20120808 opendj aci targetfilter syntax - plembo/onemoretech GitHub Wiki

title: OpenDJ aci targetfilter syntax
link: https://onemoretech.wordpress.com/2012/08/08/opendj-aci-targetfilter-syntax/
author: lembobro
description:
post_id: 3149
created: 2012/08/08 16:41:54
created_gmt: 2012/08/08 20:41:54
comment_status: closed
post_name: opendj-aci-targetfilter-syntax
status: publish
post_type: post

OpenDJ aci targetfilter syntax

The deeper I get into administering OpenDJ, the more I come to understand just how forgiving Sun Directory was when it came to things like aci syntax. My latest revelation has to do with the aci syntax for targetfilter. The old Sun directories would let you get away with fairly sloppy syntax in schema and aci coding. Not so OpenDJ. In the long run this is generally a good thing, because it makes for fewer surprises when migrating configurations between directory platforms. As for the example at hand: targetfilter can be a very useful parameter in a complex access control framework. Basically it lets you narrow the targets of the aci beyond the mere container level. For example:

aci: (targetattr = "objectclass || uid || cn || sn || givenname || mail || title
  || telephonenumber || facsimiletelephonenumber || street || l || st || postalcode")
 (target = "ldap:///uid=*, ou=People, dc=example,dc=com")
 (version 3.0;acl "User Administrators control over People";
 allow (all,proxy)(groupdn = "ldap:///cn=User Administrators, ou=Groups,dc=example,dc=com");)

This gives the members of the User Administrators group all rights over everything in "ou=People,dc=example,dc=com". Now if you wanted to restrict them to managing only particular users, say those in the Sales department, you could add a targetfilter term, like this:

aci: (targetattr = "objectclass || uid || cn || sn || givenname || mail || title
  || telephonenumber || facsimiletelephonenumber || street || l || st || postalcode")
 (target = "ldap:///uid=*, ou=People, dc=example,dc=com")
 (targetfilter = "(departmentnumber=Sales)")
 (version 3.0;acl "User Administrators control over Sales";
 allow (all,proxy)(groupdn = "ldap:///cn=User Administrators, ou=Groups, dc=example,dc=com");)

The OpenDJ-compliant targetfilter syntax used in the example above is:

(targetfilter = "(attribute=value)")

Note that the double quotes around the actual LDAP filter are mandatory (they weren't under previous Sun directories). Clearly there's lots you can do here, depending on the quantity and quality of the information you have about your users in the directory (have I mentioned the importance of developing good relations with the HR department?).
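To catch the slips the post describes (an unquoted targetfilter, a stray parenthesis) before OpenDJ refuses the entry, here is a small lint function. It is an added example, not code from the post or from OpenDJ; the acis it checks are constructed, shortened variants of the one above.

```python
import re

# OpenDJ requires double-quoted targetattr/target/targetfilter values and a parenthesised filter.
_TARGET_KW_RE = re.compile(r'\(\s*(targetattr|target|targetfilter)\s*!?=\s*')
_BODY_RE = re.compile(r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;')


def _paren_depth(text: str) -> int:
    # Net '(' minus ')' count; goes negative and stops on a premature ')'.
    depth = 0
    for ch in text:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            break
    return depth


def lint_aci(aci: str) -> dict:
    """Lint one aci value (folded LDIF accepted); returns ok/errors/targets/acl."""
    aci = re.sub(r"\r?\n ", "", aci).strip()            # undo LDIF line folding
    aci = re.sub(r"^aci:\s*", "", aci, flags=re.I)      # drop the attribute name
    errors, targets = [], {}
    depth = _paren_depth(aci)
    if depth:
        errors.append("unbalanced parentheses" if depth > 0 else "')' before matching '('")
    for m in _TARGET_KW_RE.finditer(aci):
        kw, pos = m.group(1), m.end()
        end = aci.find('"', pos + 1) if aci[pos:pos + 1] == '"' else -1
        if end == -1:
            errors.append(f"{kw} value must be double-quoted")   # Sun DS let this slide
            continue
        targets[kw] = aci[pos + 1:end]
    flt = targets.get("targetfilter")
    if flt is not None and not (flt.startswith("(") and flt.endswith(")")
                                and _paren_depth(flt) == 0):
        errors.append("targetfilter must be a parenthesised LDAP filter such as (attr=value)")
    body = _BODY_RE.search(aci)
    if body is None:
        errors.append('missing (version 3.0; acl "name"; ...) body')
    return {"ok": not errors, "errors": errors, "targets": targets,
            "acl": body.group(1) if body else None}


# Constructed samples: compliant form, Sun-style unquoted targetfilter, doubled "((version" typo.
GOOD_ACI = ('aci: (targetattr = "objectclass || uid || cn || sn || mail")'
            '(target = "ldap:///uid=*,ou=People,dc=example,dc=com")'
            '(targetfilter = "(departmentnumber=Sales)")'
            '(version 3.0;acl "User Administrators control over Sales";'
            'allow (all,proxy)(groupdn = "ldap:///cn=User Administrators,ou=Groups,dc=example,dc=com");)')
SLOPPY_ACI = GOOD_ACI.replace('"(departmentnumber=Sales)"', '(departmentnumber=Sales)')
UNBALANCED_ACI = GOOD_ACI.replace("(version 3.0", "((version 3.0")
```

Run `lint_aci` over each aci value in your LDIF before loading it; anything with `ok` false is something OpenDJ's parser would have rejected anyway.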

Copyright 2004-2019 Phil Lembo