1 .TH SLAPD.ACCESS 5 "RELEASEDATE" "OpenLDAP LDVERSION"
2 .\" Copyright 1998-2003 The OpenLDAP Foundation All Rights Reserved.
3 .\" Copying restrictions apply. See COPYRIGHT/LICENSE.
5 slapd.access \- access configuration for slapd, the stand-alone LDAP daemon
11 file contains configuration information for the
13 daemon. This configuration file is also used by the
15 replication daemon and by the SLAPD tools
23 file consists of a series of global configuration options that apply to
25 as a whole (including all backends), followed by zero or more database
26 backend definitions that contain information specific to a backend
34 # comment - these options apply to every database
35 <global configuration options>
36 # first database definition & configuration options
37 database <backend 1 type>
38 <configuration options specific to backend 1>
39 # subsequent database definitions & configuration options
43 Both the global configuration and each backend-specific section can contain
45 Backend-specific access control directives are used for those entries
46 that belong to the backend, according to their naming context.
47 In case no access control directives are defined for a backend,
48 the appropriate directives from the global configuration section
51 Arguments that should be replaced by actual text are shown in brackets <>.
52 The structure of the access control directives is
54 .B access to <what> "[ by <who> <access> [ <control> ] ]+"
55 Grant access (specified by
57 to a set of entries and/or attributes (specified by
59 by one or more requestors (specified by
64 specifies the entity the access control directive applies to.
69 [dn[.<dnstyle>]=<pattern>]
76 stands for all the entries.
80 selects the entries based on their naming context.
81 The optional style qualificator
85 which implies a regular expression pattern, as detailed in
87 will be used (the default),
93 for an exact match of the entry,
95 to indicate all the entries immediately below the
98 to indicate all the subentries of an entry including the entry itself,
100 to indicate all the subentries of an entry not including the entry itself.
105 The regex form of the pattern does not support UTF-8 yet.
108 .B filter=<ldapfilter>
109 selects the entries based on a valid LDAP filter as described in RFC 2254.
113 selects the attributes the access control rule applies to.
114 It is a comma-separated list of attribute types, plus the special names
116 indicating access to the entry itself, and
118 indicating access to the entry's children. ObjectClass names may also
119 be specified in this list, which will affect all the attributes that
120 are required and/or allowed by that objectClass.
122 The last three statements are additive; they can be used in sequence
123 to select entities the access rule applies to based on naming context,
124 value and attribute type simultaneously.
128 indicates whom the access rules apply to.
131 statements can appear in an access control statement, indicating the
132 different access privileges to the same resource that apply to different
134 It can have the forms
142 dn[.<dnstyle>[,<modifier>]]=<pattern>
144 group[/<objectclass>[/<attrname>]]
146 peername[.<style>]=<pattern>
147 sockname[.<style>]=<pattern>
148 domain[.<domainstyle>[,<modifier>]]=<pattern>
149 sockurl[.<style>]=<pattern>
150 set[.<style>]=<pattern>
160 They may be specified in combination.
171 means access is granted to unauthenticated users; it is moslty used
172 to limit access to authentication resources (e.g. the
174 attribute) to unauthenticated users for authentication purposes.
178 means access is granted to authenticated users.
182 means access to an entry is allowed to the entry itself (e.g. the entry
183 being accessed and the requesting entry must be the same).
187 means that access is granted to the matching dn.
188 The optional style qualificator
190 allows the same choices of the dn form of the
197 can exploit substring substitution of submatches in the
207 means that access is granted to requests whose dn is listed in the
208 entry being accessed under the
214 means that access is granted to requests whose dn is listed
215 in the group entry whose dn is given by
217 The optional parameters
221 define the objectClass and the member attributeType of the group entry.
222 The optional style qualificator
228 will be expanded accorging to regex (7), and
234 which means that an exact match will be used.
237 .BR peername=<pattern> ,
238 .BR sockname=<pattern> ,
239 .BR domain=<pattern> ,
241 .BR sockurl=<pattern>
242 mean that the contacting host IP for
244 the named pipe file name for
246 the contacting host name for
248 and the contacting URL for
255 rules for pattern match described for the
260 clause also allows the
262 style, which succeeds when a fully qualified name exactly matches the
264 pattern, or its trailing part, after a
276 means that the access control is determined by the values in the
279 ACIs are experimental; they must be enabled at compile time.
283 .BR transport_ssf=<n> ,
287 set the required Security Strength Factor (ssf) required to grant access.
290 .B <access> ::= [self]{<level>|<priv>}
291 determines the access level or the specific access privileges the
294 Its component are defined as
297 <level> ::= none|auth|compare|search|read|write
298 <priv> ::= {=|+|-}{w|r|s|c|x}+
303 allows special operations like having a certain access level or privilege
304 only in case the operation involves the name of the user that's requesting
306 It implies the user that requests access is bound.
309 access to the member attribute of a group, which allows one to add/delete
310 its own DN from the member list of a group, without affecting other members.
314 access model relies on an incremental interpretation of the access
316 The possible levels are
324 Each access level implies all the preceding ones, thus
326 access will imply all accesses.
331 access means that one is allowed access to an attribute to perform
332 authentication/authorization operations (e.g.
334 with no other access.
335 This is useful to grant unauthenticated users the least possible
336 access level to critical resources, like passwords.
340 access model relies on the explicit setting of access privileges
344 sign resets previously defined accesses; as a consequence, the final
345 access privileges will be only those defined by the clause.
350 signs add/remove access privileges to the existing ones.
362 More than one privilege can be added in one statement.
366 controls the flow of access rule application.
367 It can have the forms
377 the default, means access checking stops in case of match.
378 The other two forms are used to keep on processing access clauses.
381 form allows for other
385 clause to be considered, so that they may result in incrementally altering
386 the privileges, while the
388 form allows for other
390 clauses that match the same target to be processed.
391 Consider the (silly) example
394 access to dn.subtree="dc=example,dc=com" attrs=cn
397 access to dn.subtree="ou=People,dc=example,dc=com"
401 which allows search and compare privileges to everybody under
402 the "dc=example,dc=com" tree, with the second rule allowing
403 also read in the "ou=People" subtree,
404 or the (even more silly) example
407 access to dn.subtree="dc=example,dc=com" attrs=cn
412 which grants everybody search and compare privileges, and adds read
413 privileges to authenticated users.
417 default slapd configuration file
421 "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
424 is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
426 is derived from University of Michigan LDAP 3.3 Release.