.TH SLAPD.ACCESS 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 1998-2003 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 1998-2004 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.SH NAME
slapd.access \- access configuration for slapd, the stand-alone LDAP daemon
.B exact
(an alias of
.BR base )
-indicates the entry whose DN is equal to the pattern.
+indicates the entry whose DN is equal to the pattern;
.B one
+(synonym of
+.BR onelevel )
indicates all the entries immediately below the
.BR pattern ,
-.B subtree
+.B sub
+(synonym of
+.BR subtree )
indicates all entries in the subtree at the pattern,
.B children
indicates all the entries below (subordinate to) the pattern.
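Review bot: the list punctuation and terminology in this hunk are inconsistent: the `exact` item now ends with a semicolon (`equal to the pattern;`) while the `one` and `sub` items end with commas, and `exact` is described as "an alias of" `base` while `one` and `sub` are "synonym of" their long forms. Suggest using a comma after every item and a single term, e.g. `(synonym of .BR base )` for all three, so the rendered sentence reads as one list.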
dn[.<dnstyle>[,<modifier>]]=<DN>
dnattr=<attrname>
group[/<objectclass>[/<attrname>]]
- [.<style>]=<group>
- peername[.<style>]=<peername>
+ [.<groupstyle>]=<group>
+ peername[.<peernamestyle>]=<peername>
sockname[.<style>]=<sockname>
domain[.<domainstyle>[,<modifier>]]=<domain>
sockurl[.<style>]=<sockurl>
- set[.<style>]=<pattern>
+ set[.<setstyle>]=<pattern>
ssf=<n>
transport_ssf=<n>
aci=<attrname>
.fi
.LP
+with
+.LP
+.nf
+ <dnstyle>={{exact|base}|regex|sub(tree)|one(level)|children}
+ <groupstyle>={exact|expand}
+ <style>={exact|regex|expand}
+ <peernamestyle>={<style>|ip|path}
+ <domainstyle>={exact|regex|sub(tree)}
+ <setstyle>={exact|regex}
+ <modifier>={expand}
+.fi
+.LP
They may be specified in combination.
.LP
.nf
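Review bot: the style grammar mixes two notations for alternatives on one line: `<dnstyle>={{exact|base}|regex|sub(tree)|one(level)|children}` uses nested braces for the `exact`/`base` alias but parentheses for the `sub`/`subtree` and `one`/`onelevel` abbreviations, and `<domainstyle>` repeats the `sub(tree)` form. Suggest one convention throughout, e.g. `{exact|base|regex|sub|subtree|one|onelevel|children}`, and a sentence noting that `sub`/`subtree` and `one`/`onelevel` are synonyms, as the hunk above already states in prose.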
.B dnstyle
is not
.BR regex .
+It is perfectly useless to give any access privileges to a DN
+that exactly matches the
+.B rootdn
+of the database the ACLs apply to, because it implicitly
+possesses write privileges for the entire tree of that database.
.LP
The statement
.B dnattr=<attrname>
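Review bot: "It is perfectly useless to give any access privileges to a DN that exactly matches the rootdn" is informal for a reference page and the point is buried in the second half of the sentence. Suggest leading with the consequence, e.g. "Access directives whose target matches the .B rootdn of the database have no effect, since the rootdn implicitly has write privileges to the entire database", which keeps the same statement in plainer wording.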
The optional style qualifier
.B <style>
can be
-.BR regex ,
+.BR expand ,
which means that
.B <group>
will be expanded as a replacement string (but not as a regular expression)
according to regex (7), and
-.B base
-or
-.B exact
-(an alias of
-.BR base ),
+.BR exact ,
which means that exact match will be used.
.LP
For static groups, the specified attributeType must have
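Review bot: the cross reference `according to regex (7), and` at the line after `(but not as a regular expression)` is plain text, whereas the same reference later in this patch is typeset as `.BR regex (7)`. Suggest moving it onto its own `.BR regex (7)` request line so the manual page name is rendered consistently and the sentence still reads "according to regex(7), and exact, which means ...".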
.B labeledURI
attributeType. Only LDAP URIs of the form
.B ldap:///<base>??<scope>?<filter>
-will be evaluated in a dynamic group.
+will be evaluated in a dynamic group, by searching the local server only.
.LP
The statements
.BR peername=<peername> ,
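Review bot: "will be evaluated in a dynamic group, by searching the local server only" leaves open what happens when a `labeledURI` value does carry a host component, given that the only accepted form shown is `ldap:///<base>??<scope>?<filter>` with an empty host. Suggest stating explicitly whether such URIs are ignored or evaluated against the local server anyway, so an administrator knows that a host in the URI is never contacted.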
.BR domain=<domain> ,
and
.BR sockurl=<sockurl>
-mean that the contacting host IP for
+mean that the contacting host IP (in the form
+.BR "IP=<ip>:<port>" )
+or the contacting host named pipe file name (in the form
+.B "PATH=<path>"
+if connecting through a named pipe) for
.BR peername ,
the named pipe file name for
.BR sockname ,
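Review bot: the new parenthetical in "mean that the contacting host IP (in the form IP=<ip>:<port>) or the contacting host named pipe file name (in the form PATH=<path> if connecting through a named pipe) for peername, ..." repeats "named pipe" twice and makes the enumeration hard to follow before the reader reaches `peername`. Suggest keeping the enumeration short here ("the contacting host IP or named pipe file name for peername") and moving the `IP=<ip>:<port>` and `PATH=<path>` forms to the `exact` style paragraph below, where they are described again anyway.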
.B style
rules for pattern match described for the
.B group
-case apply.
+case apply, plus the
+.B regex
+style, which implies submatch
+.B expand
+and
+.BR regex (7)
+match of the corresponding connection parameters.
+The
+.B exact
+style of the
+.BR peername
+clause (the default) implies a case-exact match on the client's
+.BR IP ,
+including the
+.B "IP="
+prefix and the trailing
+.BR ":<port>" ,
+or the client's
+.BR path ,
+including the
+.B "PATH="
+prefix if connecting through a named pipe.
+The special
+.B ip
+style interprets the pattern as
+.BR <peername>=<ip>[%<mask>][{<n>}] ,
+where
+.B <ip>
+and
+.B <mask>
+are dotted digit representations of the IP and the mask, while
+.BR <n> ,
+delimited by curly brackets, is an optional port.
+When checking access privileges, the IP portion of the
+.BR peername
+is extracted, eliminating the
+.B "IP="
+prefix and the
+.B ":<port>"
+part, and it is compared against the
+.B <ip>
+portion of the pattern after masking with
+.BR <mask> .
+As an example,
+.B peername.ip=127.0.0.1
+alows connections only from localhost,
+.B peername.ip=192.168.1.0%255.255.255.0
+allows connections from any IP in the 192.168.1 class C domain, and
+.B peername.ip=192.168.1.16%255.255.255.240{9009}
+allows connections from any IP in the 192.168.1.[16-31] range
+of the same domain, only if port 9009 is used.
+The special
+.B path
+style eliminates the
+.B "PATH="
+prefix from the
+.B peername
+when connecting through a named pipe, and performs an exact match
+on the given pattern.
The
.BR domain
clause also allows the
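Review bot: typo in the `ip` style example text: "alows connections only from localhost" should read "allows". In the same paragraph, the pattern `<peername>=<ip>[%<mask>][{<n>}]` makes the mask optional but the text never says what mask applies when `%<mask>` is omitted (the first example, `peername.ip=127.0.0.1`, relies on that default); suggest stating it, and consider "192.168.1.0/24 network" in place of "class C domain" since the mask, not the address class, defines the match.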
exactly matches the
.BR domain
pattern.
+The
+.B expand
+style is allowed, implying an
+.B exact
+match with submatch expansion; the use of
+.B expand
+as a style modifier is considered more appropriate.
+As an example,
+.B domain.subtree=example.com
+will match www.example.com, but will not match www.anotherexample.com.
The
.B domain
of the contacting host is determined by performing a DNS reverse lookup.
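Review bot: this hunk states that "The expand style is allowed" for the `domain` clause, but the grammar added earlier in this patch lists `<domainstyle>={exact|regex|sub(tree)}` without `expand`, while `<modifier>={expand}` is what `domain[.<domainstyle>[,<modifier>]]` accepts. Suggest either adding `expand` to `<domainstyle>` or rewording here to say that `expand` is accepted as a style for compatibility but the `,expand` modifier is the documented form, so the grammar and the prose agree.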
.LP
.nf
<level> ::= none|auth|compare|search|read|write
- <priv> ::= {=|+|-}{w|r|s|c|x}+
+ <priv> ::= {=|+|-}{w|r|s|c|x|0}+
.fi
.LP
The modifier
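Review bot: the grammar `<priv> ::= {=|+|-}{w|r|s|c|x|0}+` admits forms such as `+0w` or `=w0`, but the prose added further down says `0` "indicates no privileges and is used only by itself". Suggest making the grammar say the same thing, e.g. `<priv> ::= {=|+|-}({w|r|s|c|x}+|0)`, so that a reader cannot derive a combination the parser does not accept.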
for compare, and
.B x
for authentication.
-More than one privilege can be added in one statement.
+More than one of the above privileges can be added in one statement.
+.B 0
+indicates no privileges and is used only by itself (e.g., +0).
.LP
The optional field
.B <control>
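Review bot: the example `+0` in "indicates no privileges and is used only by itself (e.g., +0)" grants nothing, so the reader is left to guess when it is useful; the `=0` form, which resets the privileges, is the one that changes the outcome. Suggest naming the intended use (an explicit "no privileges" statement, and how `=0` relates to the `none` level in the `<level>` grammar above) and using `=0` as the example, or stating that `+0` and `-0` are accepted but have no effect.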
as for performance (avoid unrequired regex matching when an exact
match suffices) reasons.
.LP
-An adminisistrator might create a rule of the form:
+An administrator might create a rule of the form:
.LP
.nf
access to dn.regex="dc=example,dc=com"