.TH SLAPD.ACCESS 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 1998-2011 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
+.\" $OpenLDAP$
.SH NAME
slapd.access \- access configuration for slapd, the stand-alone LDAP daemon
.SH SYNOPSIS
If no access controls are present, the default policy
allows anyone and everyone to read anything but restricts
updates to rootdn. (e.g., "access to * by * read").
-The rootdn can always read and write EVERYTHING!
+.LP
+When dealing with an access list, because the global access list is
+effectively appended to each per-database list, if the resulting
+list is non-empty then the access list will end with an implicit
+.B access to * by * none
+directive. If there are no access directives applicable to a backend,
+then a default read is used.
+.LP
+.B Be warned: the rootdn can always read and write EVERYTHING!
.LP
For entries not held in any backend (such as a root DSE), the
-directives of the first backend (and any global directives) are
-used.
+global directives are used.
.LP
Arguments that should be replaced by actual text are shown in
brackets <>.
and/or
.BR re_format (7),
matching a normalized string representation of the entry's DN.
-The regex form of the pattern does not (yet) support UTF\-8.
+The regex form of the pattern does not (yet) support UTF-8.
.LP
The statement
.B filter=<ldapfilter>
The dn, filter, and attrs statements are additive; they can be used in sequence
to select entities the access rule applies to based on naming context,
value and attribute type simultaneously.
+Submatches resulting from
+.B regex
+matching can be dereferenced in the
+.B <who>
+field using the syntax
+.IR ${v<n>} ,
+where
+.I <n>
+is the submatch number.
+The default syntax,
+.IR $<n> ,
+is actually an alias for
+.IR ${d<n>} ,
+that corresponds to dereferencing submatches from the
+.B dnpattern
+portion of the
+.B <what>
+field.
.SH THE <WHO> FIELD
The field
.B <who>
<groupstyle>={exact|expand}
<peernamestyle>={<style>|ip|ipv6|path}
<domainstyle>={exact|regex|sub(tree)}
- <setstyle>={exact|regex}
+ <setstyle>={exact|expand}
<modifier>={expand}
<name>=aci <pattern>=<attrname>]
.fi
or the form
.BR ${<digit>+} ,
for submatches higher than 9.
+Substring substitution from attribute value can
+be done in
+using the form
+.BR ${v<digit>+} .
Since the dollar character is used to indicate a substring replacement,
the dollar character that is used to indicate match up to the end of
the string must be escaped by a second dollar character, e.g.
Its component are defined as
.LP
.nf
- <level> ::= none|disclose|auth|compare|search|read|write|manage
- <priv> ::= {=|+|-}{m|w|r|s|c|x|d|0}+
+ <level> ::= none|disclose|auth|compare|search|read|{write|add|delete}|manage
+ <priv> ::= {=|+|\-}{0|d|x|c|s|r|{w|a|z}|m}+
.fi
.LP
The modifier
An example is the
.B selfwrite
access to the member attribute of a group, which allows one to add/delete
-its own DN from the member list of a group, without affecting other members.
+its own DN from the member list of a group, while being not allowed
+to affect other members.
.LP
The
.B level
.BR compare ,
.BR search ,
.BR read ,
+.BR write ,
and
-.BR write .
+.BR manage .
Each access level implies all the preceding ones, thus
.B manage
-grants all access including administrative access,
+grants all access including administrative access.
+The
+.BR write
+access is actually the combination of
+.BR add
+and
+.BR delete ,
+which respectively restrict the write privilege to add or delete
+the specified
+.BR <what> .
+
.LP
The
.B none
The
.B +
and
-.B -
+.B \-
signs add/remove access privileges to the existing ones.
The privileges are
.B m
for manage,
.B w
for write,
+.B a
+for add,
+.B z
+for delete,
.B r
for read,
.B s
More than one of the above privileges can be added in one statement.
.B 0
indicates no privileges and is used only by itself (e.g., +0).
+Note that
+.B +az
+is equivalent to
+.BR +w .
.LP
If no access is given, it defaults to
.BR +0 .
The
.B add
operation requires
-.B write (=w)
+.B add (=a)
privileges on the pseudo-attribute
.B entry
of the entry being added, and
-.B write (=w)
+.B add (=a)
privileges on the pseudo-attribute
.B children
of the entry's parent.
-When adding the suffix entry of a database, write access to
+When adding the suffix entry of a database,
+.B add
+access to
.B children
-of the empty DN ("") is required.
+of the empty DN ("") is required. Also if
+Add content ACL checking has been configured on
+the database (see the
+.BR slapd.conf (5)
+or
+.BR slapd\-config (5)
+manual page),
+.B add (=a)
+will be required on all of the attributes being added.
.LP
The
The
.B delete
operation requires
-.B write (=w)
+.B delete (=z)
privileges on the pseudo-attribute
.B entry
of the entry being deleted, and
-.B write (=w)
+.B delete (=d)
privileges on the
.B children
pseudo-attribute of the entry's parent.
operation requires
.B write (=w)
privileges on the attributes being modified.
+In detail,
+.B add (=a)
+is required to add new values,
+.B delete (=z)
+is required to delete existing values,
+and both
+.B delete
+and
+.BR "add (=az)" ,
+or
+.BR "write (=w)" ,
+are required to replace existing values.
.LP
The
privileges on the pseudo-attribute
.B entry
of the entry whose relative DN is being modified,
-.B write (=w)
+.B delete (=z)
privileges on the pseudo-attribute
.B children
-of the old and new entry's parents, and
-.B write (=w)
+of the old entry's parents,
+.B add (=a)
+privileges on the pseudo-attribute
+.B children
+of the new entry's parents, and
+.B add (=a)
privileges on the attributes that are present in the new relative DN.
-.B Write (=w)
+.B Delete (=z)
privileges are also required on the attributes that are present
in the old relative DN if
.B deleteoldrdn
.B search (=s)
privileges on the
.B entry
-pseudo-attribute of the searchBase (NOTE: this was introduced with 2.3).
+pseudo-attribute of the searchBase
+(NOTE: this was introduced with OpenLDAP 2.4).
Then, for each entry, it requires
.B search (=s)
privileges on the attributes that are defined in the filter.
attribute of the authorizing identity and/or on the
.B authzFrom
attribute of the authorized identity.
+In general, when an internal lookup is performed for authentication
+or authorization purposes, search-specific privileges (see the access
+requirements for the search operation illustrated above) are relaxed to
+.BR auth .
.LP
Access control to search entries is checked by the frontend,
so it is fully honored by all backends; for all other operations
and for the discovery phase of the search operation,
full ACL semantics is only supported by the primary backends, i.e.
-.BR back-bdb (5),
+.BR back\-bdb (5),
and
-.BR back-hdb (5).
+.BR back\-hdb (5).
Some other backend, like
-.BR back-sql (5),
+.BR back\-sql (5),
may fully support them; others may only support a portion of the
described semantics, or even differ in some aspects.
The relevant details are described in the backend-specific man pages.
default slapd configuration file
.SH SEE ALSO
.BR slapd (8),
-.BR slapd-* (5),
+.BR slapd\-* (5),
.BR slapacl (8),
.BR regex (7),
.BR re_format (7)