1 .TH SLAPD.ACCESS 5 "RELEASEDATE" "OpenLDAP LDVERSION"
2 .\" Copyright 1998-2003 The OpenLDAP Foundation All Rights Reserved.
3 .\" Copying restrictions apply. See COPYRIGHT/LICENSE.
5 slapd.access \- access configuration for slapd, the stand-alone LDAP daemon
11 file contains configuration information for the
13 daemon. This configuration file is also used by the
15 replication daemon and by the SLAPD tools
23 file consists of a series of global configuration options that apply to
25 as a whole (including all backends), followed by zero or more database
26 backend definitions that contain information specific to a backend
34 # comment - these options apply to every database
35 <global configuration options>
36 # first database definition & configuration options
37 database <backend 1 type>
38 <configuration options specific to backend 1>
39 # subsequent database definitions & configuration options
43 Both the global configuration and each backend-specific section can contain
45 Backend-specific access control directives are used for those entries
46 that belong to the backend, according to their naming context.
47 In case no access control directives are defined for a backend,
48 the appropriate directives from the global configuration section
51 Arguments that should be replaced by actual text are shown in brackets <>.
52 The structure of the access control directives is
54 .B access to <what> "[ by <who> <access> [ <control> ] ]+"
55 Grant access (specified by
57 to a set of entries and/or attributes (specified by
59 by one or more requestors (specified by
64 specifies the entity the access control directive applies to.
69 [dn[.<dnstyle>]=<pattern>]
76 stands for all the entries.
80 selects the entries based on their naming context.
81 The optional style qualifier
85 which implies a regular expression pattern, as detailed in
87 will be used (the default),
93 for an exact match of the entry,
95 to indicate all the entries immediately below the
98 to indicate all the subentries of an entry including the entry itself,
100 to indicate all the subentries of an entry not including the entry itself.
105 The regex form of the pattern does not support UTF-8 yet.
108 .B filter=<ldapfilter>
109 selects the entries based on a valid LDAP filter as described in RFC 2254.
113 selects the attributes the access control rule applies to.
114 It is a comma-separated list of attribute types, plus the special names
116 indicating access to the entry itself, and
118 indicating access to the entry's children. ObjectClass names may also
119 be specified in this list, which will affect all the attributes that
120 are required and/or allowed by that objectClass.
122 The last three statements are additive; they can be used in sequence
123 to select the entities the access rule applies to by naming context
124 (dn), attribute values (filter) and attribute type (attrs) simultaneously.
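The four dn styles above select different slices of the tree relative to the pattern. The following Python is an added example, not code from the man page or from OpenLDAP: it models the selection on a constructed sample DIT with a deliberately crude DN normalisation (lower-casing and trimming blanks, no RFC 2253 escape handling), and compares RDN lists rather than string suffixes so that a look-alike suffix in another naming context is not selected. As in slapd, the regex form is searched rather than anchored, so the pattern itself must carry ^ and $.

```python
# Added example, not part of slapd.access(5) or OpenLDAP: how the dn.<dnstyle>
# selectors of an "access to" clause choose entries.  DN normalisation here is a
# crude stand-in for slapd's (lower-case, trim blanks, no escape handling).
import re

def normalize_dn(dn: str) -> str:
    """Lower-case the DN and trim whitespace around the RDN separators."""
    rdns = [re.sub(r"\s*=\s*", "=", p.strip()) for p in dn.split(",")]
    return ",".join(r.lower() for r in rdns if r)

def rdn_list(dn: str) -> list:
    """The normalised DN split into its RDNs, leaf first."""
    norm = normalize_dn(dn)
    return norm.split(",") if norm else []

def dn_matches(style: str, pattern: str, entry: str) -> bool:
    """True if `entry` is selected by dn.<style>=<pattern>.

    exact/base: the entry itself          one: entries immediately below it
    subtree: the entry and all below it   children: all below it, entry excluded
    regex: searched (not anchored) against the normalised DN, so anchor it yourself
    """
    if style == "regex":
        return re.search(pattern, normalize_dn(entry)) is not None
    base, target = rdn_list(pattern), rdn_list(entry)
    # `entry` lies under `pattern` when its trailing RDNs are exactly the base RDNs;
    # comparing RDN lists (not string suffixes) avoids partial-RDN false matches.
    within = len(target) >= len(base) and target[len(target) - len(base):] == base
    depth = len(target) - len(base)
    if style in ("exact", "base"):
        return within and depth == 0
    if style == "one":
        return within and depth == 1
    if style == "subtree":
        return within
    if style == "children":
        return within and depth >= 1
    raise ValueError(f"unknown dnstyle: {style}")

def select_entries(style: str, pattern: str, entries):
    """Filter a list of entry DNs the way the <what> clause would."""
    return [e for e in entries if dn_matches(style, pattern, e)]

# Constructed sample DIT (assumed, not from the man page).
SAMPLE_DIT = [
    "dc=example,dc=com",
    "ou=People,dc=example,dc=com",
    "cn=Alice,ou=People,dc=example,dc=com",
    "ou=Groups,dc=example,dc=com",
    "cn=admins,ou=Groups,dc=example,dc=com",
    "dc=example,dc=com,dc=au",   # a different naming context with a look-alike prefix
]

if __name__ == "__main__":
    for style in ("exact", "one", "subtree", "children"):
        print(style, select_entries(style, "dc=example,dc=com", SAMPLE_DIT))
```

Running the block prints, for each style, the entries of the sample DIT that an `access to dn.<style>="dc=example,dc=com"` clause would cover; the last entry is never selected because its RDN list does not end with the base.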
128 indicates whom the access rules apply to.
131 statements can appear in an access control statement, indicating the
132 different access privileges to the same resource that apply to different
134 It can have the forms
142 dn[.<dnstyle>[,<modifier>]]=<pattern>
144 group[/<objectclass>[/<attrname>]]
146 peername[.<style>]=<pattern>
147 sockname[.<style>]=<pattern>
148 domain[.<domainstyle>[,<modifier>]]=<pattern>
149 sockurl[.<style>]=<pattern>
150 set[.<style>]=<pattern>
160 They may be specified in combination.
171 means access is granted to unauthenticated users; it is mostly used
172 to limit access to authentication resources (e.g. the
174 attribute) to unauthenticated users for authentication purposes.
178 means access is granted to authenticated users.
182 means access to an entry is allowed to the entry itself (i.e. the entry
183 being accessed and the DN of the requestor must be the same).
187 means that access is granted to the matching dn.
188 The optional style qualifier
190 allows the same choices of the dn form of the
197 can use substitution of the submatches captured in the
207 means that access is granted to requests whose dn is listed in the
208 entry being accessed under the
214 means that access is granted to requests whose dn is listed
215 in the group entry whose dn is given by
217 The optional parameters
221 define the objectClass and the member attributeType of the group entry.
222 The optional style qualifier
228 will be expanded according to regex (7), and
234 which means that an exact match will be used.
237 .BR peername=<pattern> ,
238 .BR sockname=<pattern> ,
239 .BR domain=<pattern> ,
241 .BR sockurl=<pattern>
242 mean that the contacting host IP for
244 the named pipe file name for
246 the contacting host name for
248 and the contacting URL for
255 rules for pattern match described for the
260 clause also allows the
262 style, which succeeds when a fully qualified name exactly matches the
264 pattern, or its trailing part, after a
271 of the contacting host is determined by performing a DNS reverse lookup.
272 As this lookup can easily be spoofed, use of the
274 statement is strongly discouraged. By default, reverse lookups are disabled.
282 means that the access control is determined by the values in the
285 ACIs are experimental; they must be enabled at compile time.
289 .BR transport_ssf=<n> ,
293 set the Security Strength Factor (ssf) required to grant access.
296 .B <access> ::= [self]{<level>|<priv>}
297 determines the access level or the specific access privileges the
300 Its components are defined as
303 <level> ::= none|auth|compare|search|read|write
304 <priv> ::= {=|+|-}{w|r|s|c|x}+
309 restricts the grant so that it applies only when the operation involves
310 the DN of the user that is requesting access.
312 It implies that the requesting user is bound (i.e. not anonymous).
315 A typical use is selfwrite access to the member attribute of a group, which allows a user to add or delete
316 their own DN from the member list of a group, without affecting other members.
320 access model relies on an incremental interpretation of the access
322 The possible levels are
330 Each access level implies all the preceding ones, thus
332 access will imply all accesses.
337 access means that one is allowed access to an attribute to perform
338 authentication/authorization operations (e.g.
340 with no other access.
341 This is useful to grant unauthenticated users the least possible
342 access level to critical resources, like passwords.
346 access model relies on the explicit setting of access privileges
350 sign resets previously defined accesses; as a consequence, the final
351 access privileges will be only those defined by the clause.
356 signs add/remove access privileges to the existing ones.
368 More than one privilege can be added in one statement.
372 controls the flow of access rule application.
373 It can have the forms
383 the default, means access checking stops in case of match.
384 The other two forms are used to keep on processing access clauses.
387 form allows for other
391 clause to be considered, so that they may result in incrementally altering
392 the privileges, while the
394 form allows for other
396 clauses that match the same target to be processed.
397 Consider the (silly) example
400 access to dn.subtree="dc=example,dc=com" attrs=cn
	by * =cs break
403 access to dn.subtree="ou=People,dc=example,dc=com"
	by * +r
407 which grants search and compare privileges to everybody under
408 the "dc=example,dc=com" tree, with the second rule adding
409 read in the "ou=People" subtree,
410 or the (even more silly) example
413 access to dn.subtree="dc=example,dc=com" attrs=cn
	by * =cs continue
	by users +r
418 which grants everybody search and compare privileges, and adds read
419 privileges to authenticated users.
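Because a bare <level> replaces the accumulated privileges while =, + and - edit them, and because stop, continue and break decide whether later <by> clauses or later access directives are consulted at all, the outcome of an ACL is easy to misjudge by reading. The following Python is an added example, not code from the man page or from OpenLDAP: a small simulator of the <access> semantics (levels, self and auth) and of the <control> flow described above, run over constructed directives for userPassword and group membership and over the two break/continue examples. It supports only dn.exact/dn.subtree targets, the *, anonymous, users and self requestors and the optional self modifier; DNs are compared lower-cased with a plain suffix test rather than real normalisation, and the behaviour of a self-qualified grant whose value is not the requestor's DN (treated as a non-matching clause) is an assumption of this model.

```python
# Added example, not part of slapd.access(5) or OpenLDAP: a simulator of how slapd
# combines <access> specifications and <control> keywords over an ordered list of
# "access to ... by ..." directives.  Supported subset (anything else raises):
#   access to dn.{exact|subtree}="<dn>" [attrs=<attr>[,<attr>...]]
#       by {*|anonymous|users|self} [self]{<level>|<priv>} [stop|continue|break]
import shlex

# Each <level> implies the preceding ones, so express every level as <priv> letters.
LEVEL_PRIVS = {"none": "", "auth": "x", "compare": "cx", "search": "scx",
               "read": "rscx", "write": "wrscx"}

def parse_acl(text):
    """Parse directives into [{"what": {...}, "by": [(who, access, control), ...]}, ...]."""
    rules = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if not tok:
            continue
        if tok[:2] == ["access", "to"]:
            what = {"style": None, "dn": None, "attrs": None}   # attrs None: entry + all attributes
            for t in tok[2:]:
                key, _, val = t.partition("=")
                if key in ("dn.exact", "dn.subtree"):
                    what["style"], what["dn"] = key[3:], val.lower()
                elif key == "attrs":
                    what["attrs"] = {a.lower() for a in val.split(",")}
                else:
                    raise ValueError(f"unsupported <what>: {t}")
            rules.append({"what": what, "by": []})
        elif tok[0] == "by" and len(tok) in (3, 4):
            rules[-1]["by"].append((tok[1], tok[2], tok[3] if len(tok) == 4 else "stop"))
        else:
            raise ValueError(f"unsupported line: {line.strip()}")
    return rules

def what_matches(what, target, attr):
    """Plain suffix test on lower-cased DNs (not real DN normalisation)."""
    under = target == what["dn"] or (what["style"] == "subtree" and target.endswith("," + what["dn"]))
    return under and (what["attrs"] is None or attr in what["attrs"])

def who_matches(who, requester, target):
    """`requester` is the bound DN, or None for an anonymous session."""
    return {"*": True, "anonymous": requester is None,
            "users": requester is not None, "self": requester == target}[who]

def apply_access(privs, spec):
    """A bare <level> replaces what was accumulated; =, + and - <priv> set, add or remove letters."""
    if spec in LEVEL_PRIVS:
        return set(LEVEL_PRIVS[spec])
    op, letters = spec[0], set(spec[1:])
    if op not in "=+-" or not letters or not letters <= set("wrscx"):
        raise ValueError(f"bad <access>: {spec}")
    if op == "=":
        return letters
    return privs | letters if op == "+" else privs - letters

def effective_privs(acl_text, requester, target, attr, value=None):
    """Privilege letters `requester` ends up with on `attr` of entry `target`.
    `value` (the attribute value being written or compared) matters only for the
    'self' access modifier."""
    requester = requester.lower() if requester else None
    target, attr = target.lower(), attr.lower()
    privs = set()
    for rule in parse_acl(acl_text):
        if not what_matches(rule["what"], target, attr):
            continue
        for who, spec, control in rule["by"]:
            if not who_matches(who, requester, target):
                continue
            if spec.startswith("self"):
                # 'self' modifier: grant only when the value involved is the requester's own
                # DN; otherwise the clause is treated as not matching (assumption of this model).
                if requester is None or value is None or value.lower() != requester:
                    continue
                spec = spec[len("self"):]
            privs = apply_access(privs, spec)
            if control == "stop":
                return privs
            if control == "break":
                break        # leave this directive; later directives matching the target still apply
            # "continue": go on with the remaining <by> clauses of this directive
        else:
            return privs     # no (more) <by> clause matched: stop with what was accumulated
    return privs

# Constructed sample directives (assumed, not from the man page): the usual
# password rule plus a selfwrite grant on group membership.
PASSWORD_ACL = """
access to dn.subtree="dc=example,dc=com" attrs=userPassword
    by anonymous auth
    by self write
    by * none
access to dn.subtree="ou=groups,dc=example,dc=com" attrs=member
    by users selfwrite
    by * read
"""
# The two examples from the text above: "break" adds read from a later directive,
# "continue" adds read from a later <by> clause of the same directive.
BREAK_EXAMPLE = """
access to dn.subtree="dc=example,dc=com" attrs=cn
    by * =cs break
access to dn.subtree="ou=people,dc=example,dc=com"
    by * +r
"""
CONTINUE_EXAMPLE = """
access to dn.subtree="dc=example,dc=com" attrs=cn
    by * =cs continue
    by users +r
"""
```

Note what the simulator makes visible: an anonymous bind gets only the auth privilege (x) on userPassword, a user gets full write on their own password and nothing on anyone else's, and a selfwrite grant on member lets a user add their own DN to a group but drops to the read fallback when the value is someone else's DN. In the break example an entry outside ou=People keeps the search and compare privileges accumulated before the break, and an attribute other than cn in ou=People gets read only, because the first directive never matched it.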
423 default slapd configuration file
427 "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
430 is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
432 is derived from University of Michigan LDAP 3.3 Release.