subtreeSpecification

A subtree specification provides a way to describe a subset of entries in a subtree of the DIT. A subtree begins at a base entry and includes the subordinates of that entry to an optionally specified lower boundary, possibly including leaf entries. The following example uses a subtree specification to apply privileges to Directory Administrators group members under ou=people (relative to the parent of the subentry). In other words, this sample applies to entries under ou=people,dc=example,dc=com:

dn: cn=Administrator Privileges,dc=example,dc=com
objectClass: collectiveAttributeSubentry
objectClass: extensibleObject
objectClass: subentry
objectClass: top
cn: Administrator Privileges
ds-privilege-name;collective: config-read
ds-privilege-name;collective: config-write
ds-privilege-name;collective: ldif-export
ds-privilege-name;collective: modify-acl
ds-privilege-name;collective: password-reset
ds-privilege-name;collective: proxied-auth
subtreeSpecification: {base "ou=people", specificationFilter
"(isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }
Notice that the subentry where this operational attribute occurs
sets the context that implicitly defines the bounds of the subtree.

Origin

RFC 3672

Usage

directoryOperation

OID

2.5.18.6

Equality Matching Rule

octetStringMatch

Single Value

true

Names

subtreeSpecification

Ordering Matching Rule

octetStringOrderingMatch

User Modification Allowed

true

Used By

inheritedCollectiveAttributeSubentry, inheritedFromDNCollectiveAttributeSubentry, inheritedFromRDNCollectiveAttributeSubentry, subentry

Schema File

00-core.ldif

Syntax

SubtreeSpecification