Abstract
At the end of this chapter, readers should have a basic understanding of the following subjects:
How to control access to the directory server.
Access control using slapd.conf directives.
Configuring ACIs for the LDAP server.
From the slapd.conf man page we get the most general description of an access control directive on a directory entry or a set of entries:
access to what [ by who type_of_access]
If slapd.conf contains no access directive at all, the default policy is to grant read access to everybody:
access to * by * read
(The older regular-expression form access to dn="" by * read means the same thing, since an empty regular expression matches every DN.)
A minimal explicit policy that additionally lets each user modify their own entry looks like this:
access to *
by self write
by * read
Be careful with the last line: writing “by * write” there would let every client, anonymous ones included, modify every entry in the directory.
We'll see in the next sections that there's a bit more to this.
Selecting the entries a directive applies to is done in the what part of the access directive. Entries can be specified either by a regular expression matching the entry's distinguished name (dn=regexp) or by applying a filter of the form:
filter=ldap_filter
The ldap_filter is the string representation of an LDAP search filter, see the section called “Examples”.
Attributes of an entry can be selected by including a comma-separated list of attribute names:
attrs=attribute1,attribute2,...,attributeN
Access to the entry itself, as opposed to its attributes, is controlled by the pseudo-attribute “entry”. Include it in the attrs list whenever a directive targets specific attributes, because an attrs= list on its own says nothing about the entry as a whole.
Targeting every entry is done with the * value in the what field. When no other selector is provided, this is the default. It is the same as specifying dn=.* (any DN).
The who selector can have the following values:
*: everyone
anonymous: non-authenticated users
users: authenticated users
self: the authenticated user, when the entry being accessed is that user's own entry
dn=regexp: those users whose bind DN matches the regular expression
The who part can also match on the DNS domain of the connecting client:
domain=regexp
The domain is obtained from a reverse DNS lookup of the client's address, so it should not be the only control protecting sensitive data.
Another alternative is granting access based on an attribute of the entry being accessed:
dnattr=attribute_name
This matches users whose bind DN appears as a value of the named attribute in the target entry (for instance an owner or manager attribute), which is a convenient way to delegate access per entry without listing DNs in slapd.conf.
The type_of_access part specifies what the matched users may do with the data. Any of the following values may occur, in increasing order of privilege:
none
auth
compare
search
read
write
Each permission includes all the lesser ones (none < auth < compare < search < read < write); granting search, for instance, also grants bind (auth) and compare.
Upon receiving a request, the slapd daemon compares the user's identity and the target entry and attributes against the definitions in the configuration file. Access directives in the database section holding the entry are examined first, then any global directives.
Within each set, the directives are processed in the order in which they appear in the configuration file, and the comparison of the what part stops at the first match.
In the second stage, the by clauses of that one matching directive are examined, again in the order in which they appear, and the first who selector that matches decides.
Last, the type of access is examined: if the access level granted by that by clause is equal to or higher than the requested permission, access is granted; otherwise it is denied.
Since the order is important, more specific directives must precede more general ones in the configuration file; a catch-all “access to *” placed first silently shadows everything after it.
If no “access to” directive matches, or if, after the what part has matched, no who selector in that directive matches, access is denied by default, and evaluation does not fall through to later directives. Think of every list of “by who type_of_access” clauses as being ended implicitly by an additional “by * none” line, and of the whole set of “access to” directives as being closed with “access to * by * none”.
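The following is an added example, not OpenLDAP code: a small Python model of the evaluation order just described, run over a constructed slapd.conf-style policy that uses the what and who selectors from the sections above (dn=regexp, attrs= with the entry pseudo-attribute, self, anonymous, users, dnattr=). It assumes a simplified directive syntax (filter= and domain= are not modelled) and constructed directory entries for two users, alice and bob, where bob is alice's manager. It shows that a directive whose what part matches but whose by clauses do not is a denial rather than a fall-through, and that moving the catch-all directive to the front exposes userPassword to every authenticated user.

```python
import re
import shlex

# Added example, not OpenLDAP code: a toy model of how slapd evaluates
# slapd.conf access directives.  Selectors covered: what = *, dn=regex,
# attrs=... (with the "entry" pseudo-attribute); who = *, anonymous, users,
# self, dn=regex, dnattr=attr.  filter= and domain= are not modelled.
LEVELS = {"none": 0, "auth": 1, "compare": 2, "search": 3, "read": 4, "write": 5}


def parse_policy(text):
    """Parse 'access to <what> by <who> <level> ...' directives, in file order."""
    directives = []
    for chunk in re.split(r"(?m)^\s*access\s+to\s+", text)[1:]:
        toks = shlex.split(chunk, comments=True)   # strips quotes and # comments
        split = toks.index("by") if "by" in toks else len(toks)
        dn_re, attrs = None, None                   # None means "anything"
        for tok in toks[:split]:
            key, _, val = tok.partition("=")
            if tok == "*":
                continue
            if key == "dn":
                dn_re = re.compile(val)
            elif key == "attrs":
                attrs = set(val.split(","))
            else:
                raise ValueError("unsupported what selector: " + tok)
        bys, rest = [], toks[split:]
        while rest:
            if rest[0] != "by" or len(rest) < 3 or rest[2] not in LEVELS:
                raise ValueError("malformed by clause: " + " ".join(rest))
            bys.append((rest[1], LEVELS[rest[2]]))
            rest = rest[3:]
        directives.append((dn_re, attrs, bys))
    return directives


def who_matches(who, bind_dn, target_dn, entry):
    """Does the <who> selector match the bound client for this target entry?"""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    key, _, val = who.partition("=")
    if key == "dn":
        return bind_dn is not None and re.search(val, bind_dn) is not None
    if key == "dnattr":   # bound DN must be listed in the target's <val> attribute
        return bind_dn is not None and bind_dn.lower() in map(str.lower, entry.get(val, []))
    raise ValueError("unsupported who selector: " + who)


def check(policy, directory, bind_dn, target_dn, attr, level):
    """True if bind_dn may perform <level> on <attr> ('entry' = the entry itself)."""
    entry = directory[target_dn]
    for dn_re, attrs, bys in policy:
        if dn_re is not None and not dn_re.search(target_dn):
            continue
        if attrs is not None and attr not in attrs:
            continue
        # First matching <what> decides; the first matching <by> inside it wins.
        for who, granted in bys:
            if who_matches(who, bind_dn, target_dn, entry):
                return granted >= LEVELS[level]
        return False    # <what> matched but no <who> did: implicit "by * none"
    return False        # nothing matched at all: implicit "to * by * none"


# Constructed sample policy.  SPECIFIC must come before CATCHALL.
SPECIFIC = """
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to dn="^uid=[^,]+,ou=People,dc=example,dc=com$" attrs=entry,mail,telephoneNumber
    by self write
    by dnattr=manager read
    by users read
"""
CATCHALL = "access to *\n    by users read\n"

ALICE = "uid=alice,ou=People,dc=example,dc=com"
BOB = "uid=bob,ou=People,dc=example,dc=com"
DIRECTORY = {   # constructed entries; bob is alice's manager
    ALICE: {"cn": ["Alice"], "userPassword": ["{SSHA}constructed"],
            "mail": ["alice@example.com"], "manager": [BOB]},
    BOB: {"cn": ["Bob"], "mail": ["bob@example.com"]},
}


def demo(policy_text=SPECIFIC + CATCHALL):
    p = parse_policy(policy_text)
    return {
        "anon_auth_pw": check(p, DIRECTORY, None, ALICE, "userPassword", "auth"),
        "anon_read_pw": check(p, DIRECTORY, None, ALICE, "userPassword", "read"),
        "user_read_pw": check(p, DIRECTORY, BOB, ALICE, "userPassword", "read"),
        "mgr_read_mail": check(p, DIRECTORY, BOB, ALICE, "mail", "read"),
        "mgr_write_mail": check(p, DIRECTORY, BOB, ALICE, "mail", "write"),
        "self_write_mail": check(p, DIRECTORY, ALICE, ALICE, "mail", "write"),
        "anon_read_mail": check(p, DIRECTORY, None, ALICE, "mail", "read"),  # no fall-through
        "user_read_cn": check(p, DIRECTORY, BOB, ALICE, "cn", "read"),       # via catch-all
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16} {'granted' if ok else 'DENIED'}")
    # Misordered: the catch-all now shadows the userPassword rule for any user.
    print("misordered user_read_pw:", demo(CATCHALL + SPECIFIC)["user_read_pw"])
```

Two results are worth dwelling on. anon_read_mail is denied although a later “access to * by users read” exists: the second directive matched the target, none of its by clauses matched an anonymous client, and slapd does not continue to the next directive. And demo(CATCHALL + SPECIFIC) grants user_read_pw: with the catch-all first, the userPassword directive is never reached, which is exactly the misordering the text warns about.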
The slapd.conf man page contains additional examples.