.TH SLAPD.ACCESS 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 1998-2005 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 1998-2006 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.SH NAME
slapd.access \- access configuration for slapd, the stand-alone LDAP daemon
.nf
[dn[.<dnstyle>]=]<dnpattern>
filter=<ldapfilter>
- attrs=<attrlist>[ val[.<attrstyle>]=<attrval>]
+ attrs=<attrlist>[ val[/matchingRule][.<attrstyle>]=<attrval>]
.fi
.LP
with
is implied, i.e. all attributes are addressed.
.LP
Using the form
-.B attrs=<attr> val[.<style>]=<attrval>
+.B attrs=<attr> val[/matchingRule][.<attrstyle>]=<attrval>
specifies access to a particular value of a single attribute.
-In this case, only a single attribute type may be given. A value
-.B <style>
-of
+In this case, only a single attribute type may be given. The
+.B <attrstyle>
.B exact
(the default) uses the attribute's equality matching rule to compare the
-value. If the value
-.B <style>
+value, unless a different (and compatible) matching rule is specified. If the
+.B <attrstyle>
is
.BR regex ,
the provided value is used as a POSIX (''extended'') regular
-expression pattern. If the attribute has DN syntax, the value
-.B <style>
+expression pattern. If the attribute has DN syntax, the
+.B <attrstyle>
can be any of
.BR base ,
.BR onelevel ,
*
anonymous
users
- self
+ self[.<selfstyle>]
dn[.<dnstyle>[,<modifier>]]=<DN>
dnattr=<attrname>
+
+ realanonymous
+ realusers
+ realself[.<selfstyle>]
+
+ realdn[.<dnstyle>[,<modifier>]]=<DN>
+ realdnattr=<attrname>
+
group[/<objectclass>[/<attrname>]]
[.<groupstyle>]=<group>
peername[.<peernamestyle>]=<peername>
tls_ssf=<n>
sasl_ssf=<n>
- aci=<attrname>
+ dynacl/<name>[/<options>][.<dynstyle>][=<pattern>]
.fi
.LP
with
.LP
.nf
<style>={exact|regex|expand}
+ <selfstyle>={level{<n>}}
<dnstyle>={{exact|base(object)}|regex
- |one(level)|sub(tree)|children}
+ |one(level)|sub(tree)|children|level{<n>}}
<groupstyle>={exact|expand}
<peernamestyle>={<style>|ip|path}
<domainstyle>={exact|regex|sub(tree)}
<setstyle>={exact|regex}
<modifier>={expand}
+ <name>=aci <pattern>=<attrname>]
.fi
.LP
They may be specified in combination.
.B *
refers to everybody.
.LP
+The keywords prefixed by
+.B real
+act as their counterparts without prefix; the checking respectively occurs
+with the \fIauthentication\fP DN and the \fIauthorization\fP DN.
+.LP
The keyword
.B anonymous
means access is granted to unauthenticated clients; it is mostly used
.B self
means access to an entry is allowed to the entry itself (e.g. the entry
being accessed and the requesting entry must be the same).
+It allows the
+.B level{<n>}
+style, where \fI<n>\fP indicates what ancestor of the DN
+is to be used in matches.
+A positive value indicates that the <n>-th ancestor of the user's DN
+is to be considered; a negative value indicates that the <n>-th ancestor
+of the target is to be considered.
+For example, a "\fIby self.level{1} ...\fP" clause would match
+when the object "\fIdc=example,dc=com\fP" is accessed
+by "\fIcn=User,dc=example,dc=com\fP".
+A "\fIby self.level{-1} ...\fP" clause would match when the same user
+accesses the object "\fIou=Address Book,cn=User,dc=example,dc=com\fP".
.LP
The statement
.B dn=<DN>
the
.BR one(level) ,
and the
-.B children
+.BR children
forms provide
.B $0
as the match of the entire string.
the
.BR one(level) ,
and the
-.B children
+.BR children
forms also provide
.B $1
as the match of the rightmost part of the DN as defined in the
.B <by>
clause is allowed.
.LP
+The
+.BR level{<n>}
+form is an extension and a generalization of the
+.BR onelevel
+form, which matches all DNs whose <n>-th ancestor is the pattern.
+So, \fIlevel{1}\fP is equivalent to \fIonelevel\fP,
+and \fIlevel{0}\fP is equivalent to \fIbase\fP.
+.LP
It is perfectly useless to give any access privileges to a DN
that exactly matches the
.B rootdn
and
.B <attrname>
define the objectClass and the member attributeType of the group entry.
+The defaults are
+.B groupOfNames
+and
+.BR member ,
+respectively.
The optional style qualifier
.B <style>
can be
is undocumented yet.
.LP
The statement
-.B aci=<attrname>
+.B dynacl/<name>[/<options>][.<dynstyle>][=<pattern>]
+means that access checking is delegated to the admin-defined method
+indicated by
+.BR <name> ,
+which can be registered at run-time by means of the
+.B moduleload
+statement.
+The fields
+.BR <options> ,
+.B <dynstyle>
+and
+.B <pattern>
+are optional, and are directly passed to the registered parsing routine.
+Dynacl is experimental; it must be enabled at compile time.
+.LP
+The statement
+.B dynacl/aci[=<attrname>]
means that the access control is determined by the values in the
.B attrname
of the entry itself.
+The optional
+.B <attrname>
+indicates what attributeType holds the ACI information in the entry.
+By default, the
+.B OpenLDAPaci
+operational attribute is used.
ACIs are experimental; they must be enabled at compile time.
.LP
The statements
to grant access. The value should be positive integer.
.SH THE <ACCESS> FIELD
The field
-.B <access> ::= [self]{<level>|<priv>}
+.B <access> ::= [[real]self]{<level>|<priv>}
determines the access level or the specific access privileges the
.B who
field will have.
Its component are defined as
.LP
.nf
- <level> ::= none|auth|compare|search|read|write
- <priv> ::= {=|+|-}{w|r|s|c|x|0}+
+ <level> ::= none|disclose|auth|compare|search|read|write
+ <priv> ::= {=|+|-}{w|r|s|c|x|d|0}+
.fi
.LP
The modifier
allows special operations like having a certain access level or privilege
only in case the operation involves the name of the user that's requesting
the access.
-It implies the user that requests access is bound.
+It implies the user that requests access is authorized.
+The modifier
+.B realself
+refers to the authenticated DN as opposed to the authorized DN of the
+.B self
+modifier.
An example is the
.B selfwrite
access to the member attribute of a group, which allows one to add/delete
privileges.
The possible levels are
.BR none ,
+.BR disclose ,
.BR auth ,
.BR compare ,
.BR search ,
Each access level implies all the preceding ones, thus
.B write
access will imply all accesses.
-While
-.B none
-is trivial,
+.LP
+The
+.B none
+access level disallows all access including disclosure on error.
+.LP
+The
+.B disclose
+access level allows disclosure of information on error.
+.LP
+The
.B auth
-access means that one is allowed access to an attribute to perform
+access level means that one is allowed access to an attribute to perform
authentication/authorization operations (e.g.
.BR bind )
with no other access.
.B s
for search,
.B c
-for compare, and
+for compare,
.B x
-for authentication.
+for authentication, and
+.B d
+for disclose.
More than one of the above privileges can be added in one statement.
.B 0
indicates no privileges and is used only by itself (e.g., +0).
.LP
which grants everybody search and compare privileges, and adds read
privileges to authenticated clients.
+.LP
+One useful application is to easily grant write privileges to an
+.B updatedn
+that is different from the
+.BR rootdn .
+In this case, since the
+.B updatedn
+needs write access to (almost) all data, one can use
+.LP
+.nf
+ access to *
+ by dn.exact="cn=The Update DN,dc=example,dc=com" write
+ by * break
+.fi
+.LP
+as the first access rule.
+As a consequence, unless the operation is performed with the
+.B updatedn
+identity, control is passed straight to the subsequent rules.
.SH OPERATION REQUIREMENTS
Operations require different privileges on different portions of entries.
The following summary applies to primary database backends such as
-the LDBM, BDB, and HDB backends. Requirements for other backends may
+the BDB and HDB backends. Requirements for other backends may
(and often do) differ.
.LP
The
.B modify
operation requires
.B write (=w)
-privileges on the attibutes being modified.
+privileges on the attributes being modified.
.LP
The
.B modrdn
.LP
The
.B search
-operation, for each entry, requires
+operation, requires
+.B search (=s)
+privileges on the
+.B entry
+pseudo-attribute of the searchBase (NOTE: this was introduced with 2.3).
+Then, for each entry, it requires
.B search (=s)
privileges on the attributes that are defined in the filter.
-Then, the resulting entries are tested for
+The resulting entries are finally tested for
.B read (=r)
privileges on the pseudo-attribute
.B entry
attribute of the authorizing identity and/or on the
.B authzFrom
attribute of the authorized identity.
+
+.LP
+Access control to search entries is checked by the frontend,
+so it is fully honored by all backends; for all other operations
+and for the discovery phase of the search operation,
+full ACL semantics is only supported by the primary backends, i.e.
+.BR back-bdb (5),
+and
+.BR back-hdb (5).
+
+Some other backend, like
+.BR back-sql (5),
+may fully support them; others may only support a portion of the
+described semantics, or even differ in some aspects.
+The relevant details are described in the backend-specific man pages.
+
.SH CAVEATS
It is strongly recommended to explicitly use the most appropriate
.B <dnstyle>
and
.B <who>
clauses, to avoid possible incorrect specifications of the access rules
-as well as for performance (avoid unrequired regex matching when an exact
+as well as for performance (avoid unnecessary regex matching when an exact
match suffices) reasons.
.LP
An administrator might create a rule of the form:
default slapd configuration file
.SH SEE ALSO
.BR slapd (8),
+.BR slapd-* (5),
.BR slapacl (8),
.BR regex (7),
.BR re_format (7)