.TH SLAPD.ACCESS 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
+.\" $OpenLDAP$
.SH NAME
slapd.access \- access configuration for slapd, the stand-alone LDAP daemon
.SH SYNOPSIS
part, and it is compared against the
.B <ip>
portion of the pattern after masking with
-.BR <mask> .
+.BR <mask> :
+\fI((peername & <mask>) == <ip>)\fP.
As an example,
.B peername.ip=127.0.0.1
and
Its component are defined as
.LP
.nf
- <level> ::= none|disclose|auth|compare|search|read|write|manage
- <priv> ::= {=|+|-}{m|w|r|s|c|x|d|0}+
+ <level> ::= none|disclose|auth|compare|search|read|{write|add|delete}|manage
+ <priv> ::= {=|+|-}{0|d|x|c|s|r|{w|a|z}|m}+
.fi
.LP
The modifier
.BR compare ,
.BR search ,
.BR read ,
+.BR write ,
and
-.BR write .
+.BR manage .
Each access level implies all the preceding ones, thus
.B manage
-grants all access including administrative access,
+grants all access including administrative access.
+The
+.BR write
+access is actually the combination of
+.BR add
+and
+.BR delete ,
+which respectively restrict the write privilege to add or delete
+the specified
+.BR <what> .
+
.LP
The
.B none
for manage,
.B w
for write,
+.B a
+for add,
+.B z
+for delete,
.B r
for read,
.B s
More than one of the above privileges can be added in one statement.
.B 0
indicates no privileges and is used only by itself (e.g., +0).
+Note that
+.B +az
+is equivalent to
+.BR +w .
.LP
If no access is given, it defaults to
.BR +0 .
The
.B add
operation requires
-.B write (=w)
+.B add (=a)
privileges on the pseudo-attribute
.B entry
of the entry being added, and
-.B write (=w)
+.B add (=a)
privileges on the pseudo-attribute
.B children
of the entry's parent.
-When adding the suffix entry of a database, write access to
+When adding the suffix entry of a database,
+.B add
+access to
.B children
of the empty DN ("") is required.
The
.B delete
operation requires
-.B write (=w)
+.B delete (=z)
privileges on the pseudo-attribute
.B entry
of the entry being deleted, and
-.B write (=w)
+.B delete (=d)
privileges on the
.B children
pseudo-attribute of the entry's parent.
operation requires
.B write (=w)
privileges on the attributes being modified.
+In detail,
+.B add (=a)
+is required to add new values,
+.B delete (=z)
+is required to delete existing values,
+and both
+.B delete
+and
+.BR "add (=az)" ,
+or
+.BR "write (=w)" ,
+are required to replace existing values.
.LP
The
privileges on the pseudo-attribute
.B entry
of the entry whose relative DN is being modified,
-.B write (=w)
+.B delete (=z)
privileges on the pseudo-attribute
.B children
-of the old and new entry's parents, and
-.B write (=w)
+of the old entry's parents,
+.B add (=a)
+privileges on the pseudo-attribute
+.B children
+of the new entry's parents, and
+.B add (=a)
privileges on the attributes that are present in the new relative DN.
-.B Write (=w)
+.B Delete (=z)
privileges are also required on the attributes that are present
in the old relative DN if
.B deleteoldrdn
.B search (=s)
privileges on the
.B entry
-pseudo-attribute of the searchBase (NOTE: this was introduced with 2.3).
+pseudo-attribute of the searchBase
+(NOTE: this was introduced with OpenLDAP 2.4).
Then, for each entry, it requires
.B search (=s)
privileges on the attributes that are defined in the filter.
attribute of the authorizing identity and/or on the
.B authzFrom
attribute of the authorized identity.
+In general, when an internal lookup is performed for authentication
+or authorization purposes, search-specific privileges (see the access
+requirements for the search operation illustrated above) are relaxed to
+.BR auth .
.LP
Access control to search entries is checked by the frontend,
projects / openldap / blobdiff