From: Gavin Henry Date: Fri, 14 Mar 2008 22:53:34 +0000 (+0000) Subject: New Access Control Section, including a new Sets section incorporating ITS#5278,... X-Git-Tag: OPENLDAP_REL_ENG_2_4_9~20^2~88 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=43a8dc824fbdf63285b90251de16d4857a61d54d;p=openldap New Access Control Section, including a new Sets section incorporating ITS#5278, ITS#5279 and ITS#5281. --- diff --git a/doc/guide/admin/Makefile b/doc/guide/admin/Makefile index f71513c919..dfd373d0a9 100644 --- a/doc/guide/admin/Makefile +++ b/doc/guide/admin/Makefile @@ -21,6 +21,7 @@ sdf-src: \ ../plain.sdf \ ../preamble.sdf \ abstract.sdf \ + access-control.sdf \ appendix-changes.sdf \ appendix-common-errors.sdf \ appendix-configs.sdf \ @@ -65,7 +66,10 @@ sdf-img: \ dual_dc.png \ intro_dctree.png \ intro_tree.png \ - refint.png + refint.png \ + set-following-references.png \ + set-memberUid.png \ + set-recursivegroup.png guide.html: guide.sdf sdf-src sdf-img sdf -2html guide.sdf diff --git a/doc/guide/admin/access-control.sdf b/doc/guide/admin/access-control.sdf new file mode 100644 index 0000000000..5132ba0dbe --- /dev/null +++ b/doc/guide/admin/access-control.sdf @@ -0,0 +1,1136 @@ +# $OpenLDAP$ +# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved. +# COPYING RESTRICTIONS APPLY, see COPYRIGHT. + +H1: Access Control + +Access to your directory can be configured via two methods, the first using +{{SECT:The slapd Configuration File}} and the second using the {{slapd-config}}(5) +format ({{SECT:Configuring slapd}}). + +H2: Static Access Control Configuration + +Access to entries and attributes is controlled by the +access configuration file directive. The general form of an +access line is: + +> ::= access to +> [by [] [] ]+ +> ::= * | +> [dn[.]= | dn.=] +> [filter=] [attrs=] +> ::= regex | exact +> ::= base | one | subtree | children +> ::= [val[.]=] | , +> ::= | entry | children +> ::= * | [anonymous | users | self +> | dn[.]= | dn.=] +> [dnattr=] +> [group[/[/][.]]=] +> [peername[.]=] +> [sockname[.]=] +> [domain[.]=] +> [sockurl[.]=] +> [set=] +> [aci=] +> ::= [self]{|} +> ::= none | disclose | auth | compare | search | read | write | manage +> ::= {=|+|-}{m|w|r|s|c|x|d|0}+ +> ::= [stop | continue | break] + +where the part selects the entries and/or attributes to which +the access applies, the {{EX:}} part specifies which entities +are granted access, and the {{EX:}} part specifies the +access granted. Multiple {{EX: }} triplets +are supported, allowing many entities to be granted different access +to the same set of entries and attributes. Not all of these access +control options are described here; for more details see the +{{slapd.access}}(5) man page. + + +H3: What to control access to + +The part of an access specification determines the entries +and attributes to which the access control applies. Entries are +commonly selected in two ways: by DN and by filter. The following +qualifiers select entries by DN: + +> to * +> to dn[.]= +> to dn.= + +The first form is used to select all entries. The second form may +be used to select entries by matching a regular expression against +the target entry's {{normalized DN}}. (The second form is not +discussed further in this document.) The third form is used to +select entries which are within the requested scope of DN. The + is a string representation of the Distinguished Name, as +described in {{REF:RFC4514}}. + +The scope can be either {{EX:base}}, {{EX:one}}, {{EX:subtree}}, +or {{EX:children}}. Where {{EX:base}} matches only the entry with +provided DN, {{EX:one}} matches the entries whose parent is the +provided DN, {{EX:subtree}} matches all entries in the subtree whose +root is the provided DN, and {{EX:children}} matches all entries +under the DN (but not the entry named by the DN). + +For example, if the directory contained entries named: + +> 0: o=suffix +> 1: cn=Manager,o=suffix +> 2: ou=people,o=suffix +> 3: uid=kdz,ou=people,o=suffix +> 4: cn=addresses,uid=kdz,ou=people,o=suffix +> 5: uid=hyc,ou=people,o=suffix + +\Then: +. {{EX:dn.base="ou=people,o=suffix"}} match 2; +. {{EX:dn.one="ou=people,o=suffix"}} match 3, and 5; +. {{EX:dn.subtree="ou=people,o=suffix"}} match 2, 3, 4, and 5; and +. {{EX:dn.children="ou=people,o=suffix"}} match 3, 4, and 5. + + +Entries may also be selected using a filter: + +> to filter= + +where is a string representation of an LDAP +search filter, as described in {{REF:RFC4515}}. For example: + +> to filter=(objectClass=person) + +Note that entries may be selected by both DN and filter by +including both qualifiers in the clause. + +> to dn.one="ou=people,o=suffix" filter=(objectClass=person) + +Attributes within an entry are selected by including a comma-separated +list of attribute names in the selector: + +> attrs= + +A specific value of an attribute is selected by using a single +attribute name and also using a value selector: + +> attrs= val[.