1 .TH SLAPD.ACCESS 5 "28 Oct 2001" "OpenLDAP LDVERSION"
2 .\" Copyright 1998-2001 The OpenLDAP Foundation All Rights Reserved.
3 .\" Copying restrictions apply. See COPYRIGHT/LICENSE.
5 slapd.access \- access configuration for slapd, the stand-alone LDAP daemon
10 .B ETCDIR/slapd.conf (5)
11 contains configuration information for the
13 daemon. This configuration file is also used by the
15 replication daemon and by the SLAPD tools
23 file consists of a series of global configuration options that apply to
25 as a whole (including all backends), followed by zero or more database
26 backend definitions that contain information specific to a backend
34 # comment - these options apply to every database
35 <global configuration options>
36 # first database definition & configuration options
37 database <backend 1 type>
38 <configuration options specific to backend 1>
39 # subsequent database definitions & configuration options
43 Both the global configuration and each backend-specific section can contain
45 Backend-specific access control directives are used for those entries
46 that belong to the backend, according to their naming context.
47 In case no access control directives are defined for a backend,
48 the appropriate directives from the global configuration section
51 Arguments that should be replaced by actual text are shown in brackets <>.
52 The structure of the access control directives is
54 .B access to <what> [ by <who> <access> [ <control> ] ]+
55 Grant access (specified by
57 to a set of entries and/or attributes (specified by
59 by one or more requestors (specified by
64 specifies the entity the access control directive applies to.
69 [dn[.<dnstyle>]=<pattern>]
76 stands for all the entries.
80 selects the entries based on their naming context.
81 The optional style qualificator
85 which implies a regex (7)
87 will be used (the default),
93 for an exact match of the entry,
95 to indicate all the entries immediately below the
98 to indicate all the subentries of an entry including the entry itself,
100 to indicate all the subentries of an entry not including the entry itself.
105 The regex form of the pattern does not support UTF-8 (7) yet.
108 .B filter=<ldapfilter>
109 selects the entries based on a valid LDAP filter as described in RFC 2254.
113 selects the attributes the access control rule applies to.
114 It is a comma-separated list of attribute types, plus the special names
116 indicating access to the entry itself, and
118 indicating access to the entry's children.
120 The last three statements are additive; they can be used in sequence
121 to select entities the access rule applies to based on naming context,
122 value and attribute type simultaneously.
126 indicates whom the access rules apply to.
129 statements can appear in an access control statement, indicating the
130 different access privileges to the same resource that apply to different
132 It can have the forms
140 dn[.<dnstyle>]=<pattern>
142 group[/<objectclass>[/<attrname>]]
144 peername[.<style>]=<pattern>
145 sockname[.<style>]=<pattern>
146 domain[.<style>]=<pattern>
147 sockurl[.<style>]=<pattern>
148 set[.<style>]=<pattern>
153 Each of them can be prefixed by the modifiers
168 means access is granted to unauthenticated users; it is moslty used
169 to limit access to authentication resources (e.g. the
171 attribute) to unauthenticated users for authentication purposes.
175 means access is granted to authenticated users.
179 means access to an entry is allowed to the entry itself (e.g. the entry
180 being accessed and the requesting entry must be the same).
184 means that access is granted to the matching dn.
185 The optional style qualificator
187 allows the same choices of the dn form of the
194 can exploit substring substitution of submatches in the
204 means that access is granted to requests whose dn is listed in the
205 entry being accessed under the
211 means that access is granted to requests whose dn is listed
212 in the group entry whose dn is given by
214 The optional parameters
218 define the objectClass and the member attributeType of the group entry.
219 The optional style qualificator
225 will be expanded accorging to regex (7), and
231 which means that an exact match will be used.
234 .BR peername=<pattern> ,
235 .BR sockname=<pattern> ,
236 .BR domain=<pattern> ,
238 .BR sockurl=<pattern>
239 mean that the contacting host IP for
241 the named pipe file name for
243 the contacting host name for
245 and the contacting URL for
252 rules for pattern match described for the
262 means that the access control is determined by the values in the
265 ACIs are experimental; they must be enabled at compile time.
269 .BR transport_ssf=<n> ,
273 set the required Security Strenght Factor (ssf) required to grant access.
274 They are prefixed to the
279 .B <access> ::= [self]{<level>|<priv>}
280 determines the access level or the specific access privileges the
283 Its component are defined as
286 <level> ::= none|auth|compare|search|read|write
287 <priv> ::= {=|+|-}{w|r|s|c|x}+
292 allows special operations like having a certain access level or privilege
293 only in case the operation involves the name of the user that's requesting
295 It implies the user that requests access is bound.
298 access to the member attribute of a group, which allows one to add/delete
299 its own DN from the member list of a group, without affecting other members.
303 access model relies on an incremental interpretation of the access
305 The possible levels are
313 Each access level implies all the preceding ones, thus
315 access will imply all accesses.
320 access means that one is allowed access to an attribute to perform
321 authentication operations (e.g.
323 with no other access.
324 This is useful to grant unauthenticated users the least possible
325 access level to critical resources, like passwords.
329 access model relies on the explicit setting of access privileges
333 sign resets previously defined accesses; as a consequence, the final
334 access privileges will be only those defined by the clause.
339 signs add/remove access privileges to the existing ones.
351 More than one privilege can be added in one statement.
355 controls the flow of access rule application.
356 It can have the forms
366 the default, means access checking stops in case of match.
367 The other two forms are used to keep on processing access clauses.
370 form allows for other
374 clause to be considered, so that they may result in incrementally altering
375 the privileges, while the
377 form allows for other
379 clauses that match the same target to be processed.
380 Consider the (silly) example
383 access to dn.subtree="dc=example,dc=com" attrs=cn
386 access to dn.subtree="ou=People,dc=example,dc=com"
390 which allows search and compare privileges to everybody under
391 the "dc=example,dc=com" tree, with the seconf rule allowing
392 also read in the "ou=People" subtree,
393 or the (even more silly) example
396 access to dn.subtree="dc=example,dc=com" attrs=cn
401 which grants everybody search and compare privileges, and adds read
402 privileges to authenticated users.
408 "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
411 is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
413 is derived from University of Michigan LDAP 3.3 Release.