1 .TH SLAPD.ACCESS 5 "28 Oct 2001" "OpenLDAP LDVERSION"
2 .\" Copyright 1998-2001 The OpenLDAP Foundation All Rights Reserved.
3 .\" Copying restrictions apply. See COPYRIGHT/LICENSE.
5 slapd.access \- access configuration for slapd, the stand-alone LDAP daemon
11 file contains configuration information for the
13 daemon. This configuration file is also used by the
15 replication daemon and by the SLAPD tools
23 file consists of a series of global configuration options that apply to
25 as a whole (including all backends), followed by zero or more database
26 backend definitions that contain information specific to a backend
34 # comment - these options apply to every database
35 <global configuration options>
36 # first database definition & configuration options
37 database <backend 1 type>
38 <configuration options specific to backend 1>
39 # subsequent database definitions & configuration options
43 Both the global configuration and each backend-specific section can contain
45 Backend-specific access control directives are used for those entries
46 that belong to the backend, according to their naming context.
47 In case no access control directives are defined for a backend,
48 the appropriate directives from the global configuration section
51 Arguments that should be replaced by actual text are shown in brackets <>.
52 The structure of the access control directives is
54 .B access to <what> [ by <who> <access> [ <control> ] ]+
55 Grant access (specified by
57 to a set of entries and/or attributes (specified by
59 by one or more requestors (specified by
64 specifies the entity the access control directive applies to.
69 [dn[.<dnstyle>]=<pattern>]
76 stands for all the entries.
80 selects the entries based on their naming context.
81 The optional style qualificator
85 which implies a regular expression pattern, as detailed in
87 will be used (the default),
93 for an exact match of the entry,
95 to indicate all the entries immediately below the
98 to indicate all the subentries of an entry including the entry itself,
100 to indicate all the subentries of an entry not including the entry itself.
105 The regex form of the pattern does not support UTF-8 (7) yet.
108 .B filter=<ldapfilter>
109 selects the entries based on a valid LDAP filter as described in RFC 2254.
113 selects the attributes the access control rule applies to.
114 It is a comma-separated list of attribute types, plus the special names
116 indicating access to the entry itself, and
118 indicating access to the entry's children.
120 The last three statements are additive; they can be used in sequence
121 to select entities the access rule applies to based on naming context,
122 value and attribute type simultaneously.
126 indicates whom the access rules apply to.
129 statements can appear in an access control statement, indicating the
130 different access privileges to the same resource that apply to different
132 It can have the forms
140 dn[.<dnstyle>]=<pattern>
142 group[/<objectclass>[/<attrname>]]
144 peername[.<style>]=<pattern>
145 sockname[.<style>]=<pattern>
146 domain[.<style>]=<pattern>
147 sockurl[.<style>]=<pattern>
148 set[.<style>]=<pattern>
158 They may be specified in combination.
169 means access is granted to unauthenticated users; it is moslty used
170 to limit access to authentication resources (e.g. the
172 attribute) to unauthenticated users for authentication purposes.
176 means access is granted to authenticated users.
180 means access to an entry is allowed to the entry itself (e.g. the entry
181 being accessed and the requesting entry must be the same).
185 means that access is granted to the matching dn.
186 The optional style qualificator
188 allows the same choices of the dn form of the
195 can exploit substring substitution of submatches in the
205 means that access is granted to requests whose dn is listed in the
206 entry being accessed under the
212 means that access is granted to requests whose dn is listed
213 in the group entry whose dn is given by
215 The optional parameters
219 define the objectClass and the member attributeType of the group entry.
220 The optional style qualificator
226 will be expanded accorging to regex (7), and
232 which means that an exact match will be used.
235 .BR peername=<pattern> ,
236 .BR sockname=<pattern> ,
237 .BR domain=<pattern> ,
239 .BR sockurl=<pattern>
240 mean that the contacting host IP for
242 the named pipe file name for
244 the contacting host name for
246 and the contacting URL for
253 rules for pattern match described for the
263 means that the access control is determined by the values in the
266 ACIs are experimental; they must be enabled at compile time.
270 .BR transport_ssf=<n> ,
274 set the required Security Strength Factor (ssf) required to grant access.
277 .B <access> ::= [self]{<level>|<priv>}
278 determines the access level or the specific access privileges the
281 Its component are defined as
284 <level> ::= none|auth|compare|search|read|write
285 <priv> ::= {=|+|-}{w|r|s|c|x}+
290 allows special operations like having a certain access level or privilege
291 only in case the operation involves the name of the user that's requesting
293 It implies the user that requests access is bound.
296 access to the member attribute of a group, which allows one to add/delete
297 its own DN from the member list of a group, without affecting other members.
301 access model relies on an incremental interpretation of the access
303 The possible levels are
311 Each access level implies all the preceding ones, thus
313 access will imply all accesses.
318 access means that one is allowed access to an attribute to perform
319 authentication/authorization operations (e.g.
321 with no other access.
322 This is useful to grant unauthenticated users the least possible
323 access level to critical resources, like passwords.
327 access model relies on the explicit setting of access privileges
331 sign resets previously defined accesses; as a consequence, the final
332 access privileges will be only those defined by the clause.
337 signs add/remove access privileges to the existing ones.
349 More than one privilege can be added in one statement.
353 controls the flow of access rule application.
354 It can have the forms
364 the default, means access checking stops in case of match.
365 The other two forms are used to keep on processing access clauses.
368 form allows for other
372 clause to be considered, so that they may result in incrementally altering
373 the privileges, while the
375 form allows for other
377 clauses that match the same target to be processed.
378 Consider the (silly) example
381 access to dn.subtree="dc=example,dc=com" attrs=cn
384 access to dn.subtree="ou=People,dc=example,dc=com"
388 which allows search and compare privileges to everybody under
389 the "dc=example,dc=com" tree, with the seconf rule allowing
390 also read in the "ou=People" subtree,
391 or the (even more silly) example
394 access to dn.subtree="dc=example,dc=com" attrs=cn
399 which grants everybody search and compare privileges, and adds read
400 privileges to authenticated users.
406 "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
409 is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
411 is derived from University of Michigan LDAP 3.3 Release.