From: Gavin Henry Date: Wed, 19 Mar 2008 16:10:50 +0000 (+0000) Subject: Access control section now includes all relevant FAQ items and is completed as far... X-Git-Tag: OPENLDAP_REL_ENG_2_4_9~20^2~77 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=20e24e15171d86ffc41ac0f8a7beea2a5bf83fcc;p=openldap Access control section now includes all relevant FAQ items and is completed as far as content. Just need to verify http://www.openldap.org/faq/data/cache/1005.html is up to date for 2.4 etc. and the rest of the section. --- diff --git a/doc/guide/admin/access-control.sdf b/doc/guide/admin/access-control.sdf index a1b312586f..a60a341052 100644 --- a/doc/guide/admin/access-control.sdf +++ b/doc/guide/admin/access-control.sdf @@ -4,39 +4,59 @@ H1: Access Control +H2: Introduction + +As the directory gets populated with more and more data of varying sensitivity, +controlling the kinds of access granted to the directory becomes more and more +critical. For instance, the directory may contain data of a confidential nature +that you may need to protect by contract or by law. Or, if using the directory +to control access to other services, inappropriate access to the directory may +create avenues of attack to your sites security that result in devastating +damage to your assets. + Access to your directory can be configured via two methods, the first using {{SECT:The slapd Configuration File}} and the second using the {{slapd-config}}(5) format ({{SECT:Configuring slapd}}). +The default access control policy is allow read by all clients. Regardless of +what access control policy is defined, the {{rootdn}} is always allowed full +rights (i.e. auth, search, compare, read and write) on everything and anything. + +As a consequence, it's useless (and results in a performance penalty) to explicitly +list the {{rootdn}} among the {{}} clauses. + +The following sections will describe Access Control Lists in more details and +follow with some examples and recommendations. + H2: Access Control via Static Configuration Access to entries and attributes is controlled by the access configuration file directive. The general form of an access line is: -> ::= access to -> [by [] [] ]+ -> ::= * | -> [dn[.]= | dn.=] -> [filter=] [attrs=] -> ::= regex | exact -> ::= base | one | subtree | children -> ::= [val[.]=] | , -> ::= | entry | children -> ::= * | [anonymous | users | self -> | dn[.]= | dn.=] -> [dnattr=] -> [group[/[/][.]]=] -> [peername[.]=] -> [sockname[.]=] -> [domain[.]=] -> [sockurl[.]=] -> [set=] -> [aci=] -> ::= [self]{|} -> ::= none | disclose | auth | compare | search | read | write | manage -> ::= {=|+|-}{m|w|r|s|c|x|d|0}+ -> ::= [stop | continue | break] +> ::= access to +> [by [] [] ]+ +> ::= * | +> [dn[.]= | dn.=] +> [filter=] [attrs=] +> ::= regex | exact +> ::= base | one | subtree | children +> ::= [val[.]=] | , +> ::= | entry | children +> ::= * | [anonymous | users | self +> | dn[.]= | dn.=] +> [dnattr=] +> [group[/[/][.]]=] +> [peername[.]=] +> [sockname[.]=] +> [domain[.]=] +> [sockurl[.]=] +> [set=] +> [aci=] +> ::= [self]{|} +> ::= none | disclose | auth | compare | search | read | write | manage +> ::= {=|+|-}{m|w|r|s|c|x|d|0}+ +> ::= [stop | continue | break] where the part selects the entries and/or attributes to which the access applies, the {{EX:}} part specifies which entities @@ -55,9 +75,9 @@ and attributes to which the access control applies. Entries are commonly selected in two ways: by DN and by filter. The following qualifiers select entries by DN: -> to * -> to dn[.]= -> to dn.= +> to * +> to dn[.]= +> to dn.= The first form is used to select all entries. The second form may be used to select entries by matching a regular expression against @@ -76,12 +96,12 @@ under the DN (but not the entry named by the DN). For example, if the directory contained entries named: -> 0: o=suffix -> 1: cn=Manager,o=suffix -> 2: ou=people,o=suffix -> 3: uid=kdz,ou=people,o=suffix -> 4: cn=addresses,uid=kdz,ou=people,o=suffix -> 5: uid=hyc,ou=people,o=suffix +> 0: o=suffix +> 1: cn=Manager,o=suffix +> 2: ou=people,o=suffix +> 3: uid=kdz,ou=people,o=suffix +> 4: cn=addresses,uid=kdz,ou=people,o=suffix +> 5: uid=hyc,ou=people,o=suffix \Then: . {{EX:dn.base="ou=people,o=suffix"}} match 2; @@ -92,27 +112,27 @@ For example, if the directory contained entries named: Entries may also be selected using a filter: -> to filter= +> to filter= where is a string representation of an LDAP search filter, as described in {{REF:RFC4515}}. For example: -> to filter=(objectClass=person) +> to filter=(objectClass=person) Note that entries may be selected by both DN and filter by including both qualifiers in the clause. -> to dn.one="ou=people,o=suffix" filter=(objectClass=person) +> to dn.one="ou=people,o=suffix" filter=(objectClass=person) Attributes within an entry are selected by including a comma-separated list of attribute names in the selector: -> attrs= +> attrs= A specific value of an attribute is selected by using a single attribute name and also using a value selector: -> attrs= val[.