dn[.<dnstyle>[,<modifier>]]=<DN>
dnattr=<attrname>
+
+ realanonymous
+ realusers
+ realself[.<selfstyle>]
+
+ realdn[.<dnstyle>[,<modifier>]]=<DN>
+ realdnattr=<attrname>
+
group[/<objectclass>[/<attrname>]]
[.<groupstyle>]=<group>
peername[.<peernamestyle>]=<peername>
tls_ssf=<n>
sasl_ssf=<n>
- aci=<attrname>
+ aci[=<attrname>]
+ dynacl/name[.<dynstyle>][=<pattern>]
.fi
.LP
with
.B *
refers to everybody.
.LP
+The keywords prefixed by
+.B real
+act as their counterparts without prefix; the checking respectively occurs
+with the \fIauthentication\fP DN and the \fIauthorization\fP DN.
+.LP
The keyword
.B anonymous
means access is granted to unauthenticated clients; it is mostly used
is undocumented yet.
.LP
The statement
-.B aci=<attrname>
+.B aci[=<attrname>]
means that the access control is determined by the values in the
.B attrname
of the entry itself.
+The optional
+.B <attrname>
+indicates what attributeType holds the ACI information in the entry.
+By default, the
+.B OpenLDAPaci
+operational attribute is used.
ACIs are experimental; they must be enabled at compile time.
.LP
+The statement
+.B dynacl/<name>[.<dynstyle>][=<pattern>]
+means that access checking is delegated to the admin-defined method
+indicated by
+.BR <name> ,
+which can be registered at run-time by means of the
+.B moduleload
+statement.
+The fields
+.B <dynstyle>
+and
+.B <pattern>
+are optional, and are directly passed to the registered parsing routine.
+Dynacl is experimental; it must be enabled at compile time.
+If dynacl and ACIs are both enabled, ACIs are cast into the dynacl scheme,
+where
+.B <name>=aci
+and, optionally,
+.BR <patten>=<attrname> .
+However, the original ACI syntax is preserved for backward compatibility.
+.LP
The statements
.BR ssf=<n> ,
.BR transport_ssf=<n> ,
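Review bot: typo in the dynacl paragraph, `.BR <patten>=<attrname> .` should read `.BR <pattern>=<attrname> .` to match the `<pattern>` field named a few lines above. Also worth stating in the same paragraph that a `dynacl/aci` rule is only meaningful when both compile-time options are enabled, since the text says ACIs "are cast into the dynacl scheme" but the preceding sentence only says dynacl itself must be enabled.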
to grant access. The value should be positive integer.
.SH THE <ACCESS> FIELD
The field
-.B <access> ::= [self]{<level>|<priv>}
+.B <access> ::= [[real]self]{<level>|<priv>}
determines the access level or the specific access privileges the
.B who
field will have.
allows special operations like having a certain access level or privilege
only in case the operation involves the name of the user that's requesting
the access.
-It implies the user that requests access is bound.
+It implies the user that requests access is authorized.
+The modifier
+.B realself
+refers to the authenticated DN as opposed to the authorized DN of the
+.B self
+modifier.
An example is the
.B selfwrite
access to the member attribute of a group, which allows one to add/delete
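Review bot: terminology drifts between the two added passages; the <who> section speaks of the "authentication DN" and "authorization DN", while the `realself` text here says "authenticated DN" and "authorized DN". Pick one pair and use it in both places so readers can tell these are the same two identities, and consider giving `realself` the same "refers to the authentication DN" phrasing used for the other real-prefixed keywords.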
.LP
The
.B disclose
-access level allows disclorure of information on error.
+access level allows disclosure of information on error.
.LP
The
.B auth
"<attrlist> ::= <attr> [val[.<attrstyle>]=<value>] | <attr> , <attrlist>\n"
"<attr> ::= <attrname> | entry | children\n",
"<who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]\n"
+ "\t[ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ]\n"
"\t[dnattr=<attrname>]\n"
+ "\t[realdnattr=<attrname>]\n"
"\t[group[/<objectclass>[/<attrname>]][.<style>]=<group>]\n"
"\t[peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>]\n"
"\t[domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]\n"
#ifdef SLAPD_ACI_ENABLED
- "\t[aci=<attrname>]\n"
+ "\t[aci=[<attrname>]]\n"
#endif
+#ifdef SLAP_DYNACL
+ "\t[dynacl/<name>[.<dynstyle>][=<pattern>]]\n"
+#endif /* SLAP_DYNACL */
"\t[ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]\n",
"<style> ::= exact | regex | base(Object)\n"
"<dnstyle> ::= base(Object) | one(level) | sub(tree) | children | "
"sub(tree) | children\n"
"<peernamestyle> ::= exact | regex | ip | path\n"
"<domainstyle> ::= exact | regex | base(Object) | sub(tree)\n"
- "<access> ::= [self]{<level>|<priv>}\n"
+ "<access> ::= [[real]self]{<level>|<priv>}\n"
"<level> ::= none|disclose|auth|compare|search|read|write|manage\n"
"<priv> ::= {=|+|-}{0|d|x|c|s|r|w|m}+\n"
"<control> ::= [ stop | continue | break ]\n"