A subtree specification provides a way to describe a subset of entries in a subtree of the DIT. A subtree begins at a base entry and includes the subordinates of that entry to an optionally specified lower boundary, possibly including leaf entries.

The following example uses a subtree specification to apply privileges to Directory Administrators group members under ou=people (relative to the parent of the subentry). In other words, this sample applies to entries under ou=people,dc=example,dc=com:

dn: cn=Administrator Privileges,dc=example,dc=com
objectClass: collectiveAttributeSubentry
objectClass: extensibleObject
objectClass: subentry
objectClass: top
cn: Administrator Privileges
ds-privilege-name;collective: config-read
ds-privilege-name;collective: config-write
ds-privilege-name;collective: ldif-export
ds-privilege-name;collective: modify-acl
ds-privilege-name;collective: password-reset
ds-privilege-name;collective: proxied-auth
subtreeSpecification: {base "ou=people", specificationFilter
  "(isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }

Notice that the subentry where this operational attribute occurs sets the context that implicitly defines the bounds of the subtree.
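To review which entries a subentry like this one reaches before it grants privileges, the following added example (not part of the original documentation or the server's own code) resolves the relative base against the subentry's parent and applies the filter to constructed sample entries. It assumes DNs without escaped commas and a single equality filter on a DN-valued attribute; the helper names and sample entries are hypothetical.

```python
import re

# Subentry from the page's example; its parent entry anchors the relative base.
SUBENTRY_DN = "cn=Administrator Privileges,dc=example,dc=com"
SPEC = ('{base "ou=people", specificationFilter '
        '"(isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }')

# Constructed sample entries (not from the page): DN -> attributes.
ENTRIES = {
    "uid=kvaughan,ou=People,dc=example,dc=com": {
        "isMemberOf": ["cn=Directory Administrators,ou=Groups,dc=example,dc=com"]},
    "uid=bjensen,ou=People,dc=example,dc=com": {"isMemberOf": []},
    "uid=admin,ou=Service Accounts,dc=example,dc=com": {
        "isMemberOf": ["cn=Directory Administrators,ou=Groups,dc=example,dc=com"]},
}

def norm(dn):
    """Case-fold a DN and trim each RDN (assumes no escaped commas)."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))

def parse_spec(spec):
    """Extract base and a single (attr=value) filter from the spec string."""
    base = re.search(r'base\s+"([^"]*)"', spec)
    filt = re.search(r'specificationFilter\s+"\(([^=()]+)=([^()]*)\)"', spec)
    return (base.group(1) if base else "",
            (filt.group(1), filt.group(2)) if filt else None)

def in_scope(entry_dn, attrs, subentry_dn, spec):
    """True if the entry is selected by the subentry's subtree specification."""
    rel_base, filt = parse_spec(spec)
    parent = norm(subentry_dn).split(",", 1)[1]  # parent of the subentry
    base = norm(rel_base) + "," + parent if rel_base else parent
    dn = norm(entry_dn)
    if dn != base and not dn.endswith("," + base):
        return False                              # outside the subtree
    if filt is None:
        return True
    name, value = filt
    values = next((v for k, v in attrs.items() if k.lower() == name.lower()), [])
    return norm(value) in (norm(v) for v in values)  # value compared as a DN

def affected(entries, subentry_dn, spec):
    """DNs that would inherit the subentry's collective attributes."""
    return sorted(dn for dn, a in entries.items() if in_scope(dn, a, subentry_dn, spec))

if __name__ == "__main__":
    for dn in affected(ENTRIES, SUBENTRY_DN, SPEC):
        print(dn)
```

The group member outside ou=people is not selected, and a specification with neither base nor filter selects everything under the subentry's parent, which is the case to look for when auditing privilege subentries.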

Origin: RFC 3672
Usage: directoryOperation
Equality Matching Rule: octetStringMatch
Single Value: true
Names: subtreeSpecification
Ordering Matching Rule: octetStringOrderingMatch
User Modification Allowed: true
Used By: inheritedCollectiveAttributeSubentry, inheritedFromDNCollectiveAttributeSubentry, inheritedFromRDNCollectiveAttributeSubentry, subentry
Schema File: 00-core.ldif
Syntax: Subtree Specification
