daemon. This configuration file is also used by the
.BR slurpd (8)
replication daemon and by the SLAPD tools
+.BR slapacl (8),
.BR slapadd (8),
+.BR slapauth (8),
.BR slapcat (8),
+.BR slapdn (8),
+.BR slapindex (8),
and
-.BR slapindex (8).
+.BR slaptest (8).
.LP
The
.B slapd.conf
dn[.<dnstyle>[,<modifier>]]=<DN>
dnattr=<attrname>
group[/<objectclass>[/<attrname>]]
- [.<style>]=<group>
+ [.<groupstyle>]=<group>
peername[.<peernamestyle>]=<peername>
sockname[.<style>]=<sockname>
domain[.<domainstyle>[,<modifier>]]=<domain>
sockurl[.<style>]=<sockurl>
- set[.<style>]=<pattern>
+ set[.<setstyle>]=<pattern>
ssf=<n>
transport_ssf=<n>
.LP
.nf
<dnstyle>={{exact|base}|regex|sub(tree)|one(level)|children}
- <style>={exact|regex}
- <peernamestyle>={exact|regex|ip|path}
+ <groupstyle>={exact|expand}
+ <style>={exact|regex|expand}
+ <peernamestyle>={<style>|ip|path}
<domainstyle>={exact|regex|sub(tree)}
+ <setstyle>={exact|regex}
<modifier>={expand}
.fi
.LP
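Review bot: the synopsis treats expansion inconsistently between the who clauses: for dn and domain it is a modifier ("dn[.<dnstyle>[,<modifier>]]", "domain[.<domainstyle>[,<modifier>]]" with "<modifier>={expand}"), while for group it is a style ("group[...][.<groupstyle>]" with "<groupstyle>={exact|expand}"). A reader who learns "dn.exact,expand" from the examples below will try "group.exact,expand" by analogy. Either document the group form as "group[/<objectclass>[/<attrname>]][.<groupstyle>[,<modifier>]]" if that is accepted, or add a sentence saying that for group the expand style replaces the modifier. The same question applies to "<setstyle>={exact|regex}", which lists no expand at all.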
with
.B digit
ranging from 1 to 9.
+Since the dollar character is used to indicate a substring replacement,
+the dollar character that is used to indicate match up to the end of
+the string must be escaped by a second dollar character, e.g.
+.LP
+.nf
+ access to dn.regex="^(.+,)?uid=([^,]+),dc=[^,]+,dc=com$"
+ by dn.regex="^uid=$2,dc=[^,]+,dc=com$$" write
+.fi
+.LP
The style qualifier
allows an optional
.BR modifier .
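Review bot: the escaping rule in the added sentence ("the dollar character that is used to indicate match up to the end of the string must be escaped by a second dollar character") reads as if every terminal "$" must be doubled, but the example doubles it only in the by clause and keeps a single "$" in the what clause. State explicitly that substring replacement, and therefore the "$$" escape, applies only to patterns that are expanded, i.e. the by clause, and that a "$$" in the what clause would be a literal and break the match; the examples later in the page depend on exactly this distinction.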
.B dnstyle
is not
.BR regex .
+Note that the
+.I regex
+dnstyle in the above example may be of use only if the
+.B by
+clause needs to be a regex; otherwise, if the
+value of the second (from the right)
+.I dc=
+portion of the DN in the above example were fixed, the form
+.LP
+.nf
+ access to dn.regex="^(.+,)?uid=([^,]+),dc=example,dc=com$"
+ by dn.exact,expand="uid=$2,dc=example,dc=com" write
+.fi
+.LP
+could be used; if it had to match the value in the
+.B what
+clause, the form
+.LP
+.nf
+ access to dn.regex="^(.+,)?uid=([^,]+),dc=([^,]+),dc=com$"
+ by dn.exact,expand="uid=$2,dc=$3,dc=com" write
+.fi
+.LP
+could be used.
+.LP
It is perfectly useless to give any access privileges to a DN
that exactly matches the
.B rootdn
of the database the ACLs apply to, because it implicitly
possesses write privileges for the entire tree of that database.
+Actually, access control is bypassed for the
+.BR rootdn ,
+to solve the intrinsic chicken-and-egg problem.
.LP
The statement
.B dnattr=<attrname>
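Review bot: the advice to prefer "dn.exact,expand" whenever the by clause does not itself need to be a regex deserves a security reason in addition to the performance one. As this page defines the regex style (submatch expansion followed by a regex(7) match), the text substituted for "$2" in "by dn.regex="^uid=$2,dc=[^,]+,dc=com$$"" becomes pattern syntax before matching, so a uid value containing regex metacharacters is no longer compared as the literal attribute value; "dn.exact,expand" compares the expanded string literally and avoids that. Also, the first example's "dc=[^,]+" in the by clause lets "uid=X" under any "dc=...,dc=com" write to "uid=X" under every other one; the third form with "dc=([^,]+)" and "$3" is the safe default and should be presented as such, with the looser form shown as the exception. On the rootdn addition: since access control is bypassed entirely for the rootdn, a "by dn.exact=<rootdn> none" clause is just as ineffective as a grant, so "any rule, grant or deny" would make the point complete.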
The optional style qualifier
.B <style>
can be
-.BR regex ,
+.BR expand ,
which means that
.B <group>
will be expanded as a replacement string (but not as a regular expression)
according to regex (7), and
-.B base
-or
-.B exact
-(an alias of
-.BR base ),
+.BR exact ,
which means that exact match will be used.
.LP
For static groups, the specified attributeType must have
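Review bot: this paragraph still calls the qualifier "<style>" while the synopsis in this same patch introduces "<groupstyle>" for group; rename it here so the two agree. Two smaller points: "regex (7)" with a space should be ".BR regex (7)" as elsewhere in the page, and "expanded as a replacement string ... according to regex (7)" is confusing because regex(7) defines match syntax, not replacement; "using the submatches of the what clause, as described above" says what actually happens.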
.B labeledURI
attributeType. Only LDAP URIs of the form
.B ldap:///<base>??<scope>?<filter>
-will be evaluated in a dynamic group.
+will be evaluated in a dynamic group, by searching the local server only.
.LP
The statements
.BR peername=<peername> ,
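Review bot: "by searching the local server only" should also say what happens to a labeledURI value that does not have the "ldap:///<base>??<scope>?<filter>" form, for instance one with a host component or without a filter: whether it is skipped, logged, or treated as a non-match matters here, because a silently ignored member URI changes who the group grants access to without producing any configuration error.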
.B style
rules for pattern match described for the
.B group
-case apply.
+case apply, plus the
+.B regex
+style, which implies submatch
+.B expand
+and
+.BR regex (7)
+match of the corresponding connection parameters.
The
.B exact
style of the
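Review bot: "the style rules for pattern match described for the group case apply, plus the regex style" leaves the "ip" and "path" styles that the synopsis lists under "<peernamestyle>" unexplained at this point; if they are described further down, a "see below" here is enough, otherwise this paragraph is where they belong. Minor: ".B style" on the first line should be ".B <style>" to match the synopsis notation.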
exactly matches the
.BR domain
pattern.
+The
+.B expand
+style is allowed, implying an
+.B exact
+match with submatch expansion; the use of
+.B expand
+as a style modifier is considered more appropriate.
As an example,
.B domain.subtree=example.com
will match www.example.com, but will not match www.anotherexample.com.
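Review bot: the synopsis gives "<domainstyle>={exact|regex|sub(tree)}" with no "expand", yet this paragraph says the expand style is allowed for domain. Either add it to the synopsis or describe it here as a deprecated spelling of "domain.exact,expand" (the preference the text already states), so that someone checking a config against the synopsis does not conclude "domain.expand" is a typo.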
.B ref
attribute).
.LP
-Some
+Some internal operations and some
.B controls
require specific access privileges.
The
+.B authzID
+mapping and the
.B proxyAuthz
-control requires
+control require
.B auth (=x)
privileges on all the attributes that are present in the search filter
of the URI regexp maps (the right-hand side of the
-.B sasl-regexp
+.B authz-regexp
directives).
-It also requires
-.B auth (=x)
-privileges on the
-.B saslAuthzTo
+.B Auth (=x)
+privileges are also required on the
+.B authzTo
attribute of the authorizing identity and/or on the
-.B saslAuthzFrom
+.B authzFrom
attribute of the authorized identity.
.SH CAVEATS
It is strongly recommended to explicitly use the most appropriate
-.BR <dnstyle> ,
-to avoid possible incorrect specifications of the access rules as well
-as for performance (avoid unrequired regex matching when an exact
+.B <dnstyle>
+in
+.B <what>
+and
+.B <who>
+clauses, to avoid possible incorrect specifications of the access rules
+as well as for performance (avoid unrequired regex matching when an exact
match suffices) reasons.
.LP
An administrator might create a rule of the form:
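Review bot: ".B Auth (=x)" at the start of the added sentence capitalises a literal privilege keyword that is written "auth (=x)" two sentences earlier; reword to "The auth (=x) privilege is also required on ..." so the keyword keeps its spelling. Since this hunk renames "sasl-regexp", "saslAuthzTo" and "saslAuthzFrom" to "authz-regexp", "authzTo" and "authzFrom", say whether the old names are still accepted as aliases; an administrator auditing an existing configuration against this page needs to know which spellings to look for, and an ACL written for "saslAuthzTo" that no longer applies would leave proxy authorization unprotected rather than fail loudly.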
written:
.LP
.nf
- access to dn.regex="^(.+,)?dc=example,dc=com$$"
+ access to dn.regex="^(.+,)?dc=example,dc=com$"
by ...
.fi
.LP
clause, one could use
.LP
.nf
- access to dn.regex="^(.+,)?uid=([^,]+),dc=example,dc=com$$"
+ access to dn.regex="^(.+,)?uid=([^,]+),dc=example,dc=com$"
by dn.regex="^uid=$1,dc=example,dc=com$$" write
by ...
.fi
.LP
However, since all that is required in the
-.B to
+.B by
clause is substring expansion, a more efficient solution is
.LP
.nf
- access to dn.regex="^(.+,)?uid=([^,]+),dc=example,dc=com$$"
+ access to dn.regex="^(.+,)?uid=([^,]+),dc=example,dc=com$"
by dn.exact,expand="uid=$1,dc=example,dc=com" write
by ...
.fi
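Review bot: the by clauses "by dn.regex="^uid=$1,dc=example,dc=com$$"" and "by dn.exact,expand="uid=$1,dc=example,dc=com"" use "$1", but in the what pattern "^(.+,)?uid=([^,]+),dc=example,dc=com$" the first submatch is the optional "(.+,)?" prefix and the uid value is "$2", which is what the corresponding example earlier in this page uses. With "$1" the expanded DN is "uid=,dc=example,dc=com" for the entry itself (empty prefix) and "uid=<prefix>,,dc=example,dc=com" for its children, so the rule matches nobody and the self-write it is meant to grant never happens. These two lines are unchanged context, but the patch is already correcting the "$$" in the same examples and should fix the submatch index at the same time.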
default slapd configuration file
.SH SEE ALSO
.BR slapd (8),
+.BR slapacl (8),
.LP
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
.SH ACKNOWLEDGEMENTS