18.9. Defining Targets
Target rules in an ACI define to which entries Directory Server applies the ACI. If you do not set a target, the ACI applies to the entry containing the
aci
attribute and to entries below.
In an ACI, the following highlighted part is the target rule:
(target_rule)(version 3.0; acl "ACL_name"; permission_rule bind_rules;)
For complex ACIs, Directory Server supports multiple target rules with different keywords in an ACI:
(target_rule_1)(target_rule_2)(...)(version 3.0; acl "ACL_name"; permission_rule bind_rules;)
If you specify multiple target rules, the order is not relevant. Note that you can use each of the following keywords only once in an ACI:
target
targetattr
targetattrfilters
targetfilter
target_from
target_to
Syntax
The general syntax of a target rule is:
(keyword comparison_operator "expression")
keyword
: Sets the type of the target. See Section 18.9.1, “Frequently Used Target Keywords”.comparison_operator
: Valid values are=
and!=
and indicate whether or not the target is the object specified in the expression.Warning
For security reasons, Red Hat recommends not using the!=
operator, because it allows the specified operation on all other entries or attributes. For example:(targetattr != "userPassword");(version 3.0; acl "example"); allow (write) ... );
The previous example allows users to set, update, or delete any attribute except theuserPassword
attribute under the Distinguished Name (DN) you set the ACI. However, this also enables users, for example, to add an additionalaci
attribute that allows write access to this attribute as well.expression
: Sets the target and must be surrounded by quotation marks. The expression itself depends on the keyword you use.
18.9.1. Frequently Used Target Keywords
Administrators frequently use the following target keywords:
target
: See Section 18.9.1.1, “Targeting a Directory Entry”.targetattr
: See Section 18.9.1.2, “Targeting Attributes”.targetfilter
: See Section 18.9.1.3, “Targeting Entries and Attributes Using LDAP Filters”.targattrfilters
: See Section 18.9.1.4, “Targeting Attribute Values Using LDAP Filters”.
18.9.1.1. Targeting a Directory Entry
To control access based on a DN and the entries below it, use the
target
keyword in the ACI. A target rule which uses the target
keyword takes a DN as expression:
(target comparison_operator "ldap:///distinguished_name")
Note
You must set the ACI with the
target
keyword on the DN you are targeting or a higher-level DN of it. For example, if you target ou=People,dc=example,dc=com
, you must either set the ACI on ou=People,dc=example,dc=com
or dc=example,dc=com
.
Example 18.1. Using the target
Keyword
To enable users that are stored in the
ou=People,dc=example,dc=com
entry to search and display all attributes in their own entry:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x dn: ou=People,dc=example,dc=com changetype: modify add: aci aci: (target = "ldap:///ou=People,dc=example,dc=com") (version 3.0; acl "Allow users to read and search attributes of own entry"; allow (search, read) (userdn = "ldap:///self");)
Using Wildcards with the target
Keyword
You can use the
*
wildcard character target multiple entries.
The following target rule example matches all entries in
ou=People,dc=example,dc=com
whose uid
attribute is set to a value that starts with the letter a
:
(target = "ldap:///uid=a*,ou=People,dc=example,dc=com")
Depending on the position of the wildcard, the rule not only applies to attribute values, but also to the full DN. Therefore, you can use the wildcard as a substitute for portions of the DN.
Example 18.2. Targeting a Directory Entries Using Wildcards
The following rule targets all entries in the
dc=example,dc=com
tree with a matching uid
attribute and not only entries which are stored in the dc=example,dc=com
entry itself:
(target = "ldap:///uid=user_name*,dc=example,dc=com")
The previous target rule matches multiple entries, such as:
uid=user_name,dc=example,dc=com
uid=user_name,ou=People,dc=example,dc=com
uid=user_name2,dc=example,dc=com
Important
Directory Server does not support wildcards in the suffix part of a DN. For example, if your directory's suffix is
dc=example,dc=com
, you cannot use a target with a wildcard in this suffix, such as (target = "ldap:///dc=*.com")
.
18.9.1.2. Targeting Attributes
To limit access in an ACI to certain attributes, use the
targetattr
keyword. For example, this keyword defines:
- In a read operation, what attributes will be returned to a client
- In a search operation, what attributes will be searched
- In a write operation, what attributes can be written to an object
- In an add operation, what attributes can be added when creating a new object
Note
In certain situations, you can use the
targetattr
keyword to secure ACIs by combining other target keywords with targetattr
. See Section 18.9.3, “Advanced Usage of Target Rules” for examples.
Important
In
read
and search
operations, the default targets no attribute. An ACI without a targetattr
keyword is only useful for ACIs with rights affecting a complete entry, such as add
or delete
.
To separate multiple attributes in a target rule that uses the
targetattr
keyword, use ||
:
(targetattr comparison_operator "attribute_1 || attribute_2 || ...")
The attributes set in the expression must be defined in the schema.
Note
The attributes specified in the expression apply to the entry on which you create the ACI and to all entries below it if not restricted by further target rules.
Example 18.3. Using the targetattr
Keyword
To enable users stored in
dc=example,dc=com
and all subentries to update the userPassword
attribute in their own entry:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x dn: dc=example,dc=com changetype: modify add: aci aci: (targetattr = "userPassword") (version 3.0; acl "Allow users updating own userPassword"; allow (write) (userdn = "ldap:///self");)
Using Wildcards with the targetattr
Keyword
Using the
*
wildcard character, you can, for example, target all attributes:
(targetattr = "*")
Warning
For security reasons, do not use wildcards with the
targetattr
, because it allows access to all attributes, including operational attributes. For example, if users can add or modify all attributes, users might create additional ACI and increase their own permissions.
18.9.1.3. Targeting Entries and Attributes Using LDAP Filters
To target a group of entries that match a certain criteria, use the
targetfilter
keyword with an LDAP filter:
(targetfilter comparison_operator "LDAP_filter")
The filter expression is a standard LDAP search filter, as described in Chapter 14, Finding Directory Entries.
Example 18.4. Using the targetfilter
Keyword
To grant permissions to members of the
cn=Human Resources,dc=example,dc.com
group to modify all entries having the department
attribute set to Engineering
or Sales
:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x dn: dc=example,dc=com changetype: modify add: aci aci: (targetfilter = "(|(department=Engineering)(department=Sales)") (version 3.0; acl "Allow HR updating engineering and sales entries"; allow (write) (groupdn = "ldap:///cn=Human Resources,dc=example,dc.com");)
The
targetfilter
keyword targets whole entries. If you combine it with the targetattr
keyword, the ACI applies only to a subset of attributes of the targeted entries. See Section 18.9.3.3, “Targeting Certain Attributes of Entries Matching a Filter”.
Note
Using LDAP filters is useful when targeting entries and attributes that are spread across the directory. However, the results are sometimes unpredictable because filters do not directly name the object for which you are managing access. The set of entries targeted by a filtered ACI is likely to change as attributes are added or deleted. Therefore, if you use LDAP filters in ACIs, verify that they target the correct entries and attributes by using the same filter, for example, in an
ldapsearch
operation.
Using Wildcards with the targetfilter
Keyword
The
targetfilter
keyword supports wildcards similarly to standard LDAP filters. For example, to target all uid
attributes whose value starts with adm
:
(targetfilter = "(uid=adm*) ...)
18.9.1.4. Targeting Attribute Values Using LDAP Filters
You can use access control to target specific values of attributes. This means that you can grant or deny permissions on an attribute if that attribute's value meets the criteria that is defined in the ACI. An ACI that grants or denies access based on an attribute's value is called a value-based ACI.
Note
This applies only to
ADD
and DEL
operations. You cannot limit search rights by specific values.
To create a value-based ACI, use the
targattrfilters
keyword with the following syntax:
- For one operation with one attribute and filter combination:
(targattrfilters="operation=attribute:filter")
- For one operation with multiple attribute and filter combinations:
(targattrfilters="operation=attribute_1:filter_1 && attribute_2:filter_2 ... && attribute_m:filter_m")
- For two operations, each with multiple attribute and filter combinations:
(targattrfilters="operation_1=attribute_1_1:filter_1_1 && attribute_1_2:filter_1_2 ... && attribute_1_m:filter_1_m , operation_2=attribute_2_1:filter_2_1 && attribute_2_2:filter_2_2 ... & attribute_2_n:filter_2_n ")
In the previous syntax examples, you can set the operations either to
add
or del
. The attribute:filter
combination sets the filter and the attribute the filter is applied to.
The following describes how filter must match:
- When creating an entry and a filter applies to an attribute in the new entry, then each instance of that attribute must match the filter.
- When deleting an entry and a filter applies to an attribute in the entry, then each instance of that attribute must also match the filter.
- When modifying an entry and the operation adds an attribute, then the
add
filter that applies to that attribute must match. - If the operation deletes an attribute, then the
del
filter that applies to that attribute must match. If the individual values of an attribute already present in the entry are replaced, then both theadd
anddel
filters must match.
Example 18.5. Using the targattrfilters
Keyword
To create an ACI that enables users to add any role to their own entry, except the
Admin
role, and to add the telephone
attribute, as long as the value begins with the 123
prefix:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x dn: dc=example,dc=com changetype: modify add: aci aci: (targattrfilters="add=nsroledn:(!(nsroledn=cn=Admin)) && telephoneNumber:(telephoneNumber=123*)") (version 3.0; acl "Allow adding roles and telephone"; allow (add) (userdn = "ldap:///self");)
18.9.2. Further Target Keywords
This section describes target keywords that are less-frequently used.
18.9.2.1. Targeting Source and Destination DNs
In certain situations, administrators want to allow users to move directory entries. Using the
target_from
and target_to
keywords in an ACI, you can specify the source and destination of the operation, however, without enabling the user:
- To move entries from a different source as set in the ACI.
- To move entries to a different destination as set in the ACI.
- To delete existing entries from the source DN.
- To add new entries to the destination DN.
Example 18.6. Using the target_from
and target_to
Keywords
For example, to enable the
uid=user,dc=example,dc=com
account to move user accounts from the cn=staging,dc=example,dc=com
entry to cn=people,dc=example,dc=com
:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x dn: dc=example,dc=com changetype: modify add: aci aci: (target_from="ldap:///uid=*,cn=staging,dc=example,dc=com") (target_to="ldap:///cn=People,dc=example,dc=com") (version 3.0; acl "MODDN from"; allow (moddn)) userdn="ldap:///uid=user,dc=example,dc=com";)
Note
ACIs apply only to the subtree where they are defined. In the previous example, the ACI is applied only to the
dc=example,dc=com
subtree.
If the
target_from
or target_to
keyword is not set, the ACI matches any source or destination.
18.9.3. Advanced Usage of Target Rules
By combining multiple keywords, you can create complex target rules. This section provides examples of the advanced usage of target rules.
18.9.3.1. Delegating Permissions to Create and Maintain Groups
In certain situations, administrators want to delegate permissions to other accounts or groups. By combining target keywords, you can create secure ACIs that solve this request.
Example 18.7. Delegating Permissions to Create and Maintain Groups
To enable the
uid=user,ou=People,dc=example,dc=com"
account to create and update groups in the ou=groups,dc=example,dc=com
entry:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x dn: dc=example,dc=com changetype: modify add: aci aci: (target = "ldap:///cn=*,ou=Groups,dc=example,dc=com") (targattrfilters="add=objectclass:(|(objectclas=top)(objectclass=groupOfUniqueNames))) (targetattr="cn || uniqueMember || objectClass") (version 3.0; acl "example"; allow (read, search, write, add) (userdn = "ldap:///uid=test,ou=People,dc=example,dc=com");)
For security reasons, the previous example adds certain limitations. The
uid=test,ou=People,dc=example,dc=com
user:
- Can create objects that must contain the
top
andgroupOfUniqueNames
object classes. - Cannot add additional object classes, such as
account
. For example, this prevents if you use Directory Server accounts for local authentication, to create new users with an invalid user ID, such as0
for theroot
user.
The
targetfilter
rule ensures that the ACI entry applies only to entries with the groupofuniquenames
object class and the targetattrfilter
rule ensures that no other object class can be added.
18.9.3.2. Targeting Both an Entry and Attributes
The
target
controls access based on a DN. However, if you use it in combination with a wildcard and the targetattr
keyword, you can target both entries and attributes.
Example 18.8. Targeting Both an Entry and Attributes
To enable the
uid=user,ou=People,dc=example,dc.com
user to read and search members of groups in all organizational units in the dc=example,dc=com
subtree:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x dn: dc=example,dc=com changetype: modify add: aci aci: (target="ldap:///cn=*,dc=example,dc=com")(targetattr="member" || "cn") (version 3.0; acl "Allow uid=user to search and read members of groups"; allow (read, search) (userdn = "ldap:///uid=user,ou=People,dc=example,dc.com");)
18.9.3.3. Targeting Certain Attributes of Entries Matching a Filter
If you combine the
targetattr
and targetfilter
keywords in two target rules, you can target certain attributes in entries that match a filter.
Example 18.9. Targeting Certain Attributes of Entries Matching a Filter
To allow members of the
cn=Engineering Admins,dc=example,dc=com
group to modify the jpegPhoto
and manager
attributes of all entries having the department
attribute set to Engineering
:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x dn: dc=example,dc=com changetype: modify add: aci aci: (targetattr = "jpegPhoto || manager") (targetfilter = "(department=Engineering)") (version 3.0; acl "Allow engineering admins updating jpegPhoto and manager of department members"; allow (write) (groupdn = "ldap:///cn=Engineering Admins,dc=example,dc.com");)
18.9.3.4. Targeting a Single Directory Entry
To target a single directory entry, combine the
targetattr
and targetfilter
keywords.
Example 18.10. Targeting a Single Directory Entry
To enable the
uid=user,ou=People,dc=example,dc=com
user to read and search the ou
and cn
attributes in the ou=Engineering,dc=example,dc=com
entry:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x dn: ou=Engineering,dc=example,dc=com changetype: modify add: aci aci: (targetattr = "ou || cn") (targetfilter = "(ou=Engineering)") (version 3.0; acl "Allow uid=user to search and read engineering attributes"; allow (read, search) (userdn = "ldap:///uid=user,ou=People,dc=example,dc.com");)
To enable the previous example to target only the
ou=Engineering,dc=example,dc=com
entry, sub-entries in ou=Engineering,dc=example,dc=com
must not have the ou
attribute set to Engineering
.
Important
These kinds of ACIs can fail if the structure of your directory changes.
Alternatively, you can create a bind rule that matches the user input in the bind request with an attribute value that is stored in the targeted entry. See Section 18.11.2.1, “Defining Access Based on Value Matching”.