Chapter 4. Access Control

Table of Contents

OpenLDAP global access control
Syntax
Controlling access to entries
Controlling who accesses an entry
Controlling privileges
Procedures
iPlanet/SunONE ACIs
What are ACIs?
ACI syntax
Procedures
Targets
Permissions
Bind rules
Summary
Exercises

Abstract

At the end of this chapter, readers should have a basic understanding of the following subjects:

  • How to control access to the directory server.

  • Access control using slapd.conf directives.

  • Configuring ACIs for the LDAP server.

OpenLDAP global access control

Syntax

From the slapd.conf man page we get the most general description of an access control directive on a directory entry or a set of entries:

access to what [ by who type_of_access]

The default access mode is to grant read access for everybody:

access to dn="" by * read
access to *
        by self write
        by * write

We'll see in the next sections that there's a bit more to this.

Controlling access to entries

This is done in the what part of the access directive. Entries can be specified using either a regular expression matching the entry's distinguished name, or by applying a filter of the form:

filter=ldap_filter

The ldap_filter is a string representation of an LDAP search filter, see the section called “Examples”.

Attributes of an entry can be selected by including a comma-separated list of names:

attrs=attribute1,attribute2,...,attributeN

Access to the entry itself is controlled by the “entry” keyword. This should always be set if any attributes within an entry are targeted.

Targeting any entry is done using the * value in the “what” field. When no other selector is provided, this is used by default. It is the same as specifying "dn=.*".

Controlling who accesses an entry

The who selector can have the following values:

  • *: everyone

  • anonymous: non-authenticated users

  • users: authenticated users

  • self: the user associated with the entry

  • dn=regexp: those users matching the regular expression

The who directive can also be set using the “domain” directive:

domain=regexp

Another alternative is specifying access based on attributes belonging to an entry:

dnattr=attribute_name

Controlling privileges

The type_of_access directive specifies what users can do with the data. Any of the following values may occur:

  1. none

  2. auth

  3. compare

  4. search

  5. read

  6. write

Each permission includes all the lesser permissions, for instance giving search access is equal to giving bind (auth), compare and search permissions.

Procedures

General processing

Upon receiving a request, the slapd daemon compares the user's entry and/or attributes to the definitions in the configuration file. Configurations for the local database are examined first, then any global directives are processed.

Then, each directive is processed in the order in which it appears in the configuration file. The comparison stops at the first match.

In the second stage, the who selectors are examined, in the order in which they appear.

And last, the type of access is examined: if the configuration file holds a definition that is equal to or more than the requested permission, access is granted.

Since the order is important, more specific directives should precede more vague ones in the configuration file.

Implicit deny

If no “access to” directive is matched, or if, after passing the first test, no match for the “who” identifier is found, access is denied by default. Think of this as every “by who type_of_access” definition being ended implicitly by an additional “by * none” line, and every “access to” entry being closed with “to * by * none”.
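The processing rules above (first match on the “access to” directive, then first match on its “by” clauses, privilege ordering, and the implicit deny at both stages) as an added example that is not part of the chapter: a small Python model of slapd's evaluation, run over a constructed slapd.conf fragment. It supports only the * and dn=regexp selectors covered here and treats dn= as a regular expression, as the text does.

```python
import re

LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # each implies all lesser ones

# Constructed sample slapd.conf fragment (not from the chapter). The ou=Private
# directive grants self write only, so for any other bind DN it ends at the
# implicit "by * none" and never falls through to "access to *".
SAMPLE_CONF = """\
access to dn="" by * read
access to dn=".*,ou=Private,dc=example,dc=com"
        by self write
access to dn=".*,ou=People,dc=example,dc=com"
        by self write
        by users read
        by anonymous auth
access to *
        by * read
"""

def parse_acl(text):
    """Parse 'access to WHAT by WHO LEVEL [by WHO LEVEL ...]' statements into
    (WHAT, [(WHO, LEVEL), ...]) tuples; continuation lines are indented."""
    acls = []
    for stmt in re.split(r"\n(?=access to)", text.strip()):
        tokens = stmt.split()
        what, rest = tokens[2], tokens[3:]
        acls.append((what, [(rest[i + 1], rest[i + 2]) for i in range(0, len(rest), 3)]))
    return acls

def what_matches(what, target_dn):
    # WHAT is "*" (every entry) or dn=<regexp> matched against the whole target DN
    return what == "*" or re.fullmatch(what[3:].strip('"'), target_dn) is not None

def who_matches(who, bind_dn, target_dn):
    # WHO is *, anonymous, users, self or dn=<regexp> matched against the bind DN
    simple = {"*": True, "anonymous": bind_dn == "", "users": bind_dn != "",
              "self": bind_dn != "" and bind_dn == target_dn}
    return simple[who] if who in simple else \
        re.fullmatch(who[3:].strip('"'), bind_dn) is not None

def check_access(acls, bind_dn, target_dn, requested):
    # First matching 'access to' wins; inside it the first matching 'by' wins.
    for what, clauses in acls:
        if not what_matches(what, target_dn):
            continue
        for who, level in clauses:
            if who_matches(who, bind_dn, target_dn):
                return LEVELS.index(level) >= LEVELS.index(requested)
        return False   # 'access to' matched but no 'by' did: implicit "by * none"
    return False       # no 'access to' matched: implicit "to * by * none"
```

Note that bob is denied read on carol's ou=Private entry even though the later “access to * by * read” would grant it: evaluation stops at the first matching “access to” directive.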

The slapd.conf man page contains additional examples.