5.1.3. ACI Subjects

ACI subjects match characteristics of the client connection to the server. Use subjects to restrict whether the ACI applies depending on who connected, and when, where, and how they connected.

authmethod = "none|simple|ssl|sasl mech", authmethod != "none|simple|ssl|sasl mech"

Here you use none to mean do not check, simple for simple authentication, ssl for certificate-based authentication over LDAPS, sasl mech for SASL where mech is DIGEST-MD5, EXTERNAL, or GSSAPI.

dayofweek = "day[, day …]", dayofweek != "day[, day …]"

Replace day with one of sun, mon, tue, wed, thu, fri, sat.

dns = "hostname", dns != "hostname"

You can use asterisks, *, to replace name components, such as dns = "*.myCompany.com".

groupdn = "ldap:///DN[|| ldap:///DN …]", groupdn != "ldap:///DN[|| ldap:///DN …]"

Replace DN with the distinguished name of a group to permit or restrict access for members.

ip = "addresses", ip != "addresses"

Here addresses can be specified for IPv4 or IPv6. IPv6 addresses are specified in brackets as ldap://[address]/subnet-prefix where /subnet-prefix is optional. You can specify individual IPv4 addresses, addresses with asterisks (*) to replace subnets and host numbers, CIDR notation, and forms such as 192.168.0.*+255.255.255.0 to specify subnet masks.

ssf = "strength", ssf != "strength", ssf > "strength", ssf >= "strength", ssf < "strength", ssf <= "strength"

Here the security strength factor pertains to the cipher key strength for connections using DIGEST-MD5, GSSAPI, SSL, or TLS. For example, to require at least 128 bits of encryption on the connection, specify ssf >= 128.

timeofday = "hhmm", timeofday != "hhmm", timeofday > "hhmm", timeofday >= "hhmm", timeofday < "hhmm", timeofday <= "hhmm"

Here hhmm is expressed on a 24-hour clock. For example, 1:15 PM is written 1315.

userattr = "attr#value", userattr != "attr#value", userattr = "ldap-url#LDAPURL", userattr != "ldap-url#LDAPURL", userattr = "[parent[child-level]. ]attr#GROUPDN|USERDN", userattr != "[parent[child-level]. ]attr#GROUPDN|USERDN"

The userattr subject specifies an attribute that must match on both the bind entry and the target of the ACI.

To match when the attribute on the bind DN entry corresponds directly to the attribute on the target entry, replace attr with the attribute type, and value with the attribute value.

To match when the target entry is identified by an LDAP URL, and the bind DN is in the subtree of the DN of the LDAP URL, use ldap-url#LDAPURL.

To match when the bind DN corresponds to a member of the group identified by the attr value on the target entry, use attr#GROUPDN.

To match when the bind DN corresponds to the attr value on the target entry, use attr#USERDN.

The optional inheritance specification, parent[child-level]., lets you specify how many levels below the target entry inherit the ACI. Here child-level is a number from 0 to 9, with 0 indicating the target entry only. Separate multiple child-level digits with commas (,).

userdn = "ldap-url++[|| ldap-url++ …]", userdn != "ldap-url++[|| ldap-url++ …]"

To match the bind DN, replace ldap-url++ with either a valid LDAP URL such as ldap:///uid=bjensen,ou=People,dc=example,dc=com, ldap:///dc=example,dc=com??sub?(uid=bjensen), or a special LDAP URL-like keyword from the following list.

ldap:///all

Match authenticated users.

ldap:///anyone

Match anonymous and authenticated users.

ldap:///parent

Match when the bind DN is a parent of the ACI target.

ldap:///self

Match when the bind DN entry corresponds to the ACI target.
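The following is an added example, not taken from the original page, showing how several of these subjects combine in complete ACI values; the base DN dc=example,dc=com, the 192.168.0.0/24 subnet, the business-hours window and the ACI names are assumed values, and the target and permission parts of each ACI (targetattr, version 3.0, acl, allow) are assumed to follow the server's standard ACI form, which this section does not cover. The first ACI grants a password write to an overly broad subject; the second narrows the same grant using connection-based subjects; the third uses userattr to match the bind DN against an attribute of the target entry:

```ldif
# Constructed example; these are not rules shipped with any server.
# Weak: anyone, over any connection, at any time, may change userPassword
# on entries under ou=People.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="userPassword")(version 3.0; acl "Password change, too broad";
  allow (write) userdn="ldap:///anyone";)

# Restricted: only the entry's own owner, bound with a password, over a
# connection with at least 128-bit encryption, from the assumed office
# subnet, on weekdays between 08:00 and 18:00.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="userPassword")(version 3.0; acl "Self password change, restricted";
  allow (write) (userdn="ldap:///self") and (authmethod="simple")
  and (ssf >= "128") and (ip="192.168.0.*+255.255.255.0")
  and (dayofweek="mon,tue,wed,thu,fri")
  and (timeofday >= "0800") and (timeofday < "1800");)

# userattr: the bind DN must equal the value of the target entry's
# manager attribute, so only the recorded manager may edit the number.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="telephoneNumber")(version 3.0; acl "Manager edits phone";
  allow (read,search,compare,write) userattr="manager#USERDN";)
```

Subjects joined with and must all match for the ACI to apply, so a bind that satisfies userdn but arrives over a connection below the required ssf is denied by the second ACI.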