Is used for attributes whose values represent ACL entries.
#define SYN_OBJECT_ACL 17
NDS ACL
2.16.840.1.113719.1.1.5.1.17
typedef struct {
    pnstr8 protectedAttrName;
    pnstr8 subjectName;
    nuint32 privileges;
} Object_ACL_T;
uint32 Length
unicode Name of Protected Attribute
Align4
unicode Subject Name
Align4
uint32 Privileges
ndsAcl = privileges "#" scope "#" subjectname "#" protectedattrname
privileges = uint32string
scope = "entry" / "subtree"
subjectname = distinguishedname / "[Self]" / "[Creator]" / "[Public]" / "[Inheritance Mask]" / "[Root]"
protectedattrname = caseignorestring / "[Entry Rights]" / "[All Attribute Rights]"
ndsAcl ::= SEQUENCE {
    privileges uint32,
    subjectName LDAPDN,
    protectedAttrName LDAPString
}
For help in understanding the syntax definition template, see Reading Syntax Definitions.
An Object ACL value can protect either an object or an attribute. The protected object is always the one that contains the ACL attribute. If an ACL entry is to apply to the object as a whole, the protected attribute name should be left empty (NULL). If a specific attribute is to be protected, it should be named in the ACL entry.
You can match an ACL value against either a subject (trustee) or a privilege set, or both. If the subject name is not to be considered in the comparison, specify it as NULL. If the privilege set is not to be considered in the comparison, specify an “approximate match” with a privilege set value of zero.
The Object ACL syntax supports both matching for equality and approximate matching. The difference between matching for equality and approximate matching concerns the privileges field of the comparison value. When matching for equality, the privilege set must match exactly for the comparison to succeed. When approximate matching has been selected, any bits in the privilege field in the filter that are set must also be set in the target. Any other bits in the target are ignored.
Values with the same protectedAttrName and subjectName fields are considered duplicates and are not permitted.
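The matching and duplicate rules above, written out as an added example (not code from the NDK). The `acl_entry` type, the function names, the exact string comparison of names, and the privilege bit values and subject name in `main` are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for Object_ACL_T using standard C types. */
typedef struct {
    const char *protectedAttrName; /* NULL: entry applies to the whole object */
    const char *subjectName;       /* trustee; NULL in a filter means "ignore" */
    uint32_t    privileges;
} acl_entry;

typedef enum { MATCH_EQUALITY, MATCH_APPROXIMATE } match_mode;

/* NULL-safe exact comparison (assumption: no name normalization is done). */
static bool same_name(const char *a, const char *b) {
    if (a == NULL || b == NULL)
        return a == b;
    return strcmp(a, b) == 0;
}

/* Compare a stored ACL value (target) against a comparison value (filter). */
bool acl_matches(const acl_entry *target, const acl_entry *filter, match_mode mode) {
    /* A NULL subject in the filter removes the subject from the comparison. */
    if (filter->subjectName != NULL &&
        !same_name(target->subjectName, filter->subjectName))
        return false;
    if (mode == MATCH_EQUALITY)
        return target->privileges == filter->privileges;
    /* Approximate: every bit set in the filter must be set in the target;
       other target bits are ignored, so a filter of 0 matches any privileges. */
    return (target->privileges & filter->privileges) == filter->privileges;
}

/* Values with the same protectedAttrName and subjectName are duplicates,
   whatever their privileges. */
bool acl_is_duplicate(const acl_entry *a, const acl_entry *b) {
    return same_name(a->protectedAttrName, b->protectedAttrName) &&
           same_name(a->subjectName, b->subjectName);
}

int main(void) {
    /* Constructed sample values, not the NDK's named privilege masks. */
    acl_entry stored = { "Telephone Number", "cn=admin,o=example", 0x6 };
    acl_entry filter = { NULL, NULL, 0x2 };
    printf("approximate=%d equality=%d\n",
           acl_matches(&stored, &filter, MATCH_APPROXIMATE),
           acl_matches(&stored, &filter, MATCH_EQUALITY));
    return 0;
}
```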
For information on the bit mask for the privileges field and on the special values available for the protectedAttrName and subjectName fields, see the Object_ACL_T structure (NDK: Novell eDirectory Core Services).