DS 7.2.4

subtreeSpecification

A subtree specification provides a way to describe a subset of entries in a subtree of the DIT. A subtree begins at a base entry and includes the subordinates of that entry to an optionally specified lower boundary, possibly including leaf entries.

The following example uses a subtree specification to apply privileges to Directory Administrators group members under ou=people (relative to the parent of the subentry). In other words, this sample applies to entries under ou=people,dc=example,dc=com:

dn: cn=Administrator Privileges,dc=example,dc=com
objectClass: collectiveAttributeSubentry
objectClass: extensibleObject
objectClass: subentry
objectClass: top
cn: Administrator Privileges
ds-privilege-name;collective: config-read
ds-privilege-name;collective: config-write
ds-privilege-name;collective: ldif-export
ds-privilege-name;collective: modify-acl
ds-privilege-name;collective: password-reset
ds-privilege-name;collective: proxied-auth
subtreeSpecification: {base "ou=people", specificationFilter
  "(isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }

Notice that the subentry where this operational attribute occurs sets the context that implicitly defines the bounds of the subtree.
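When reviewing who receives privileges through a subentry like the one above, it helps to resolve the subtree specification by hand. The following Python sketch is an added example, not part of the DS documentation or product code. It resolves the base relative to the subentry's parent and checks sample entries against the filter. It assumes the string form of the value shown above, handles only base and a simple equality specificationFilter (any other components of the specification are ignored), and uses constructed entries and hypothetical function names.

```python
import re

# Constructed sample values that mirror the subentry shown above.
SUBENTRY_DN = "cn=Administrator Privileges,dc=example,dc=com"
SPEC = ('{base "ou=people", specificationFilter '
        '"(isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }')

def norm(dn):
    """Simplified DN normalisation (assumes no escaped commas in RDN values)."""
    return ",".join(p.strip().lower() for p in dn.split(",") if p.strip())

def parse_spec(value):
    """Return (relative base, filter or None) from the value's string form."""
    base = re.search(r'\bbase\s+"([^"]*)"', value)
    flt = re.search(r'\bspecificationFilter\s+"([^"]*)"', value)
    return (base.group(1) if base else "", flt.group(1) if flt else None)

def subtree_base(subentry_dn, rel_base):
    """Resolve the base relative to the parent of the subentry."""
    parent = norm(subentry_dn).split(",", 1)[1]
    return f"{norm(rel_base)},{parent}" if rel_base else parent

def in_scope(entry_dn, attrs, subentry_dn=SUBENTRY_DN, spec=SPEC):
    """True if the entry is under the resolved base and matches the filter."""
    rel_base, flt = parse_spec(spec)
    base, dn = subtree_base(subentry_dn, rel_base), norm(entry_dn)
    if dn != base and not dn.endswith("," + base):
        return False
    if flt is None:
        return True
    m = re.fullmatch(r"\((\w+)=(.*)\)", flt)  # simple equality filters only
    if not m:
        raise ValueError("unsupported filter: " + flt)
    want = norm(m.group(2))
    values = {k.lower(): v for k, v in attrs.items()}.get(m.group(1).lower(), [])
    return any(norm(v) == want for v in values)

# Constructed entries, as a search that requested isMemberOf might return them.
ADMINS = "cn=Directory Administrators,ou=Groups,dc=example,dc=com"
ENTRIES = {
    "uid=kvaughan,ou=People,dc=example,dc=com": {"isMemberOf": [ADMINS]},
    "uid=bjensen,ou=People,dc=example,dc=com": {"isMemberOf": []},
    "uid=svc,ou=Services,dc=example,dc=com": {"isMemberOf": [ADMINS]},
}

def privileged_entries(entries=ENTRIES):
    """DNs that would receive the subentry's collective privileges."""
    return [dn for dn, attrs in entries.items() if in_scope(dn, attrs)]

if __name__ == "__main__":
    print(privileged_entries())
```

The third sample entry is a group member but sits outside ou=people, so it falls outside the subtree and does not receive the privileges.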

Single value: true
Origin: RFC 3672
Usage: directoryOperation
Ordering matching rule: octetStringOrderingMatch
OID: 2.5.18.6
User modification allowed: true
Schema file: 00-core.ldif
Names: subtreeSpecification
Used by: inheritedCollectiveAttributeSubentry, inheritedFromDNCollectiveAttributeSubentry, inheritedFromRDNCollectiveAttributeSubentry, subentry
Syntax: SubtreeSpecification
Equality matching rule: octetStringMatch

Copyright © 2010-2023 ForgeRock, all rights reserved.