.TH SLAPD.ACCESS 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 1998-2005 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 1998-2006 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.SH NAME
slapd.access \- access configuration for slapd, the stand-alone LDAP daemon
.nf
[dn[.<dnstyle>]=]<dnpattern>
filter=<ldapfilter>
- attrs=<attrlist>[ val[.<attrstyle>]=<attrval>]
+ attrs=<attrlist>[ val[
/matchingRule][.<attrstyle>]=<attrval>]
.fi
.LP
with
is implied, i.e. all attributes are addressed.
.LP
Using the form
-.B attrs=<attr> val[.<attrstyle>]=<attrval>
+.B attrs=<attr> val[
/matchingRule][.<attrstyle>]=<attrval>
specifies access to a particular value of a single attribute.
In this case, only a single attribute type may be given. The
.B <attrstyle>
.B exact
(the default) uses the attribute's equality matching rule to compare the
-value. If the
+value, unless a different (and compatible) matching rule is specified. If the
.B <attrstyle>
is
.BR regex ,
tls_ssf=<n>
sasl_ssf=<n>
- aci[=<attrname>]
- dynacl/name[.<dynstyle>][=<pattern>]
+ dynacl/<name>[/<options>][.<dynstyle>][=<pattern>]
.fi
.LP
with
<domainstyle>={exact|regex|sub(tree)}
<setstyle>={exact|regex}
<modifier>={expand}
+ <name>=aci <pattern>=<attrname>]
.fi
.LP
They may be specified in combination.
and
.B <attrname>
define the objectClass and the member attributeType of the group entry.
+The defaults are
+.B groupOfNames
+and
+.BR member ,
+respectively.
The optional style qualifier
.B <style>
can be
is undocumented yet.
.LP
The statement
-.B aci[=<attrname>]
-means that the access control is determined by the values in the
-.B attrname
-of the entry itself.
-The optional
-.B <attrname>
-indicates what attributeType holds the ACI information in the entry.
-By default, the
-.B OpenLDAPaci
-operational attribute is used.
-ACIs are experimental; they must be enabled at compile time.
-.LP
-The statement
-.B dynacl/<name>[.<dynstyle>][=<pattern>]
+.B dynacl/<name>[/<options>][.<dynstyle>][=<pattern>]
means that access checking is delegated to the admin-defined method
indicated by
.BR <name> ,
.B moduleload
statement.
The fields
+.BR <options> ,
.B <dynstyle>
and
.B <pattern>
are optional, and are directly passed to the registered parsing routine.
Dynacl is experimental; it must be enabled at compile time.
-If dynacl and ACIs are both enabled, ACIs are cast into the dynacl scheme,
-where
-.B <name>=aci
-and, optionally,
-.BR <patten>=<attrname> .
-However, the original ACI syntax is preserved for backward compatibility.
+.LP
+The statement
+.B dynacl/aci[=<attrname>]
+means that the access control is determined by the values in the
+.B attrname
+of the entry itself.
+The optional
+.B <attrname>
+indicates what attributeType holds the ACI information in the entry.
+By default, the
+.B OpenLDAPaci
+operational attribute is used.
+ACIs are experimental; they must be enabled at compile time.
.LP
The statements
.BR ssf=<n> ,
.LP
which grants everybody search and compare privileges, and adds read
privileges to authenticated clients.
+.LP
+One useful application is to easily grant write privileges to an
+.B updatedn
+that is different from the
+.BR rootdn .
+In this case, since the
+.B updatedn
+needs write access to (almost) all data, one can use
+.LP
+.nf
+ access to *
+ by dn.exact="cn=The Update DN,dc=example,dc=com" write
+ by * break
+.fi
+.LP
+as the first access rule.
+As a consequence, unless the operation is performed with the
+.B updatedn
+identity, control is passed straight to the subsequent rules.
.SH OPERATION REQUIREMENTS
Operations require different privileges on different portions of entries.
The following summary applies to primary database backends such as
-the LDBM, BDB, and HDB backends. Requirements for other backends may
+the BDB and HDB backends. Requirements for other backends may
(and often do) differ.
.LP
The
.B modify
operation requires
.B write (=w)
-privileges on the attibutes being modified.
+privileges on the attributes being modified.
.LP
The
.B modrdn
and for the discovery phase of the search operation,
full ACL semantics is only supported by the primary backends, i.e.
.BR back-bdb (5),
-.BR back-hdb (5),
and
-.BR back-ldbm (5).
+.BR back-hdb (5).
Some other backend, like
.BR back-sql (5),
and
.B <who>
clauses, to avoid possible incorrect specifications of the access rules
-as well as for performance (avoid unrequired regex matching when an exact
+as well as for performance (avoid unnecessary regex matching when an exact
match suffices) reasons.
.LP
An administrator might create a rule of the form:
projects / openldap / blobdiff