Pseudo DNs

Pseudo DNs are used in access control definition and evaluation.

The directory contains several pseudo DNs, for example group:cn=Anybody and access-id:cn=this. A pseudo DN refers to a large number of DNs that share a common characteristic, in relation to either the operation that is performed or the object on which the operation is being performed.

Three pseudo DNs are supported by LDAP version 3.
access-id: cn=this
When specified as part of an ACL, this DN refers to the bindDN when it matches the DN of the object on which the operation is performed. For example, if an operation is performed on the object cn=personA, o=sample and the bindDN is cn=personA, o=sample, the permissions that are granted are a combination of those permissions that are given to cn=this and those permissions that are given to cn=personA, o=sample.
group: cn=anybody
When specified as part of an ACL, this DN refers to all users, even those users that are unauthenticated. Users cannot be removed from this group, and this group cannot be removed from the database.
group: cn=Authenticated
This DN refers to any DN that is authenticated by the directory. The method of authentication is not considered.
Note: cn=Authenticated refers to a DN that is authenticated anywhere on the server, regardless of where the object that represents the DN is located. It must be used with caution, however. For example, under one suffix, cn=Secret can be a node that is called cn=Confidential Material, which has an ACL entry of group:cn=Authenticated:normal:rsc. Under another suffix, cn=Common can be the node cn=Public Material. If these two trees are on the same server, a bind to cn=Public Material is considered authenticated, and gets permission to the normal class on the cn=Confidential Material object.
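
The matching rules above, including the cross-suffix case from the note, can be modeled in a few lines. This is an added example, not code from the directory server: the function names, the sample ACL lists and the full DNs built from the note's node names are constructed, the parser assumes the type:DN:class:permissions form shown in the note, and deny rules, precedence and real group membership are left out.

```python
# Added illustration: simplified model of pseudo DN matching, not server code.
# Assumptions: no deny rules, no precedence, no real group membership lookup.
ANYBODY = ("group", "cn=anybody")
AUTHENTICATED = ("group", "cn=authenticated")
THIS = ("access-id", "cn=this")


def norm_dn(dn):
    """Lowercase a DN and drop spaces around ',' and '=' for comparison."""
    return ",".join("=".join(p.strip() for p in rdn.split("=", 1))
                    for rdn in dn.lower().split(","))


def parse_acl_entry(value):
    """Split 'type:DN:class:perms' from the right; return (subject, class, perms)."""
    head, attr_class, perms = value.rsplit(":", 2)
    subj_type, subj_dn = head.split(":", 1)
    return (subj_type.strip().lower(), norm_dn(subj_dn)), attr_class, perms


def subject_matches(subject, bind_dn, target_dn):
    """bind_dn is None for an unauthenticated request."""
    if subject == ANYBODY:
        return True                  # all users, even unauthenticated ones
    if bind_dn is None:
        return False
    if subject == AUTHENTICATED:
        return True                  # any suffix, any authentication method
    if subject == THIS:
        return norm_dn(bind_dn) == norm_dn(target_dn)
    return subject == ("access-id", norm_dn(bind_dn))


def applicable_entries(acl_values, bind_dn, target_dn):
    """ACL values whose subject matches this bind DN and target object."""
    return [v for v in acl_values
            if subject_matches(parse_acl_entry(v)[0], bind_dn, target_dn)]


def broad_grants(acl_values):
    """Audit helper: values granted to cn=Anybody or cn=Authenticated."""
    return [v for v in acl_values
            if parse_acl_entry(v)[0] in (ANYBODY, AUTHENTICATED)]


# Constructed samples: ACLs on cn=Confidential Material and on cn=personA.
SECRET_ACL = ["group:cn=Authenticated:normal:rsc"]
PERSON_ACL = ["access-id:cn=this:normal:rsc",
              "access-id:cn=personA,o=sample:normal:rsc"]
```

Running broad_grants over the ACL values exported from each suffix lists the entries that a bind from any other suffix on the same server would match.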