5.1.1. ACI Targets

The seven types of ACI targets identify the objects to which the ACI applies.

(target = "ldap:///DN"), (target != "ldap:///DN")

Sets the scope to the entry with distinguished name DN, and to child entries.

You can use asterisks, *, to replace attribute types, attribute values, and entire DN components. For example, the following specification targets both uid=bjensen,ou=People,dc=example,dc=com and cn=Frank Zappa,ou=Musicians,dc=example,dc=com.

(target = "ldap:///*=*,*,dc=example,dc=com")

The DN must be in the subtree of the entry on which the ACI is defined.

If you do not specify target, then the entry holding this ACI will be affected. If targetscope is also omitted, then this entry and all subordinates will be affected.

(targetattr = "attr-list"), (targetattr != "attr-list")

Replace attr-list with a list of attribute type names, such as userPassword, separating multiple attribute type names with ||.

This specification affects the entry where the ACI is located, or the entries specified by other targets in the ACI.

You can use an asterisk, *, to specify all non-operational attributes, although you will see better performance when you explicitly include or exclude the attribute types needed. You can use a plus, +, to specify all operational attributes.

If you do not include this target specification, then by default no attributes are affected by the ACI.

(targetfilter = "ldap-filter"), (targetfilter != "ldap-filter")

Sets the scope to match the ldap-filter dynamically, as in an LDAP search. The ldap-filter can be any valid LDAP filter.

(targattrfilters = "expression"), (targattrfilters != "expression")

Use this target specification when managing changes made to particular attributes.

Here expression takes one of the following forms. Separate expressions with semicolons, ;.

op=attr1:filter1[&& attr2:filter2 …][;op=attr3:filter3[&& attr4:filter4 …] …]

Here op can be either add for operations creating attributes, or delete for operations removing them. Replace attr with an attribute type. Replace filter with an LDAP filter that corresponds to the attr attribute type.

(targetscope = "base|onelevel|subtree|subordinate")

Here base refers to the entry where the ACI is defined, onelevel to immediate children, subtree to the base entry and all children, and subordinate to all children only.

If you do not specify targetscope, then the default is subtree.

(targetcontrol = "OID"), (targetcontrol != "OID")

Replace OID with the object identifier for the LDAP control to target. Separate multiple OIDs with ||.

This target cannot be restricted to a specific subtree by combining it with another target.

(extop = "OID"), (extop != "OID")

Replace OID with the object identifier for the extended operation to target. Separate multiple OIDs with ||.

This target cannot be restricted to a specific subtree by combining it with another target.

Note

Different LDAP server implementations that support Netscape's ACI syntax may support different multi-valued quotation styles or policies. Specifically, this can relate to attr-list and OID values.

OpenDJ ONLY offers support for the so-called "All-Encompassing" quotation style, as is demonstrated throughout this guide. For instance:

(targetattr = "attr1 || attr2 || attr3")

Other implementations may also support the so-called "Individual" quotation style, which is expressed as:

(targetattr = "attr1" || "attr2" || "attr3")

Users migrating to OpenDJ from an implementation that not only supports the "Individual" quotation style but actively uses it must take care to sanitize any inbound ACIs bearing this style of quotation; otherwise, errors will occur during integration.
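As an added example (not code from the OpenDJ guide or project), the following Python check flags target clauses written in the "Individual" quotation style and rewrites them into the "All-Encompassing" style that OpenDJ accepts, so exported ACIs can be sanitized before import. The sample ACI fragments, including the extended operation OIDs in them, are constructed for illustration.

```python
import re

# Target keywords whose values the guide describes as multi-valued (joined with ||):
# targetattr takes an attr-list, targetcontrol and extop take lists of OIDs.
MULTI_VALUED_TARGETS = ("targetattr", "targetcontrol", "extop")

# "Individual" style: every value in its own quotes, with || between the quoted
# strings. The (?:...)+ group requires at least one || OUTSIDE the quotes, so a
# clause already in the All-Encompassing style ("a || b || c") never matches.
_INDIVIDUAL = re.compile(
    r'\(\s*(?P<kw>' + "|".join(MULTI_VALUED_TARGETS) + r')\s*(?P<op>!?=)\s*'
    r'(?P<vals>"[^"]*"(?:\s*\|\|\s*"[^"]*")+)\s*\)'
)


def find_individual_quoting(aci: str) -> list[str]:
    """Return every target clause in aci that uses the Individual quotation style."""
    return [m.group(0) for m in _INDIVIDUAL.finditer(aci)]


def normalize_aci_quoting(aci: str) -> str:
    """Rewrite Individual-style clauses into the All-Encompassing style.

    (targetattr = "a" || "b")  ->  (targetattr = "a || b")
    Single-valued clauses and All-Encompassing clauses are returned unchanged.
    """
    def _join(m: re.Match) -> str:
        values = re.findall(r'"([^"]*)"', m.group("vals"))
        return f'({m.group("kw")} {m.group("op")} "{" || ".join(values)}")'

    return _INDIVIDUAL.sub(_join, aci)


# Constructed sample: target specifications as another implementation might export them.
# The OIDs are the standard Password Modify (RFC 3062) and Who am I? (RFC 4532) extops.
SAMPLE_ACIS = [
    '(targetattr = "cn" || "sn" || "mail")(targetscope = "subtree")',
    '(targetattr != "userPassword")',                    # single value: nothing to change
    '(targetattr = "cn || sn || mail")',                 # already All-Encompassing
    '(extop = "1.3.6.1.4.1.4203.1.11.1" || "1.3.6.1.4.1.4203.1.11.3")',
]

if __name__ == "__main__":
    for aci in SAMPLE_ACIS:
        flagged = find_individual_quoting(aci)
        print(f"{aci}\n  -> {normalize_aci_quoting(aci)}  ({len(flagged)} clause(s) rewritten)")
```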