18.5. Limitations of ACIs

When you set ACIs, the following restrictions apply:
  • If your directory database is distributed over multiple servers, the following restrictions apply to the keywords you can use in ACIs:
    • ACIs depending on group entries using the groupdn keyword must be located on the same server as the group entry.
      If the group is dynamic, all members of the group must have an entry on the server. Member entries of static groups can be located on the remote server.
    • ACIs depending on role definitions using the roledn keyword, must be located on the same server as the role definition entry. Every entry that is intended to have the role must also be located on the same server.
    However, you can match values stored in the target entry with values stored in the entry of the bind user by, for example, using the userattr keyword. In this case, access is evaluated normally even if the bind user does not have an entry on the server that stores the ACI.
  • You cannot use virtual attributes, such as Class of Service (CoS) attributes, in the following ACI keywords:
    • targetfilter
    • targattrfilters
    • userattr
  • Access control rules are evaluated only on the local server. For example, if you specify the host name of a server in LDAP URLs in ACI keywords, the URL will be ignored.