Pseudo DNs
Pseudo DNs are used in access control definition and evaluation.
The directory contains several pseudo DNs, for example group:cn=Anybody and access-id:cn=this, which are used to refer to large numbers of DNs that share a common characteristic, in relation to either the operation that is performed or the object on which the operation is performed.
Three pseudo DNs are supported by LDAP version 3.
- access-id: cn=this
- When specified as part of an ACL, this DN refers to the bind DN in the case where it is the same as the DN of the object on which the operation is performed. For example, if an operation is performed on the object cn=personA, o=sample and the bind DN is cn=personA, o=sample, the permissions that are granted are the combination of those permissions that are given to cn=this and those permissions that are given to cn=personA, o=sample.
- group: cn=Anybody
- When specified as part of an ACL, this DN refers to all users, including unauthenticated (anonymous) users. Users cannot be removed from this group, and this group cannot be removed from the database.
- group: cn=Authenticated
- This DN refers to any DN that has authenticated to the directory, regardless of the authentication method that was used. Note: cn=Authenticated refers to a DN that is authenticated anywhere on the server, regardless of where the object that represents that DN is located, so it must be used with caution. For example, under one suffix, cn=Secret, there can be a node called cn=Confidential Material that has an ACL entry of group:cn=Authenticated:normal:rsc. Under another suffix, cn=Common, there can be a node cn=Public Material. If these two trees are on the same server, a bind as cn=Public Material is considered authenticated, and therefore gets the normal-class permissions (rsc) on the cn=Confidential Material object. If access should be limited to users whose entries reside under one suffix, grant it to an explicit group or access-id under that suffix rather than to cn=Authenticated.
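The following Python model is an added illustration of the matching rules described above; it is not IBM Directory Server code. It parses aclEntry values of the form shown on this page (subject-type:subject-DN:attribute-class:permissions), applies only the three pseudo-DN rules stated here (cn=this, cn=Anybody, cn=Authenticated) plus plain access-id and group matching, and unions the permissions of every matching entry. The server's full precedence rules between access-id, group and role entries are not modelled. The group cn=Secret Readers, cn=Secret, the user cn=Analyst, cn=Secret and the membership table are constructed for the example and do not appear on the page.

```python
"""Model of how the pseudo DNs on this page match an LDAP bind.

Added illustration, not IBM Directory Server code. Only the matching rules
stated on the page are implemented; permissions of every matching aclEntry
are unioned. Assumptions: aclEntry values look like
subject-type:subject-DN:attribute-class:permissions, DN comparison is
case- and whitespace-insensitive, and ordinary group membership is given
by a caller-supplied table (the server's precedence rules are not modelled).
"""

ANONYMOUS = None  # bind_dn value used for an unauthenticated (anonymous) bind


def normalize_dn(dn):
    """Comparison key for a DN: lower-case, spaces around commas removed."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_acl_entry(entry):
    """Split 'group:cn=Authenticated:normal:rsc' into its four fields.

    The subject DN may contain commas, so the subject type is split off from
    the left and the attribute class and permissions from the right.
    """
    subject_type, rest = entry.split(":", 1)
    subject_dn, attr_class, perms = rest.rsplit(":", 2)
    return (subject_type.strip().lower(), normalize_dn(subject_dn),
            attr_class.strip().lower(), frozenset(perms.strip().lower()))


def subject_matches(subject_type, subject_dn, bind_dn, target_dn, memberships):
    """Decide whether one aclEntry subject applies to this bind and target."""
    authenticated = bind_dn is not ANONYMOUS
    if subject_type == "group" and subject_dn == "cn=anybody":
        return True                               # everyone, anonymous included
    if subject_type == "group" and subject_dn == "cn=authenticated":
        return authenticated                      # any bound DN, under any suffix
    if not authenticated:
        return False                              # nothing else matches anonymous binds
    bound = normalize_dn(bind_dn)
    if subject_type == "access-id" and subject_dn == "cn=this":
        return bound == normalize_dn(target_dn)   # bind DN is the target object itself
    if subject_type == "access-id":
        return bound == subject_dn                # explicit DN
    if subject_type == "group":
        return subject_dn in memberships.get(bound, frozenset())
    return False


def effective_permissions(acl_entries, bind_dn, target_dn, attr_class="normal", memberships=None):
    """Sorted string of permissions from every matching aclEntry for one attribute class."""
    members = {normalize_dn(dn): {normalize_dn(g) for g in groups}
               for dn, groups in (memberships or {}).items()}
    granted = set()
    for entry in acl_entries:
        stype, sdn, aclass, perms = parse_acl_entry(entry)
        if aclass == attr_class.lower() and subject_matches(stype, sdn, bind_dn, target_dn, members):
            granted |= perms
    return "".join(sorted(granted))


# Constructed scenarios mirroring the page's examples (the group, analyst user
# and membership table below are hypothetical, not from the page).
PERSON_A = "cn=personA, o=sample"
CONFIDENTIAL = "cn=Confidential Material, cn=Secret"
PUBLIC_USER = "cn=Public Material, cn=Common"
SECRET_READERS = "cn=Secret Readers, cn=Secret"


def this_plus_explicit():
    """cn=this and an explicit access-id combine when personA acts on her own entry."""
    acl = ["access-id:cn=this:normal:rw", "access-id:" + PERSON_A + ":normal:rsc"]
    return (effective_permissions(acl, PERSON_A, PERSON_A),
            effective_permissions(acl, "cn=personB, o=sample", PERSON_A))


def anybody_matches_anonymous():
    """cn=Anybody covers an anonymous bind; cn=Authenticated adds rights only for bound users."""
    acl = ["group:cn=Anybody:normal:rsc", "group:cn=Authenticated:normal:w"]
    return (effective_permissions(acl, ANONYMOUS, PERSON_A),
            effective_permissions(acl, "cn=personB, o=sample", PERSON_A))


def authenticated_crosses_suffixes():
    """The pitfall: a bind under cn=Common is 'authenticated' for an object under cn=Secret."""
    return effective_permissions(["group:cn=Authenticated:normal:rsc"], PUBLIC_USER, CONFIDENTIAL)


def scoped_group_instead():
    """Corrected ACL: grant to an explicit group under cn=Secret; only its members get access."""
    acl = ["group:" + SECRET_READERS + ":normal:rsc"]
    members = {"cn=Analyst, cn=Secret": {SECRET_READERS}}
    return (effective_permissions(acl, PUBLIC_USER, CONFIDENTIAL, memberships=members),
            effective_permissions(acl, "cn=Analyst, cn=Secret", CONFIDENTIAL, memberships=members))
```

Running the scenarios shows cn=Public Material, cn=Common receiving rsc on the confidential object from the cn=Authenticated entry, and receiving nothing once the entry names a group under cn=Secret instead.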