1 .TH SLAPD.ACCESS 5 "28 Oct 2001" "OpenLDAP LDVERSION"
2 .\" Copyright 1998-2002 The OpenLDAP Foundation All Rights Reserved.
3 .\" Copying restrictions apply. See COPYRIGHT/LICENSE.
5 slapd.access \- access configuration for slapd, the stand-alone LDAP daemon
11 file contains configuration information for the
13 daemon. This configuration file is also used by the
15 replication daemon and by the SLAPD tools
23 file consists of a series of global configuration options that apply to
25 as a whole (including all backends), followed by zero or more database
26 backend definitions that contain information specific to a backend
34 # comment - these options apply to every database
35 <global configuration options>
36 # first database definition & configuration options
37 database <backend 1 type>
38 <configuration options specific to backend 1>
39 # subsequent database definitions & configuration options
43 Both the global configuration and each backend-specific section can contain
45 Backend-specific access control directives are used for those entries
46 that belong to the backend, according to their naming context.
47 In case no access control directives are defined for a backend,
48 the appropriate directives from the global configuration section
51 Arguments that should be replaced by actual text are shown in brackets <>.
52 The structure of the access control directives is
54 .B access to <what> [ by <who> <access> [ <control> ] ]+
55 Grant access (specified by
57 to a set of entries and/or attributes (specified by
59 by one or more requestors (specified by
64 specifies the entity the access control directive applies to.
69 [dn[.<dnstyle>]=<pattern>]
76 stands for all the entries.
80 selects the entries based on their naming context.
81 The optional style qualificator
85 which implies a regular expression pattern, as detailed in
87 will be used (the default),
93 for an exact match of the entry,
95 to indicate all the entries immediately below the
98 to indicate all the subentries of an entry including the entry itself,
100 to indicate all the subentries of an entry not including the entry itself.
105 The regex form of the pattern does not support UTF-8 (7) yet.
108 .B filter=<ldapfilter>
109 selects the entries based on a valid LDAP filter as described in RFC 2254.
113 selects the attributes the access control rule applies to.
114 It is a comma-separated list of attribute types, plus the special names
116 indicating access to the entry itself, and
118 indicating access to the entry's children. ObjectClass names may also
119 be specified in this list, which will affect all the attributes that
120 are required and/or allowed by that objectClass.
122 The last three statements are additive; they can be used in sequence
123 to select entities the access rule applies to based on naming context,
124 value and attribute type simultaneously.
128 indicates whom the access rules apply to.
131 statements can appear in an access control statement, indicating the
132 different access privileges to the same resource that apply to different
134 It can have the forms
142 dn[.<dnstyle>]=<pattern>
144 group[/<objectclass>[/<attrname>]]
146 peername[.<style>]=<pattern>
147 sockname[.<style>]=<pattern>
148 domain[.<style>]=<pattern>
149 sockurl[.<style>]=<pattern>
150 set[.<style>]=<pattern>
160 They may be specified in combination.
171 means access is granted to unauthenticated users; it is moslty used
172 to limit access to authentication resources (e.g. the
174 attribute) to unauthenticated users for authentication purposes.
178 means access is granted to authenticated users.
182 means access to an entry is allowed to the entry itself (e.g. the entry
183 being accessed and the requesting entry must be the same).
187 means that access is granted to the matching dn.
188 The optional style qualificator
190 allows the same choices of the dn form of the
197 can exploit substring substitution of submatches in the
207 means that access is granted to requests whose dn is listed in the
208 entry being accessed under the
214 means that access is granted to requests whose dn is listed
215 in the group entry whose dn is given by
217 The optional parameters
221 define the objectClass and the member attributeType of the group entry.
222 The optional style qualificator
228 will be expanded accorging to regex (7), and
234 which means that an exact match will be used.
237 .BR peername=<pattern> ,
238 .BR sockname=<pattern> ,
239 .BR domain=<pattern> ,
241 .BR sockurl=<pattern>
242 mean that the contacting host IP for
244 the named pipe file name for
246 the contacting host name for
248 and the contacting URL for
255 rules for pattern match described for the
265 means that the access control is determined by the values in the
268 ACIs are experimental; they must be enabled at compile time.
272 .BR transport_ssf=<n> ,
276 set the required Security Strength Factor (ssf) required to grant access.
279 .B <access> ::= [self]{<level>|<priv>}
280 determines the access level or the specific access privileges the
283 Its component are defined as
286 <level> ::= none|auth|compare|search|read|write
287 <priv> ::= {=|+|-}{w|r|s|c|x}+
292 allows special operations like having a certain access level or privilege
293 only in case the operation involves the name of the user that's requesting
295 It implies the user that requests access is bound.
298 access to the member attribute of a group, which allows one to add/delete
299 its own DN from the member list of a group, without affecting other members.
303 access model relies on an incremental interpretation of the access
305 The possible levels are
313 Each access level implies all the preceding ones, thus
315 access will imply all accesses.
320 access means that one is allowed access to an attribute to perform
321 authentication/authorization operations (e.g.
323 with no other access.
324 This is useful to grant unauthenticated users the least possible
325 access level to critical resources, like passwords.
329 access model relies on the explicit setting of access privileges
333 sign resets previously defined accesses; as a consequence, the final
334 access privileges will be only those defined by the clause.
339 signs add/remove access privileges to the existing ones.
351 More than one privilege can be added in one statement.
355 controls the flow of access rule application.
356 It can have the forms
366 the default, means access checking stops in case of match.
367 The other two forms are used to keep on processing access clauses.
370 form allows for other
374 clause to be considered, so that they may result in incrementally altering
375 the privileges, while the
377 form allows for other
379 clauses that match the same target to be processed.
380 Consider the (silly) example
383 access to dn.subtree="dc=example,dc=com" attrs=cn
386 access to dn.subtree="ou=People,dc=example,dc=com"
390 which allows search and compare privileges to everybody under
391 the "dc=example,dc=com" tree, with the seconf rule allowing
392 also read in the "ou=People" subtree,
393 or the (even more silly) example
396 access to dn.subtree="dc=example,dc=com" attrs=cn
401 which grants everybody search and compare privileges, and adds read
402 privileges to authenticated users.
408 "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
411 is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
413 is derived from University of Michigan LDAP 3.3 Release.