18.5. Limitations of ACIs


When you set ACIs, the following restrictions apply:
  • If your directory database is distributed over multiple servers, the following restrictions apply to the keywords you can use in ACIs:
    • ACIs depending on group entries using the groupdn keyword must be located on the same server as the group entry.
      If the group is dynamic, all members of the group must have an entry on the server. Member entries of static groups can be located on the remote server.
    • ACIs depending on role definitions using the roledn keyword must be located on the same server as the role definition entry. Every entry that is intended to have the role must also be located on the same server.
    However, you can match values stored in the target entry with values stored in the entry of the bind user by, for example, using the userattr keyword. In this case, access is evaluated normally even if the bind user does not have an entry on the server that stores the ACI.
  • You cannot use virtual attributes, such as Class of Service (CoS) attributes, in the following ACI keywords:
    • targetfilter
    • targattrfilters
    • userattr
  • Access control rules are evaluated only on the local server. For example, if you specify the host name of a server in LDAP URLs in ACI keywords, the URL will be ignored.
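
The following is an added example, not part of the Red Hat documentation: a Python check that flags ACI strings affected by the restrictions listed above. The sample ACIs, the host name ds2.example.com, and the treatment of deptCode as a virtual attribute are constructed assumptions; which attributes are virtual in a deployment must be supplied by the caller.

```python
import re

# Keywords whose referenced entry must be stored on the same server as the ACI.
SAME_SERVER = ("groupdn", "roledn")
# Keywords in which virtual attributes (such as CoS attributes) cannot be used.
NO_VIRTUAL = ("targetfilter", "targattrfilters", "userattr")

def lint_aci(aci, virtual_attrs=()):
    """Return (keyword, message) findings for one ACI string.

    virtual_attrs is an assumption supplied by the caller: the names of the
    attributes that are virtual in this deployment.
    """
    findings = []
    # Each keyword = "value" (or != "value") pair in the ACI.
    for kw, value in re.findall(r'(\w+)\s*!?=\s*"([^"]*)"', aci):
        kw = kw.lower()
        if kw in SAME_SERVER:
            findings.append((kw, "referenced entry must be on the server that stores this ACI"))
        if kw in NO_VIRTUAL:
            for attr in virtual_attrs:
                # Whole-name match so "deptCode" does not hit "deptCodeOld".
                if re.search(r"(?<![\w-])%s(?![\w-])" % re.escape(attr), value, re.I):
                    findings.append((kw, "virtual attribute %r cannot be used here" % attr))
        # ldap:///dn has an empty host part; ldap://host/dn names a server.
        for host in re.findall(r'ldaps?://([^/\s|"]+)/', value, re.I):
            findings.append((kw, "URL names host %r and will be ignored" % host))
    return findings

# Constructed sample ACIs (not taken from the documentation).
ACI_FLAGGED = (
    '(targetattr = "telephoneNumber")(targetfilter = "(deptCode=eng)")'
    '(version 3.0; acl "constructed sample 1"; allow (write) '
    'groupdn = "ldap://ds2.example.com/cn=admins,ou=groups,dc=example,dc=com";)'
)
ACI_CLEAN = (
    '(targetattr = "telephoneNumber")'
    '(version 3.0; acl "constructed sample 2"; allow (write) '
    'userattr = "manager#USERDN";)'
)

if __name__ == "__main__":
    for name, aci in (("flagged", ACI_FLAGGED), ("clean", ACI_CLEAN)):
        for kw, msg in lint_aci(aci, virtual_attrs=("deptCode",)):
            print("%s: %s: %s" % (name, kw, msg))
```

The groupdn finding is a prompt to confirm where the group entry is stored, not proof of a misconfiguration; on a single-server deployment it can be disregarded.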
© 2024 Red Hat, Inc.