18.5. Limitations of ACIs
When you set ACIs, the following restrictions apply:

- If your directory database is distributed over multiple servers, the following restrictions apply to the keywords you can use in ACIs:
  - ACIs that depend on group entries using the `groupdn` keyword must be located on the same server as the group entry. If the group is dynamic, all members of the group must have an entry on that server. Member entries of static groups can be located on a remote server.
  - ACIs that depend on role definitions using the `roledn` keyword must be located on the same server as the role definition entry. Every entry that is intended to have the role must also be located on the same server.

  However, you can match values stored in the target entry with values stored in the entry of the bind user by, for example, using the `userattr` keyword. In this case, access is evaluated normally even if the bind user does not have an entry on the server that stores the ACI. For further details, see Section 2.3.3, "Database Links and Access Control Evaluation".
- You cannot use virtual attributes, such as Class of Service (CoS) attributes, in the following ACI keywords:
  - `targetfilter`
  - `targattrfilters`
  - `userattr`

  For details, see Chapter 8, Organizing and Grouping Entries.
- Access control rules are evaluated only on the local server. For example, if you specify the host name of a server in LDAP URLs in ACI keywords, the host name part of the URL is ignored and the rule is evaluated against the local server.
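The following LDIF is an added example, not taken from the original page or from the Directory Server documentation. It contrasts the three situations described above: a `groupdn` rule that requires the group entry to be local, a `userattr` rule that works even when the bind user's entry lives on a remote server, and an LDAP URL whose host name is ignored. The suffix `dc=example,dc=com`, the group and attribute names, and the host name `ldap2.example.com` are assumptions chosen for illustration.

```ldif
# Added example (not from the original page). All DNs, group names and the
# host name are assumptions for illustration.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
# 1. groupdn: the entry cn=Directory Admins,ou=Groups must exist on THIS
#    server. If it is a dynamic group, every member must also have an entry
#    here; members of a static group may live on a remote server.
aci: (targetattr="*")(version 3.0; acl "Admins via groupdn";
  allow (read,search,compare)
  groupdn="ldap:///cn=Directory Admins,ou=Groups,dc=example,dc=com";)
# 2. userattr: compares the target entry's own "manager" attribute with the
#    bind DN. No lookup of the bind user's entry is needed, so this works
#    even when that entry is on a remote server behind a database link.
aci: (targetattr="telephoneNumber || roomNumber")(version 3.0;
  acl "Manager via userattr";
  allow (read,search,compare) userattr="manager#USERDN";)
# 3. The host name and port in the URL are ignored. This rule is evaluated
#    exactly as if it read ldap:///cn=Helpdesk,ou=Groups,dc=example,dc=com
#    against the local server, whether or not ldap2.example.com exists.
aci: (targetattr="telephoneNumber")(version 3.0; acl "Helpdesk via URL";
  allow (read,search)
  groupdn="ldap://ldap2.example.com:389/cn=Helpdesk,ou=Groups,dc=example,dc=com";)
# Note: a targetfilter, targattrfilters or userattr clause that references an
# attribute generated by a CoS definition (a virtual attribute) is not
# supported; keep such clauses to attributes physically stored in the entry.
```

Apply it with `ldapmodify` as Directory Manager and check the result with an `ldapsearch` bound as a member of each group; for the `userattr` rule, bind as the DN named in a target entry's `manager` attribute and confirm the read succeeds even if that bind entry is served through a database link.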