manager attributes of all entries having the department attribute set to Engineering:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "jpegPhoto || manager")
 (targetfilter = "(department=Engineering)") (version 3.0;
 acl "Allow engineering admins updating jpegPhoto and manager of department members";
 allow (write) (groupdn = "ldap:///cn=Engineering Admins,dc=example,dc.com");)

18.9.3.4. Targeting a Single Directory Entry

To target a single directory entry, combine the targetattr and targetfilter keywords.

Example 18.10. Targeting a Single Directory Entry

To enable the uid=user,ou=People,dc=example,dc=com user to read and search the ou and cn attributes in the ou=Engineering,dc=example,dc=com entry:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: ou=Engineering,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "ou || cn")
 (targetfilter = "(ou=Engineering)") (version 3.0;
 acl "Allow uid=user to search and read engineering attributes";
 allow (read, search) (userdn = "ldap:///uid=user,ou=People,dc=example,dc.com");)
To enable the previous example to target only the ou=Engineering,dc=example,dc=com entry, sub-entries in ou=Engineering,dc=example,dc=com must not have the ou attribute set to Engineering.

Important

These kinds of ACIs can fail if the structure of your directory changes.
Alternatively, you can create a bind rule that matches the user input in the bind request with an attribute value that is stored in the targeted entry. See Section 18.11.2.1, “Defining Access Based on Value Matching”.