Contents Integration Technologies Administration Previous Next

Specifying Bind Rules

The bind rule lets you specify a bind condition under which the access control information (ACI) rule is applied. For example, you could specify that the ACI rule is applied only when a user binds to the directory using their distinguished name (DN).

Note: ACIs are supported for the Netscape LDAP server only.

Enter the bind rule in the Bind Rule field on the Specify ACI Rule window. Most keywords take one of the following two forms (the timeofday keyword also accepts the comparison operators listed under that keyword):

keyword = expression
The keyword and expression must match for the statement to be true.
keyword != expression
The keyword and expression must not match for the statement to be true.

The possible keywords and expressions follow. For detailed information on specifying bind rules, see the Netscape Directory Server Administrator's Guide.

Note: Although bind rules are usually specified as ending with a semicolon, do not put a semicolon on the bind rules in this field. The Administrator application adds the semicolon automatically.

userdn

The expressions that you can use with this keyword are as follows:
userdn = "ldap:///dn"
Specify a distinguished name or a distinguished name pattern for dn. You may use an asterisk as a wildcard. The rule is true if the user binds using the specified distinguished name or a name that matches the pattern. For example, if you specify userdn = "ldap:///uid=*, o=Alpine Airways", the expression is true if the user binds as uid=jrush, o=Alpine Airways, but not if the user binds as uid=jrush, ou=sales, o=Alpine Airways, because the pattern allows no additional component between uid and o=Alpine Airways.

userdn = "ldap:///self"
The rule is true if the entry being accessed is the entry of the distinguished name that was used to bind to the directory. For example, a user who binds as uid=jrush, o=Alpine Airways could access the uid=jrush object.

userdn = "ldap:///all"
The rule is true for any valid distinguished name that has successfully bound to the directory.

userdn = "ldap:///anyone"
The rule is true for anyone. This rule permits anonymous access to the directory.

userdn = "ldap:///dn || ldap:///dn2"
The rule is true if the user binds using either of the specified distinguished names. Specify complete distinguished names (for example, uid=jrush, o=Alpine Airways); wildcards are not allowed in this form.

userdn = "ldap:///o=Alpine Airways???(ou=sales)(ou=accounting)"
The rule is true if the user's distinguished name is under either ou=sales, o=Alpine Airways or ou=accounting, o=Alpine Airways.

groupdn

This keyword uses the following expression:

groupdn = "ldap:///dn"
This rule is true if the bind distinguished name is a member of the group that is specified by dn. You can specify more than one group by separating the ldap:///dn expressions with ||, as for userdn. For example, if the rule is specified as groupdn = "ldap:///cn=managers, o=Alpine Airways", the rule is true if the user's distinguished name is a member of the managers group.

userdnattr

This keyword uses the following expression:

userdnattr = "ldap:///attribute"
The rule is true if the bind distinguished name is the same as the distinguished name stored in attribute on the entry being accessed. As an example, consider a directory object whose "manager" attribute holds uid=nking and a bind rule specified as userdnattr = "ldap:///manager". If user nking binds to the directory, the rule is true for that object because the bind distinguished name matches the value of the "manager" attribute.

groupdnattr

This keyword uses the following expressions:

groupdnattr = "ldap:///attribute"
The rule is true if the bind distinguished name is a member of a group whose distinguished name is stored in attribute on the entry being accessed. This operates like the userdnattr keyword, except that the attribute names a group rather than the user, so group membership is what is checked.

groupdnattr = "ldap:///dn?attribute"
This rule is true under the same condition as the form above, with the additional requirement that the group be located under the distinguished name that is specified by dn.
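The four DN-based keywords above (userdn, groupdn, userdnattr and groupdnattr) can be exercised against a small in-memory directory. The following Python is an example added here, not code from the Netscape Directory Server or the Administrator application; the sample entries (the managers group, the projectx entry with an owner attribute, the manager attribute on uid=jrush) and the details of wildcard and membership matching are assumptions chosen to mirror the descriptions above.

```python
# Evaluator for the DN-based bind-rule keywords (userdn, groupdn, userdnattr,
# groupdnattr) against a small in-memory directory.  Added example, not code
# from the Netscape Directory Server or the Administrator application; the
# sample entries and the matching rules are assumptions modelled on the
# descriptions in the text.
import re

LDAP_PREFIX = "ldap:///"

# Constructed sample directory: normalised DN -> attribute values.  The
# manager and owner attributes hold full DNs, as a real directory would.
DIRECTORY = {
    "uid=jrush,o=alpine airways": {"manager": ["uid=nking, o=Alpine Airways"]},
    "cn=managers,o=alpine airways": {"uniquemember": ["uid=nking, o=Alpine Airways"]},
    "cn=projectx,o=alpine airways": {"owner": ["cn=managers, o=Alpine Airways"]},
}


def norm_dn(dn):
    """Normalise a DN for comparison: lower case, no blanks around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def strip_prefix(expr):
    """Drop the mandatory ldap:/// prefix from one bind-rule expression."""
    expr = expr.strip()
    if not expr.startswith(LDAP_PREFIX):
        raise ValueError("bind-rule expression must start with ldap:///: " + expr)
    return expr[len(LDAP_PREFIX):]


def dn_matches_pattern(bind_dn, pattern):
    """True if bind_dn matches pattern, where * stands for any text inside one
    RDN value; it never spans a comma, so uid=*, o=Alpine Airways does not
    match an entry that has an extra ou component in between."""
    regex = "^" + re.escape(norm_dn(pattern)).replace(r"\*", "[^,]*") + "$"
    return re.match(regex, norm_dn(bind_dn)) is not None


def is_member(bind_dn, group_dn):
    """Static group membership: bind_dn appears in member or uniqueMember."""
    group = DIRECTORY.get(norm_dn(group_dn), {})
    members = group.get("uniquemember", []) + group.get("member", [])
    return norm_dn(bind_dn) in {norm_dn(m) for m in members}


def userdn_true(expr, bind_dn, target_dn):
    """Evaluate userdn = "expr".  bind_dn is None for an anonymous bind;
    target_dn is the entry being accessed (needed for ldap:///self)."""
    alternatives = [strip_prefix(alt) for alt in expr.split("||")]
    for alt in alternatives:
        if alt == "anyone":                 # anonymous binds included
            return True
        if bind_dn is None:                 # every other form needs a bound DN
            continue
        if alt == "all":
            return True
        if alt == "self":
            if norm_dn(bind_dn) == norm_dn(target_dn):
                return True
        elif "*" in alt and len(alternatives) > 1:
            raise ValueError("wildcards are not allowed in a || list")
        elif dn_matches_pattern(bind_dn, alt):
            return True
    return False


def groupdn_true(expr, bind_dn):
    """Evaluate groupdn = "expr": the bind DN is a member of any listed group."""
    if bind_dn is None:
        return False
    return any(is_member(bind_dn, strip_prefix(g)) for g in expr.split("||"))


def userdnattr_true(expr, bind_dn, target_dn):
    """Evaluate userdnattr = "ldap:///attribute": the target entry's attribute
    holds the bind DN itself."""
    if bind_dn is None:
        return False
    attr = strip_prefix(expr).lower()
    values = DIRECTORY.get(norm_dn(target_dn), {}).get(attr, [])
    return norm_dn(bind_dn) in {norm_dn(v) for v in values}


def groupdnattr_true(expr, bind_dn, target_dn):
    """Evaluate groupdnattr = "ldap:///attribute" or "ldap:///dn?attribute":
    the target entry's attribute names a group the bind DN belongs to; with a
    dn, only groups located under that dn count."""
    if bind_dn is None:
        return False
    base, _, attr = strip_prefix(expr).rpartition("?")   # base == "" without dn
    for group_dn in DIRECTORY.get(norm_dn(target_dn), {}).get(attr.lower(), []):
        if base and not norm_dn(group_dn).endswith("," + norm_dn(base)):
            continue
        if is_member(bind_dn, group_dn):
            return True
    return False
```

Calling userdn_true("ldap:///uid=*, o=Alpine Airways", "uid=jrush, ou=sales, o=Alpine Airways", target) returns False while the same pattern matches uid=jrush, o=Alpine Airways, which reproduces the wildcard behaviour described under userdn; the groupdnattr forms with and without a leading dn show how the base restriction excludes a group that lives elsewhere in the tree.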

ip

This keyword uses the following expression:

ip = "ip address"
The rule is true if the connection to the directory comes from the specified IP address. You may use asterisks as wildcards. For example, ip = "10.15.67.*" is true for any address that begins with 10.15.67. Note that this rule identifies the client host, not the person using it.

dns

This keyword uses the following expression:

dns = "dns hostname"
The rule is true if the connection to the directory comes from a host in the specified domain. You may use asterisks as wildcards. For example, dns = "*.alpine.com". The server must resolve the client address to a hostname to evaluate this rule, so the result depends on DNS and, like the ip keyword, identifies the client host rather than the person using it.

timeofday

This keyword uses the following expression:

timeofday operator "time"
The rule is true if the time at which the user accesses the directory satisfies the comparison in the rule. Specify time in 24-hour HHMM format (0 to 2359). Use operator to specify whether the access time must be equal to, different from, before, or after the time that is specified. The possible values for operator are shown in the following examples:
  • timeofday = "800" (rule is true if the user accesses the directory at 8:00 AM)
  • timeofday != "1030" (rule is true at any time other than 10:30 AM)
  • timeofday > "1400" (rule is true after 2:00 PM)
  • timeofday >= "1400" (rule is true at or after 2:00 PM)
  • timeofday < "1100" (rule is true before 11:00 AM)
  • timeofday <= "1100" (rule is true at or before 11:00 AM)

dayofweek

This keyword uses the following expression:

dayofweek = "day"
The rule is true if the user accesses the directory on the specified day (the day is determined on the server). The values for day are Sun, Mon, Tue, Wed, Thu, Fri, and Sat.

authmethod

This keyword uses the following expression:

authmethod = "authentication method"
The rule is true if the user accesses the directory using the specified authentication method. Values for authentication method are none, simple, ssl, and sasl sasl_mechanism. For example, the rule authmethod = "simple" is true if the user accesses the directory using a username and password.
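The connection-based keywords (ip, dns, timeofday, dayofweek and authmethod) depend on properties of the bind rather than on the bound DN, and they can be evaluated against a recorded bind context. The following Python is an example added here, not code from the Netscape Directory Server or the Administrator application; the context fields, the sample connection (a Wednesday 14:30 simple bind from 10.15.67.200) and the matching rules are assumptions modelled on the descriptions above.

```python
# Evaluator for the connection-based bind-rule keywords (ip, dns, timeofday,
# dayofweek, authmethod) against a constructed bind context.  Added example,
# not code from the Netscape Directory Server or the Administrator
# application; the context fields and the matching rules are assumptions
# modelled on the descriptions in the text.
import fnmatch
import re
from datetime import datetime

# keyword, operator and double-quoted value, e.g.  timeofday >= "1400"
RULE_RE = re.compile(r'^\s*(\w+)\s*(!=|>=|<=|=|>|<)\s*"([^"]*)"\s*$')
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]   # datetime.weekday() order
AUTHMETHODS = {"none", "simple", "ssl", "sasl"}

# Constructed sample bind context: the server's view of one connection.
# 10 January 2024 is a Wednesday.
SAMPLE_CTX = {
    "ip": "10.15.67.200",                   # client address
    "dns": "ws12.alpine.com",               # client name, as resolved by the server
    "when": datetime(2024, 1, 10, 14, 30),  # server-local time of the access
    "authmethod": "simple",                 # none, simple, ssl or "sasl MECHANISM"
}


def parse_rule(rule):
    """Split 'keyword op "value"' into its three parts."""
    match = RULE_RE.match(rule)
    if not match:
        raise ValueError("malformed bind rule: " + rule)
    return match.group(1).lower(), match.group(2), match.group(3)


def compare(op, actual, wanted):
    """Apply a comparison operator to two values of the same type."""
    return {"=": actual == wanted, "!=": actual != wanted,
            ">": actual > wanted, ">=": actual >= wanted,
            "<": actual < wanted, "<=": actual <= wanted}[op]


def bind_rule_true(rule, ctx):
    """Evaluate one connection-based bind rule against a context dict with
    the keys shown in SAMPLE_CTX."""
    keyword, op, value = parse_rule(rule)
    if keyword == "timeofday":
        # HHMM is compared as a number: a text comparison would sort "800"
        # after "1400", the opposite of what the rule means.
        now = ctx["when"].hour * 100 + ctx["when"].minute
        return compare(op, now, int(value))
    if op not in ("=", "!="):
        raise ValueError(keyword + " accepts only = and !=")
    if keyword == "ip":
        # Wildcard match on the address: this identifies the client host,
        # not the person using it.
        matched = fnmatch.fnmatchcase(ctx["ip"], value)
    elif keyword == "dns":
        # Case-insensitive wildcard match on the resolved hostname.
        matched = fnmatch.fnmatchcase(ctx["dns"].lower(), value.lower())
    elif keyword == "dayofweek":
        if value not in DAYS:
            raise ValueError("dayofweek must be one of " + ", ".join(DAYS))
        matched = DAYS[ctx["when"].weekday()] == value
    elif keyword == "authmethod":
        words = value.lower().split()
        if not words or words[0] not in AUTHMETHODS:
            raise ValueError("unknown authentication method: " + value)
        # "sasl MECHANISM" is compared with surplus whitespace removed
        matched = " ".join(words) == " ".join(ctx["authmethod"].lower().split())
    else:
        raise ValueError("not a connection-based keyword: " + keyword)
    return matched if op == "=" else not matched


def evaluate_rules(rules, ctx):
    """Evaluate several rules and report each result, for checking an ACI
    against a captured bind before deploying it."""
    return {rule: bind_rule_true(rule, ctx) for rule in rules}
```

Against SAMPLE_CTX, timeofday > "800" is true and timeofday < "1100" is false only because the HHMM values are compared as numbers; the same rules evaluated by string comparison would give the opposite answers.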
