.TH SLAPD.ACCESS 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.\" Copyright 1998-2003 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.SH NAME
slapd.access \- access configuration for slapd, the stand-alone LDAP daemon
.SH DESCRIPTION
The
.B slapd.conf
file contains configuration information for the
.BR slapd (8)
daemon. This configuration file is also used by the
.BR slurpd (8)
replication daemon and by the SLAPD tools
.BR slapadd (8),
.BR slapcat (8),
and
.BR slapindex (8).
.LP
The
.B slapd.conf
file consists of a series of global configuration options that apply to
.B slapd
as a whole (including all backends), followed by zero or more database
backend definitions that contain information specific to a backend.
.LP
.nf
    # comment - these options apply to every database
    <global configuration options>
    # first database definition & configuration options
    database <backend 1 type>
    <configuration options specific to backend 1>
    # subsequent database definitions & configuration options
.fi
.LP
Both the global configuration and each backend-specific section can contain
access control directives.
Backend-specific access control directives are used for those entries
that belong to the backend, according to their naming context.
In case no access control directives are defined for a backend,
the appropriate directives from the global configuration section
are used.
.LP
Arguments that should be replaced by actual text are shown in brackets <>.
.LP
The structure of the access control directives is
.TP
.B access to <what> "[ by <who> <access> [ <control> ] ]+"
Grant access (specified by
.BR <access> )
to a set of entries and/or attributes (specified by
.BR <what> )
by one or more requestors (specified by
.BR <who> ).
.SH THE <WHAT> FIELD
The field
.B <what>
specifies the entity the access control directive applies to.
It can have the forms
.LP
.nf
	*
	[dn[.<dnstyle>]=<pattern>]
	[filter=<ldapfilter>]
	[attrs=<attrlist>]
.fi
.LP
The wildcard
.B *
stands for all the entries.
.LP
The statement
.B dn=<pattern>
selects the entries based on their naming context.
The optional style qualifier
.B <dnstyle>
can be
.BR regex
(the default), which implies that
.B <pattern>
is a regular expression, as detailed in
.BR regex (7),
matching a normalized string representation of the entry's DN.
The regex form of the pattern does not support UTF-8 yet.
.LP
For all other qualifiers, the pattern is a string representation of
the entry's DN. The style qualifier
.B exact
indicates the entry whose DN is equal to the pattern;
.B one
indicates all the entries immediately below the
.BR <pattern> ;
.B subtree
indicates all entries in the subtree at the pattern;
and
.B children
indicates all entries below (subordinate to) the pattern.
.LP
The statement
.B filter=<ldapfilter>
selects the entries based on a valid LDAP filter as described in RFC 2254.
.LP
The statement
.B attrs=<attrlist>
selects the attributes the access control rule applies to.
It is a comma-separated list of attribute types, plus the special names
.BR entry ,
indicating access to the entry itself, and
.BR children ,
indicating access to the entry's children. ObjectClass names may also
be specified in this list, which will affect all the attributes that
are required and/or allowed by that objectClass.
.LP
The last three statements are additive; they can be used in sequence
to select the entities the access rule applies to based on naming context,
value and attribute type simultaneously.
.SH THE <WHO> FIELD
The field
.B <who>
indicates whom the access rules apply to.
Multiple
.B <who>
statements can appear in an access control statement, indicating the
different access privileges to the same resource that apply to different
requestors.
It can have the forms
.LP
.nf
	*
	anonymous
	users
	self
	dn[.<dnstyle>[,<modifier>]]=<pattern>
	dnattr=<attrname>
	group[/<objectclass>[/<attrname>]][.<style>]=<pattern>
	peername[.<style>]=<pattern>
	sockname[.<style>]=<pattern>
	domain[.<domainstyle>[,<modifier>]]=<pattern>
	sockurl[.<style>]=<pattern>
	set[.<style>]=<pattern>
	aci=<attrname>
	ssf=<n>
	transport_ssf=<n>
	tls_ssf=<n>
	sasl_ssf=<n>
.fi
.LP
They may be specified in combination.
.LP
The wildcard
.B *
refers to everybody.
.LP
The keyword
.B anonymous
means access is granted to unauthenticated users; it is mostly used
to limit access to authentication resources (e.g. the
.B userPassword
attribute) to unauthenticated users for authentication purposes.
.LP
The keyword
.B users
means access is granted to authenticated users.
.LP
The keyword
.B self
means access to an entry is allowed to the entry itself (i.e. the entry
being accessed and the requesting entry must be the same).
.LP
The statement
.B dn=<pattern>
means that access is granted to the matching DN.
The optional style qualifier
.B <dnstyle>
allows the same choices as the dn form of the
.B <what>
field. In addition, the
.B regex
style
.B <pattern>
can exploit substring substitution of submatches in the
.B <what>
dn.regex clause by using the form
.BR $<digit> ,
with digit ranging from 1 to 9.
.LP
The statement
.B dnattr=<attrname>
means that access is granted to requests whose DN is listed in the
entry being accessed under the
.B <attrname>
attribute.
.LP
The statement
.B group=<pattern>
means that access is granted to requests whose DN is listed
in the group entry whose DN is given by
.BR <pattern> .
The optional parameters
.B <objectclass>
and
.B <attrname>
define the objectClass and the member attributeType of the group entry.
The optional style qualifier
.B <style>
can be
.BR expand ,
which means that
.B <pattern>
will be expanded according to
.BR regex (7),
and
.BR exact ,
which means that exact match will be used.
.LP
The statements
.BR peername=<pattern> ,
.BR sockname=<pattern> ,
.BR domain=<pattern> ,
and
.BR sockurl=<pattern>
mean that the contacting host IP for
.BR peername ,
the named pipe file name for
.BR sockname ,
the contacting host name for
.BR domain ,
and the contacting URL for
.BR sockurl
are compared against
.B <pattern>
to determine access.
The same
.B <style>
rules for pattern match described for the
.B group
case apply.
The
.B domain
clause also allows the
.B subtree
style, which succeeds when a fully qualified name exactly matches the
.B domain
pattern, or its trailing part, after a dot, exactly matches the
.B domain
pattern.
The
.B domain
of the contacting host is determined by performing a DNS reverse lookup.
As this lookup can easily be spoofed, use of the
.B domain
statement is strongly discouraged. By default, reverse lookups are disabled.
.LP
The statement
.B aci=<attrname>
means that the access control is determined by the values in the
.B <attrname>
attribute of the entry itself.
ACIs are experimental; they must be enabled at compile time.
.LP
The statements
.BR ssf=<n> ,
.BR transport_ssf=<n> ,
.BR tls_ssf=<n> ,
and
.BR sasl_ssf=<n>
set the minimum Security Strength Factor (ssf) required to grant access.
.SH THE <ACCESS> FIELD
The optional field
.B <access> ::= [self]{<level>|<priv>}
determines the access level or the specific access privileges the
.B <who>
field will have.
Its components are defined as
.LP
.nf
	<level> ::= none|auth|compare|search|read|write
	<priv> ::= {=|+|-}{w|r|s|c|x}+
.fi
.LP
The modifier
.B self
allows special operations like having a certain access level or privilege
only in case the operation involves the name of the user that's requesting
the access.
It implies the user that requests access is bound.
An example is the
.B self write
access to the member attribute of a group, which allows one to add/delete
one's own DN from the member list of a group, without affecting other members.
.LP
The
.B level
access model relies on an incremental interpretation of the access
privileges.
The possible levels are
.BR none ,
.BR auth ,
.BR compare ,
.BR search ,
.BR read ,
and
.BR write .
Each access level implies all the preceding ones, thus
.B write
access will imply all accesses.
The
.B auth
access means that one is allowed access to an attribute to perform
authentication/authorization operations (e.g.
.BR bind )
with no other access.
This is useful to grant unauthenticated users the least possible
access level to critical resources, like passwords.
.LP
The
.B priv
access model relies on the explicit setting of access privileges
for each clause.
The
.B =
sign resets previously defined accesses; as a consequence, the final
access privileges will be only those defined by the clause.
The
.B +
and
.B \-
signs add/remove access privileges to the existing ones.
The privileges are
.B w
for write,
.B r
for read,
.B s
for search,
.B c
for compare,
and
.B x
for authentication.
More than one privilege can be added in one statement.
.SH THE <CONTROL> FIELD
The optional field
.B <control>
controls the flow of access rule application.
It can have the forms
.LP
.nf
	stop
	continue
	break
.fi
.LP
where
.BR stop ,
the default, means access checking stops in case of match.
The other two forms are used to keep on processing access clauses.
In detail, the
.B continue
form allows for other
.B <who>
clauses in the same
.B <access>
clause to be considered, so that they may result in incrementally altering
the privileges, while the
.B break
form allows for other
.B <access>
clauses that match the same target to be processed.
Consider the (silly) example
.LP
.nf
	access to dn.subtree="dc=example,dc=com" attrs=cn
		by * =cs break

	access to dn.subtree="ou=People,dc=example,dc=com"
		by users +r
.fi
.LP
which allows search and compare privileges to everybody under
the "dc=example,dc=com" tree, with the second rule allowing
also read in the "ou=People" subtree,
or the (even more silly) example
.LP
.nf
	access to dn.subtree="dc=example,dc=com" attrs=cn
		by * =cs continue
		by users +r
.fi
.LP
which grants everybody search and compare privileges, and adds read
privileges to authenticated users.
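.LP
As an added example (not OpenLDAP's own code), the following Python models the rule evaluation described above: the <what> dn styles, the <who> forms *, anonymous, users, self and dn, the <level> and <priv> access models, and the stop/continue/break controls. It assumes DN normalization is lower-casing, models neither the self access modifier nor the filter, group, peername and ssf selectors, and assumes, as slapd does, that a directive whose <what> matches but none of whose by clauses match denies access (an implicit by * none, which this page does not state).

```python
import re
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
PRIVS = "xcsrw"   # x=auth c=compare s=search r=read w=write; a <level> grants all lower letters

def dn_matches(style, pattern, dn):
    """<dnstyle> rules from the page; the string styles compare lower-cased ("normalized") DNs."""
    if style == "regex":    return re.match(pattern, dn, re.I) is not None
    dn, pattern = dn.lower(), pattern.lower()
    if style == "exact":    return dn == pattern
    if style == "one":      return dn.partition(",")[2] == pattern
    if style == "subtree":  return dn == pattern or dn.endswith("," + pattern)
    if style == "children": return dn != pattern and dn.endswith("," + pattern)
    raise ValueError("unknown dnstyle: " + style)

def who_matches(who, requestor, target_dn):
    """<who> forms modelled: *, anonymous, users, self and dn[.<dnstyle>]=<pattern>."""
    if who == "*":         return True
    if who == "anonymous": return requestor is None
    if requestor is None:  return False      # every remaining form needs a bound DN
    if who == "users":     return True
    if who == "self":      return requestor.lower() == target_dn.lower()
    key, _, pattern = who.partition("=")     # 'dn' or 'dn.<dnstyle>'
    return dn_matches(key[3:] or "regex", pattern, requestor)

def apply_access(privs, access):
    """A <level> replaces the set; {=|+|-}<priv> resets, adds or removes letters."""
    if access in LEVELS: return set(PRIVS[:LEVELS.index(access)])
    letters = set(access[1:])
    return {"=": letters, "+": privs | letters, "-": privs - letters}[access[0]]

def evaluate(rules, target_dn, attr, requestor=None):
    """Privilege letters granted to requestor (None = anonymous) on attr of target_dn."""
    privs = set()
    for (style, pattern), attrs, clauses in rules:
        if not dn_matches(style, pattern, target_dn) or (attrs and attr not in attrs): continue
        matched = False
        for who, access, control in clauses:
            if not who_matches(who, requestor, target_dn): continue
            matched, privs = True, apply_access(privs, access)
            if control == "stop":  return privs
            if control == "break": break     # next directive, privs carry over; "continue" goes on
        else:
            if not matched: return set()     # implicit "by * none" (assumed, see lead-in)
    return privs
# Constructed input: the page's two "silly" examples as ((dnstyle, pattern), attrs, [(who, access, control)]).
SILLY_BREAK = [
    (("subtree", "dc=example,dc=com"), {"cn"}, [("*", "=cs", "break")]),
    (("subtree", "ou=People,dc=example,dc=com"), None, [("users", "+r", "stop")]),
]
SILLY_CONTINUE = [(("subtree", "dc=example,dc=com"), {"cn"}, [("*", "=cs", "continue"), ("users", "+r", "stop")])]
```

SILLY_BREAK and SILLY_CONTINUE encode the two examples above; slapd's own evaluator applies that implicit deny whenever it runs out of by clauses, even after a matching continue clause, so verify real rules against slapd's ACL debug output (-d 128) rather than against this toy.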
.SH FILES
.TP
ETCDIR/slapd.conf
default slapd configuration file
.SH SEE ALSO
.BR slapd (8),
.BR slapd.conf (5)
.LP
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
.SH ACKNOWLEDGEMENTS
.B OpenLDAP
is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
.B OpenLDAP
is derived from University of Michigan LDAP 3.3 Release.