2002-06-13 11:59:10 +08:00
|
|
|
.TH SLAPD.ACCESS 5 "RELEASEDATE" "OpenLDAP LDVERSION"
|
2004-01-02 03:15:16 +08:00
|
|
|
.\" Copyright 1998-2004 The OpenLDAP Foundation All Rights Reserved.
|
2001-11-04 02:03:10 +08:00
|
|
|
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
|
|
|
|
.SH NAME
|
|
|
|
slapd.access \- access configuration for slapd, the stand-alone LDAP daemon
|
|
|
|
.SH SYNOPSIS
|
|
|
|
ETCDIR/slapd.conf
|
|
|
|
.SH DESCRIPTION
|
2001-11-04 05:53:44 +08:00
|
|
|
The
|
|
|
|
.BR slapd.conf (5)
|
|
|
|
file contains configuration information for the
|
2001-11-04 02:03:10 +08:00
|
|
|
.BR slapd (8)
|
|
|
|
daemon. This configuration file is also used by the
|
|
|
|
.BR slurpd (8)
|
|
|
|
replication daemon and by the SLAPD tools
|
|
|
|
.BR slapadd (8),
|
|
|
|
.BR slapcat (8),
|
|
|
|
and
|
|
|
|
.BR slapindex (8).
|
|
|
|
.LP
|
|
|
|
The
|
|
|
|
.B slapd.conf
|
|
|
|
file consists of a series of global configuration options that apply to
|
|
|
|
.B slapd
|
|
|
|
as a whole (including all backends), followed by zero or more database
|
|
|
|
backend definitions that contain information specific to a backend
|
|
|
|
instance.
|
|
|
|
.LP
|
|
|
|
The general format of
|
|
|
|
.B slapd.conf
|
|
|
|
is as follows:
|
|
|
|
.LP
|
|
|
|
.nf
|
|
|
|
# comment - these options apply to every database
|
|
|
|
<global configuration options>
|
|
|
|
# first database definition & configuration options
|
|
|
|
database <backend 1 type>
|
|
|
|
<configuration options specific to backend 1>
|
|
|
|
# subsequent database definitions & configuration options
|
|
|
|
...
|
|
|
|
.fi
|
|
|
|
.LP
|
2003-02-25 03:53:03 +08:00
|
|
|
Both the global configuration and each backend-specific section can
|
|
|
|
contain access information. Backend-specific access control
|
|
|
|
directives are used for those entries that belong to the backend,
|
|
|
|
according to their naming context. In case no access control
|
|
|
|
directives are defined for a backend or those which are defined are
|
|
|
|
not applicable, the directives from the global configuration section
|
|
|
|
are then used.
|
2001-11-04 02:03:10 +08:00
|
|
|
.LP
|
2003-02-25 03:53:03 +08:00
|
|
|
For entries not held in any backend (such as a root DSE), the
|
|
|
|
directives of the first backend (and any global directives) are
|
|
|
|
used.
|
|
|
|
.LP
|
|
|
|
Arguments that should be replaced by actual text are shown in
|
2003-12-16 01:55:55 +08:00
|
|
|
brackets <>.
|
|
|
|
.SH THE ACCESS DIRECTIVE
|
|
|
|
The structure of the access control directives is
|
2001-11-04 02:03:10 +08:00
|
|
|
.TP
|
2002-05-02 00:38:30 +08:00
|
|
|
.B access to <what> "[ by <who> <access> [ <control> ] ]+"
|
2001-11-04 02:03:10 +08:00
|
|
|
Grant access (specified by
|
|
|
|
.BR <access> )
|
|
|
|
to a set of entries and/or attributes (specified by
|
|
|
|
.BR <what> )
|
|
|
|
by one or more requestors (specified by
|
|
|
|
.BR <who> ).
|
2003-12-16 01:55:55 +08:00
|
|
|
.SH THE <WHAT> FIELD
|
2001-11-04 02:03:10 +08:00
|
|
|
The field
|
|
|
|
.BR <what>
|
|
|
|
specifies the entity the access control directive applies to.
|
|
|
|
It can have the forms
|
|
|
|
.LP
|
|
|
|
.nf
|
|
|
|
*
|
2003-05-30 13:24:39 +08:00
|
|
|
[dn[.<dnstyle>]=<DN>]
|
2001-11-04 02:03:10 +08:00
|
|
|
[filter=<ldapfilter>]
|
2003-12-16 08:49:10 +08:00
|
|
|
[attrs=<attrlist>[ val[.<style>]=<attrval>]]
|
2001-11-04 02:03:10 +08:00
|
|
|
.fi
|
|
|
|
.LP
|
|
|
|
The wildcard
|
|
|
|
.B *
|
|
|
|
stands for all the entries.
|
|
|
|
.LP
|
|
|
|
The statement
|
2003-05-30 13:24:39 +08:00
|
|
|
.B dn=<DN>
|
2001-11-04 02:03:10 +08:00
|
|
|
selects the entries based on their naming context.
|
2003-05-30 13:24:39 +08:00
|
|
|
The pattern is a string representation of the entry's DN.
|
|
|
|
.BR base ,
|
|
|
|
the default,
|
2001-11-04 02:03:10 +08:00
|
|
|
or
|
|
|
|
.B exact
|
|
|
|
(an alias of
|
|
|
|
.BR base )
|
2003-12-20 23:29:05 +08:00
|
|
|
indicates the entry whose DN is equal to the pattern;
|
2001-11-04 02:03:10 +08:00
|
|
|
.B one
|
2003-12-20 23:29:05 +08:00
|
|
|
(synonym of
|
|
|
|
.BR onelevel )
|
2003-04-08 05:42:51 +08:00
|
|
|
indicates all the entries immediately below the
|
2001-11-04 02:03:10 +08:00
|
|
|
.BR pattern ,
|
2003-12-20 23:29:05 +08:00
|
|
|
.B sub
|
|
|
|
(synonym of
|
|
|
|
.BR subtree )
|
2003-04-08 05:42:51 +08:00
|
|
|
indicates all entries in the subtree at the pattern,
|
2001-11-04 02:03:10 +08:00
|
|
|
.B children
|
2003-04-08 05:42:51 +08:00
|
|
|
indicates all the entries below (subordinate to) the pattern.
|
2003-05-30 13:24:39 +08:00
|
|
|
.LP
|
|
|
|
If the
|
|
|
|
.B <dnstyle>
|
|
|
|
qualifier is
|
|
|
|
.BR regex ,
|
|
|
|
then the value is a regular expression pattern,
|
|
|
|
as detailed in
|
|
|
|
.BR regex (7),
|
|
|
|
matching a normalized string representation of the entry's DN.
|
|
|
|
The regex form of the pattern does not (yet) support UTF-8.
|
2001-11-04 02:03:10 +08:00
|
|
|
.LP
|
|
|
|
The statement
|
|
|
|
.B filter=<ldapfilter>
|
|
|
|
selects the entries based on a valid LDAP filter as described in RFC 2254.
|
|
|
|
.LP
|
|
|
|
The statement
|
|
|
|
.B attrs=<attrlist>
|
|
|
|
selects the attributes the access control rule applies to.
|
|
|
|
It is a comma-separated list of attribute types, plus the special names
|
|
|
|
.BR entry ,
|
|
|
|
indicating access to the entry itself, and
|
|
|
|
.BR children ,
|
2002-01-10 18:02:51 +08:00
|
|
|
indicating access to the entry's children. ObjectClass names may also
|
|
|
|
be specified in this list, which will affect all the attributes that
|
|
|
|
are required and/or allowed by that objectClass.
|
2003-12-16 08:49:10 +08:00
|
|
|
Actually, names in
|
|
|
|
.B <attrlist>
|
|
|
|
that are prefixed by
|
2003-12-18 01:36:41 +08:00
|
|
|
.B @
|
2003-12-18 01:48:56 +08:00
|
|
|
are directly treated as objectClass names. A name prefixed by
|
2003-12-16 08:49:10 +08:00
|
|
|
.B !
|
|
|
|
is also treated as an objectClass, but in this case the access rule
|
|
|
|
affects the attributes that are not required nor allowed
|
|
|
|
by that objectClass.
|
2001-11-04 02:03:10 +08:00
|
|
|
.LP
|
2003-09-21 18:34:40 +08:00
|
|
|
Using the form
|
|
|
|
.B attrs=<attr> val[.<style>]=<value>
|
|
|
|
specifies access to a particular value of a single attribute.
|
|
|
|
In this case, only a single attribute type may be given. A value
|
|
|
|
.B <style>
|
|
|
|
of
|
|
|
|
.B exact
|
|
|
|
(the default) uses the attribute's equality matching rule to compare the
|
2003-12-16 08:49:10 +08:00
|
|
|
value. If the value
|
2003-09-21 18:34:40 +08:00
|
|
|
.B <style>
|
|
|
|
is
|
|
|
|
.BR regex ,
|
|
|
|
the provided value is used as a regular expression pattern.
|
2003-12-16 08:49:10 +08:00
|
|
|
If the attribute has DN syntax, the value
|
|
|
|
.B <style>
|
|
|
|
can be any of
|
|
|
|
.BR base ,
|
|
|
|
.BR onelevel ,
|
|
|
|
.B subtree
|
|
|
|
or
|
|
|
|
.BR children ,
|
|
|
|
resulting in base, onelevel, subtree or children match, respectively.
|
2003-09-21 18:34:40 +08:00
|
|
|
.LP
|
|
|
|
The dn, filter, and attrs statements are additive; they can be used in sequence
|
2001-11-04 02:03:10 +08:00
|
|
|
to select entities the access rule applies to based on naming context,
|
|
|
|
value and attribute type simultaneously.
|
2003-12-16 01:55:55 +08:00
|
|
|
.SH THE <WHO> FIELD
|
2001-11-04 02:03:10 +08:00
|
|
|
The field
|
|
|
|
.B <who>
|
|
|
|
indicates whom the access rules apply to.
|
|
|
|
Multiple
|
|
|
|
.B <who>
|
|
|
|
statements can appear in an access control statement, indicating the
|
|
|
|
different access privileges to the same resource that apply to different
|
|
|
|
accessee.
|
|
|
|
It can have the forms
|
|
|
|
.LP
|
|
|
|
.nf
|
|
|
|
*
|
|
|
|
anonymous
|
|
|
|
users
|
|
|
|
self
|
|
|
|
|
2003-05-30 13:24:39 +08:00
|
|
|
dn[.<dnstyle>[,<modifier>]]=<DN>
|
2001-11-04 02:03:10 +08:00
|
|
|
dnattr=<attrname>
|
|
|
|
group[/<objectclass>[/<attrname>]]
|
2004-03-10 00:33:05 +08:00
|
|
|
[.<groupstyle>]=<group>
|
2004-01-15 07:11:48 +08:00
|
|
|
peername[.<peernamestyle>]=<peername>
|
2003-05-30 13:24:39 +08:00
|
|
|
sockname[.<style>]=<sockname>
|
|
|
|
domain[.<domainstyle>[,<modifier>]]=<domain>
|
|
|
|
sockurl[.<style>]=<sockurl>
|
2001-11-04 02:03:10 +08:00
|
|
|
set[.<style>]=<pattern>
|
|
|
|
|
2001-11-04 05:53:44 +08:00
|
|
|
ssf=<n>
|
|
|
|
transport_ssf=<n>
|
|
|
|
tls_ssf=<n>
|
|
|
|
sasl_ssf=<n>
|
|
|
|
|
2001-11-04 02:03:10 +08:00
|
|
|
aci=<attrname>
|
|
|
|
.fi
|
|
|
|
.LP
|
2004-01-15 07:11:48 +08:00
|
|
|
with
|
|
|
|
.LP
|
|
|
|
.nf
|
|
|
|
<dnstyle>={{exact|base}|regex|sub(tree)|one(level)|children}
|
2004-03-10 00:33:05 +08:00
|
|
|
<groupstyle>={exact|expand}
|
2004-01-15 07:11:48 +08:00
|
|
|
<style>={exact|regex}
|
|
|
|
<peernamestyle>={exact|regex|ip|path}
|
|
|
|
<domainstyle>={exact|regex|sub(tree)}
|
|
|
|
<modifier>={expand}
|
|
|
|
.fi
|
|
|
|
.LP
|
2001-11-04 05:53:44 +08:00
|
|
|
They may be specified in combination.
|
2001-11-04 02:03:10 +08:00
|
|
|
.LP
|
|
|
|
.nf
|
|
|
|
.fi
|
|
|
|
.LP
|
|
|
|
The wildcard
|
|
|
|
.B *
|
|
|
|
refers to everybody.
|
|
|
|
.LP
|
|
|
|
The keyword
|
|
|
|
.B anonymous
|
2003-04-15 10:20:01 +08:00
|
|
|
means access is granted to unauthenticated clients; it is mostly used
|
2001-11-04 02:03:10 +08:00
|
|
|
to limit access to authentication resources (e.g. the
|
|
|
|
.B userPassword
|
2003-04-15 10:20:01 +08:00
|
|
|
attribute) to unauthenticated clients for authentication purposes.
|
2001-11-04 02:03:10 +08:00
|
|
|
.LP
|
|
|
|
The keyword
|
|
|
|
.B users
|
2003-04-15 10:20:01 +08:00
|
|
|
means access is granted to authenticated clients.
|
2001-11-04 02:03:10 +08:00
|
|
|
.LP
|
|
|
|
The keyword
|
|
|
|
.B self
|
|
|
|
means access to an entry is allowed to the entry itself (e.g. the entry
|
|
|
|
being accessed and the requesting entry must be the same).
|
|
|
|
.LP
|
|
|
|
The statement
|
2003-05-30 13:24:39 +08:00
|
|
|
.B dn=<DN>
|
2003-02-24 03:38:32 +08:00
|
|
|
means that access is granted to the matching DN.
|
|
|
|
The optional style qualifier
|
2001-11-04 02:03:10 +08:00
|
|
|
.B dnstyle
|
|
|
|
allows the same choices of the dn form of the
|
|
|
|
.B <what>
|
2003-02-24 03:38:32 +08:00
|
|
|
field. In addition, the
|
2001-11-04 02:03:10 +08:00
|
|
|
.B regex
|
2003-05-30 13:24:39 +08:00
|
|
|
style can exploit substring substitution of submatches in the
|
2001-11-04 02:03:10 +08:00
|
|
|
.B <what>
|
2003-02-24 03:38:32 +08:00
|
|
|
dn.regex clause by using the form
|
2001-11-04 02:03:10 +08:00
|
|
|
.BR $<digit> ,
|
|
|
|
with
|
|
|
|
.B digit
|
|
|
|
ranging from 1 to 9.
|
2003-11-01 22:14:09 +08:00
|
|
|
The style qualifier
|
|
|
|
allows an optional
|
|
|
|
.BR modifier .
|
|
|
|
At present, the only type allowed is
|
|
|
|
.BR expand ,
|
|
|
|
which causes substring substitution of submatches to take place
|
|
|
|
even if
|
|
|
|
.B dnstyle
|
|
|
|
is not
|
|
|
|
.BR regex .
|
2004-01-15 07:11:48 +08:00
|
|
|
It is perfectly useless to give any access privileges to a DN
|
|
|
|
that exactly matches the
|
|
|
|
.B rootdn
|
|
|
|
of the database the ACLs apply to, because it implicitly
|
|
|
|
possesses write privileges for the entire tree of that database.
|
2001-11-04 02:03:10 +08:00
|
|
|
.LP
|
|
|
|
The statement
|
|
|
|
.B dnattr=<attrname>
|
2003-02-24 03:38:32 +08:00
|
|
|
means that access is granted to requests whose DN is listed in the
|
2001-11-04 02:03:10 +08:00
|
|
|
entry being accessed under the
|
2003-09-21 18:45:57 +08:00
|
|
|
.B <attrname>
|
2001-11-04 02:03:10 +08:00
|
|
|
attribute.
|
|
|
|
.LP
|
|
|
|
The statement
|
2003-05-30 13:24:39 +08:00
|
|
|
.B group=<group>
|
2003-02-24 03:38:32 +08:00
|
|
|
means that access is granted to requests whose DN is listed
|
|
|
|
in the group entry whose DN is given by
|
2003-09-21 18:45:57 +08:00
|
|
|
.BR <group> .
|
2001-11-04 02:03:10 +08:00
|
|
|
The optional parameters
|
2003-09-21 18:45:57 +08:00
|
|
|
.B <objectclass>
|
2001-11-04 02:03:10 +08:00
|
|
|
and
|
2003-09-21 18:45:57 +08:00
|
|
|
.B <attrname>
|
2001-11-04 02:03:10 +08:00
|
|
|
define the objectClass and the member attributeType of the group entry.
|
2003-02-24 03:38:32 +08:00
|
|
|
The optional style qualifier
|
2003-09-21 18:45:57 +08:00
|
|
|
.B <style>
|
2001-11-04 02:03:10 +08:00
|
|
|
can be
|
2004-03-10 00:33:05 +08:00
|
|
|
.BR expand ,
|
2001-11-04 02:03:10 +08:00
|
|
|
which means that
|
2003-09-21 18:45:57 +08:00
|
|
|
.B <group>
|
2003-10-15 16:04:25 +08:00
|
|
|
will be expanded as a replacement string (but not as a regular expression)
|
|
|
|
according to regex (7), and
|
2004-03-10 00:33:05 +08:00
|
|
|
.BR exact ,
|
2003-02-24 03:38:32 +08:00
|
|
|
which means that exact match will be used.
|
2001-11-04 02:03:10 +08:00
|
|
|
.LP
|
2003-09-21 18:45:57 +08:00
|
|
|
For static groups, the specified attributeType must have
|
|
|
|
.B DistinguishedName
|
|
|
|
or
|
|
|
|
.B NameAndOptionalUID
|
|
|
|
syntax. For dynamic groups the attributeType must
|
|
|
|
be a subtype of the
|
|
|
|
.B labeledURI
|
2003-09-21 18:52:44 +08:00
|
|
|
attributeType. Only LDAP URIs of the form
|
|
|
|
.B ldap:///<base>??<scope>?<filter>
|
2004-03-10 00:33:05 +08:00
|
|
|
will be evaluated in a dynamic group, by searching the local server only.
|
2003-09-21 18:45:57 +08:00
|
|
|
.LP
|
2001-11-04 02:03:10 +08:00
|
|
|
The statements
|
2003-05-30 13:24:39 +08:00
|
|
|
.BR peername=<peername> ,
|
|
|
|
.BR sockname=<sockname> ,
|
|
|
|
.BR domain=<domain> ,
|
2001-11-04 02:03:10 +08:00
|
|
|
and
|
2003-05-30 13:24:39 +08:00
|
|
|
.BR sockurl=<sockurl>
|
2004-01-15 07:11:48 +08:00
|
|
|
mean that the contacting host IP (in the form
|
|
|
|
.BR "IP=<ip>:<port>" )
|
|
|
|
or the contacting host named pipe file name (in the form
|
|
|
|
.B "PATH=<path>"
|
|
|
|
if connecting through a named pipe) for
|
2001-11-04 02:03:10 +08:00
|
|
|
.BR peername ,
|
|
|
|
the named pipe file name for
|
|
|
|
.BR sockname ,
|
|
|
|
the contacting host name for
|
|
|
|
.BR domain ,
|
|
|
|
and the contacting URL for
|
|
|
|
.BR sockurl
|
|
|
|
are compared against
|
|
|
|
.B pattern
|
|
|
|
to determine access.
|
|
|
|
The same
|
|
|
|
.B style
|
|
|
|
rules for pattern match described for the
|
|
|
|
.B group
|
2002-04-08 17:43:22 +08:00
|
|
|
case apply.
|
|
|
|
The
|
2004-01-15 07:11:48 +08:00
|
|
|
.B exact
|
|
|
|
style of the
|
|
|
|
.BR peername
|
|
|
|
clause (the default) implies a case-exact match on the client's
|
|
|
|
.BR IP ,
|
|
|
|
including the
|
|
|
|
.B "IP="
|
|
|
|
prefix and the trailing
|
|
|
|
.BR ":<port>" ,
|
|
|
|
or the client's
|
|
|
|
.BR path ,
|
|
|
|
including the
|
|
|
|
.B "PATH="
|
|
|
|
prefix if connecting through a named pipe.
|
|
|
|
The special
|
|
|
|
.B ip
|
|
|
|
style interprets the pattern as
|
|
|
|
.BR <peername>=<ip>[%<mask>][{<n>}] ,
|
|
|
|
where
|
|
|
|
.B <ip>
|
|
|
|
and
|
|
|
|
.B <mask>
|
|
|
|
are dotted digit representations of the IP and the mask, while
|
|
|
|
.BR <n> ,
|
|
|
|
delimited by curly brackets, is an optional port.
|
|
|
|
When checking access privileges, the IP portion of the
|
|
|
|
.BR peername
|
|
|
|
is extracted, eliminating the
|
|
|
|
.B "IP="
|
|
|
|
prefix and the
|
|
|
|
.B ":<port>"
|
|
|
|
part, and it is compared against the
|
|
|
|
.B <ip>
|
|
|
|
portion of the pattern after masking with
|
|
|
|
.BR <mask> .
|
|
|
|
As an example,
|
|
|
|
.B peername.ip=127.0.0.1
|
|
|
|
alows connections only from localhost,
|
|
|
|
.B peername.ip=192.168.1.0%255.255.255.0
|
|
|
|
allows connections from any IP in the 192.168.1 class C domain, and
|
|
|
|
.B peername.ip=192.168.1.16%255.255.255.240{9009}
|
|
|
|
allows connections from any IP in the 192.168.1.[16-31] range
|
|
|
|
of the same domain, only if port 9009 is used.
|
|
|
|
The special
|
|
|
|
.B path
|
|
|
|
style eliminates the
|
|
|
|
.B "PATH="
|
|
|
|
prefix from the
|
|
|
|
.B peername
|
|
|
|
when connecting through a named pipe, and performs an exact match
|
|
|
|
on the given pattern.
|
|
|
|
The
|
2002-04-08 17:43:22 +08:00
|
|
|
.BR domain
|
|
|
|
clause also allows the
|
|
|
|
.B subtree
|
|
|
|
style, which succeeds when a fully qualified name exactly matches the
|
|
|
|
.BR domain
|
|
|
|
pattern, or its trailing part, after a
|
|
|
|
.BR dot ,
|
|
|
|
exactly matches the
|
|
|
|
.BR domain
|
|
|
|
pattern.
|
2004-01-15 07:11:48 +08:00
|
|
|
As an example,
|
|
|
|
.B domain.subtree=example.com
|
|
|
|
will match www.example.com, but will not match www.anotherexample.com.
|
2003-02-08 15:40:19 +08:00
|
|
|
The
|
|
|
|
.B domain
|
|
|
|
of the contacting host is determined by performing a DNS reverse lookup.
|
|
|
|
As this lookup can easily be spoofed, use of the
|
|
|
|
.B domain
|
|
|
|
statement is strongly discouraged. By default, reverse lookups are disabled.
|
2003-11-01 22:14:09 +08:00
|
|
|
The optional
|
|
|
|
.B domainstyle
|
|
|
|
qualifier of the
|
|
|
|
.B domain
|
|
|
|
clause allows a
|
|
|
|
.B modifier
|
|
|
|
option; the only value currently supported is
|
|
|
|
.BR expand ,
|
|
|
|
which causes substring substitution of submatches to take place even if
|
|
|
|
the
|
|
|
|
.B domainstyle
|
|
|
|
is not
|
|
|
|
.BR regex ,
|
|
|
|
much like the analogous usage in
|
|
|
|
.B dn
|
|
|
|
clause.
|
2001-11-04 02:03:10 +08:00
|
|
|
.LP
|
|
|
|
The statement
|
|
|
|
.B set=<pattern>
|
|
|
|
is undocumented yet.
|
|
|
|
.LP
|
|
|
|
The statement
|
|
|
|
.B aci=<attrname>
|
|
|
|
means that the access control is determined by the values in the
|
|
|
|
.B attrname
|
|
|
|
of the entry itself.
|
|
|
|
ACIs are experimental; they must be enabled at compile time.
|
|
|
|
.LP
|
2001-11-04 05:53:44 +08:00
|
|
|
The statements
|
2001-11-04 02:03:10 +08:00
|
|
|
.BR ssf=<n> ,
|
|
|
|
.BR transport_ssf=<n> ,
|
|
|
|
.BR tls_ssf=<n> ,
|
|
|
|
and
|
|
|
|
.BR sasl_ssf=<n>
|
2001-11-04 05:53:44 +08:00
|
|
|
set the required Security Strength Factor (ssf) required to grant access.
|
2003-12-16 01:55:55 +08:00
|
|
|
.SH THE <ACCESS> FIELD
|
2001-11-04 02:03:10 +08:00
|
|
|
The field
|
|
|
|
.B <access> ::= [self]{<level>|<priv>}
|
|
|
|
determines the access level or the specific access privileges the
|
|
|
|
.B who
|
|
|
|
field will have.
|
|
|
|
Its component are defined as
|
|
|
|
.LP
|
|
|
|
.nf
|
|
|
|
<level> ::= none|auth|compare|search|read|write
|
2003-12-19 13:06:51 +08:00
|
|
|
<priv> ::= {=|+|-}{w|r|s|c|x|0}+
|
2001-11-04 02:03:10 +08:00
|
|
|
.fi
|
|
|
|
.LP
|
|
|
|
The modifier
|
|
|
|
.B self
|
|
|
|
allows special operations like having a certain access level or privilege
|
|
|
|
only in case the operation involves the name of the user that's requesting
|
|
|
|
the access.
|
|
|
|
It implies the user that requests access is bound.
|
|
|
|
An example is the
|
2001-11-04 05:53:44 +08:00
|
|
|
.B selfwrite
|
2001-11-04 02:03:10 +08:00
|
|
|
access to the member attribute of a group, which allows one to add/delete
|
|
|
|
its own DN from the member list of a group, without affecting other members.
|
|
|
|
.LP
|
|
|
|
The
|
|
|
|
.B level
|
|
|
|
access model relies on an incremental interpretation of the access
|
|
|
|
privileges.
|
|
|
|
The possible levels are
|
|
|
|
.BR none ,
|
|
|
|
.BR auth ,
|
|
|
|
.BR compare ,
|
|
|
|
.BR search ,
|
|
|
|
.BR read ,
|
|
|
|
and
|
|
|
|
.BR write .
|
|
|
|
Each access level implies all the preceding ones, thus
|
|
|
|
.B write
|
|
|
|
access will imply all accesses.
|
|
|
|
While
|
|
|
|
.B none
|
|
|
|
is trivial,
|
|
|
|
.B auth
|
|
|
|
access means that one is allowed access to an attribute to perform
|
2001-11-04 05:53:44 +08:00
|
|
|
authentication/authorization operations (e.g.
|
2001-11-04 02:03:10 +08:00
|
|
|
.BR bind )
|
|
|
|
with no other access.
|
2003-04-15 10:20:01 +08:00
|
|
|
This is useful to grant unauthenticated clients the least possible
|
2001-11-04 02:03:10 +08:00
|
|
|
access level to critical resources, like passwords.
|
|
|
|
.LP
|
|
|
|
The
|
|
|
|
.B priv
|
|
|
|
access model relies on the explicit setting of access privileges
|
|
|
|
for each clause.
|
|
|
|
The
|
|
|
|
.B =
|
|
|
|
sign resets previously defined accesses; as a consequence, the final
|
|
|
|
access privileges will be only those defined by the clause.
|
|
|
|
The
|
|
|
|
.B +
|
|
|
|
and
|
|
|
|
.B -
|
|
|
|
signs add/remove access privileges to the existing ones.
|
|
|
|
The privileges are
|
|
|
|
.B w
|
|
|
|
for write,
|
|
|
|
.B r
|
|
|
|
for read,
|
|
|
|
.B s
|
|
|
|
for search,
|
|
|
|
.B c
|
|
|
|
for compare, and
|
|
|
|
.B x
|
|
|
|
for authentication.
|
2003-12-19 13:06:51 +08:00
|
|
|
More than one of the above privileges can be added in one statement.
|
|
|
|
.B 0
|
|
|
|
indicates no privileges and is used only by itself (e.g., +0).
|
2001-11-04 02:03:10 +08:00
|
|
|
.LP
|
|
|
|
The optional field
|
|
|
|
.B <control>
|
|
|
|
controls the flow of access rule application.
|
|
|
|
It can have the forms
|
|
|
|
.LP
|
|
|
|
.nf
|
|
|
|
stop
|
|
|
|
continue
|
|
|
|
break
|
|
|
|
.fi
|
|
|
|
.LP
|
|
|
|
where
|
|
|
|
.BR stop ,
|
|
|
|
the default, means access checking stops in case of match.
|
|
|
|
The other two forms are used to keep on processing access clauses.
|
|
|
|
In detail, the
|
|
|
|
.B continue
|
|
|
|
form allows for other
|
|
|
|
.B <who>
|
|
|
|
clauses in the same
|
|
|
|
.B <access>
|
|
|
|
clause to be considered, so that they may result in incrementally altering
|
|
|
|
the privileges, while the
|
|
|
|
.B break
|
|
|
|
form allows for other
|
|
|
|
.B <access>
|
|
|
|
clauses that match the same target to be processed.
|
|
|
|
Consider the (silly) example
|
|
|
|
.LP
|
|
|
|
.nf
|
|
|
|
access to dn.subtree="dc=example,dc=com" attrs=cn
|
|
|
|
by * =cs break
|
|
|
|
|
|
|
|
access to dn.subtree="ou=People,dc=example,dc=com"
|
|
|
|
by * +r
|
|
|
|
.fi
|
|
|
|
.LP
|
|
|
|
which allows search and compare privileges to everybody under
|
2002-04-13 23:07:40 +08:00
|
|
|
the "dc=example,dc=com" tree, with the second rule allowing
|
2001-11-04 02:03:10 +08:00
|
|
|
also read in the "ou=People" subtree,
|
|
|
|
or the (even more silly) example
|
|
|
|
.LP
|
|
|
|
.nf
|
|
|
|
access to dn.subtree="dc=example,dc=com" attrs=cn
|
|
|
|
by * =cs continue
|
|
|
|
by users +r
|
|
|
|
.fi
|
|
|
|
.LP
|
|
|
|
which grants everybody search and compare privileges, and adds read
|
2003-04-15 10:20:01 +08:00
|
|
|
privileges to authenticated clients.
|
2003-12-16 01:55:55 +08:00
|
|
|
.SH OPERATION REQUIREMENTS
|
|
|
|
Operations require different privileges on different portions of entries.
|
2003-12-16 02:41:23 +08:00
|
|
|
The following summary applies to primary database backends such as
|
|
|
|
the LDBM, BDB, and HDB backends. Requirements for other backends may
|
|
|
|
(and often do) differ.
|
|
|
|
.LP
|
2003-12-16 01:55:55 +08:00
|
|
|
The
|
|
|
|
.B add
|
2003-12-16 02:41:23 +08:00
|
|
|
operation requires
|
|
|
|
.B write (=w)
|
|
|
|
privileges on the pseudo-attribute
|
2003-12-16 01:55:55 +08:00
|
|
|
.B entry
|
|
|
|
of the entry being added, and
|
2003-12-16 02:41:23 +08:00
|
|
|
.B write (=w)
|
|
|
|
privileges on the pseudo-attribute
|
2003-12-16 01:55:55 +08:00
|
|
|
.B children
|
|
|
|
of the entry's parent.
|
2003-12-16 02:41:23 +08:00
|
|
|
.LP
|
2003-12-16 01:55:55 +08:00
|
|
|
The
|
|
|
|
.B bind
|
|
|
|
operation, when credentials are stored in the directory, requires
|
2003-12-16 02:41:23 +08:00
|
|
|
.B auth (=x)
|
2003-12-16 01:55:55 +08:00
|
|
|
privileges on the attribute the credentials are stored in (usually
|
|
|
|
.BR userPassword ).
|
2003-12-16 02:41:23 +08:00
|
|
|
.LP
|
2003-12-16 01:55:55 +08:00
|
|
|
The
|
|
|
|
.B compare
|
|
|
|
operation requires
|
2003-12-16 02:41:23 +08:00
|
|
|
.B compare (=c)
|
2003-12-16 01:55:55 +08:00
|
|
|
privileges on the attribute that is being compared.
|
2003-12-16 02:41:23 +08:00
|
|
|
.LP
|
2003-12-16 01:55:55 +08:00
|
|
|
The
|
|
|
|
.B delete
|
|
|
|
operation requires
|
2003-12-16 02:41:23 +08:00
|
|
|
.B write (=w)
|
|
|
|
privileges on the pseudo-attribute
|
2003-12-16 01:55:55 +08:00
|
|
|
.B entry
|
|
|
|
of the entry being deleted, and
|
2003-12-16 02:41:23 +08:00
|
|
|
.B write (=w)
|
2003-12-16 01:55:55 +08:00
|
|
|
privileges on the
|
|
|
|
.B children
|
2003-12-16 02:41:23 +08:00
|
|
|
pseudo-attribute of the entry's parent.
|
|
|
|
.LP
|
2003-12-16 01:55:55 +08:00
|
|
|
The
|
|
|
|
.B modify
|
|
|
|
operation requires
|
2003-12-16 02:41:23 +08:00
|
|
|
.B write (=w)
|
2003-12-16 01:55:55 +08:00
|
|
|
privileges on the attibutes being modified.
|
2003-12-16 02:41:23 +08:00
|
|
|
.LP
|
2003-12-16 01:55:55 +08:00
|
|
|
The
|
|
|
|
.B modrdn
|
|
|
|
operation requires
|
2003-12-16 02:41:23 +08:00
|
|
|
.B write (=w)
|
|
|
|
privileges on the pseudo-attribute
|
2003-12-16 01:55:55 +08:00
|
|
|
.B entry
|
|
|
|
of the entry whose relative DN is being modified,
|
2003-12-16 02:41:23 +08:00
|
|
|
.B write (=w)
|
|
|
|
privileges on the pseudo-attribute
|
2003-12-16 01:55:55 +08:00
|
|
|
.B children
|
|
|
|
of the old and new entry's parents, and
|
2003-12-16 02:41:23 +08:00
|
|
|
.B write (=w)
|
2003-12-16 01:55:55 +08:00
|
|
|
privileges on the attributes that are present in the new relative DN.
|
2003-12-16 02:41:23 +08:00
|
|
|
.B Write (=w)
|
2003-12-16 01:55:55 +08:00
|
|
|
privileges are also required on the attributes that are present
|
|
|
|
in the old relative DN if
|
|
|
|
.B deleteoldrdn
|
|
|
|
is set to 1.
|
2003-12-16 02:41:23 +08:00
|
|
|
.LP
|
2003-12-16 01:55:55 +08:00
|
|
|
The
|
|
|
|
.B search
|
|
|
|
operation, for each entry, requires
|
2003-12-16 02:41:23 +08:00
|
|
|
.B search (=s)
|
2003-12-16 01:55:55 +08:00
|
|
|
privileges on the attributes that are defined in the filter.
|
|
|
|
Then, the resulting entries are tested for
|
2003-12-16 02:41:23 +08:00
|
|
|
.B read (=r)
|
|
|
|
privileges on the pseudo-attribute
|
2003-12-16 01:55:55 +08:00
|
|
|
.B entry
|
2003-12-16 02:41:23 +08:00
|
|
|
(for read access to the entry itself)
|
2003-12-16 01:55:55 +08:00
|
|
|
and for
|
2003-12-16 02:41:23 +08:00
|
|
|
.B read (=r)
|
2003-12-16 01:55:55 +08:00
|
|
|
access on each value of each attribute that is requested.
|
2003-12-16 02:41:23 +08:00
|
|
|
Also, for each
|
|
|
|
.B referral
|
|
|
|
object used in generating continuation references, the operation requires
|
|
|
|
.B read (=r)
|
|
|
|
access on the pseudo-attribute
|
|
|
|
.B entry
|
|
|
|
(for read access to the referral object itself),
|
|
|
|
as well as
|
|
|
|
.B read (=r)
|
|
|
|
access to the attribute holding the referral information
|
|
|
|
(generally the
|
|
|
|
.B ref
|
|
|
|
attribute).
|
2003-12-18 08:27:01 +08:00
|
|
|
.LP
|
|
|
|
Some
|
|
|
|
.B controls
|
|
|
|
require specific access privileges.
|
|
|
|
The
|
|
|
|
.B proxyAuthz
|
|
|
|
control requires
|
|
|
|
.B auth (=x)
|
|
|
|
privileges on all the attributes that are present in the search filter
|
|
|
|
of the URI regexp maps (the right-hand side of the
|
|
|
|
.B sasl-regexp
|
|
|
|
directives).
|
|
|
|
It also requires
|
|
|
|
.B auth (=x)
|
|
|
|
privileges on the
|
|
|
|
.B saslAuthzTo
|
|
|
|
attribute of the authorizing identity and/or on the
|
|
|
|
.B saslAuthzFrom
|
|
|
|
attribute of the authorized identity.
|
2003-05-17 20:39:10 +08:00
|
|
|
.SH CAVEATS
|
|
|
|
It is strongly recommended to explicitly use the most appropriate
|
2003-12-16 19:20:59 +08:00
|
|
|
.BR <dnstyle> ,
|
2003-05-30 13:24:39 +08:00
|
|
|
to avoid possible incorrect specifications of the access rules as well
|
|
|
|
as for performance (avoid unrequired regex matching when an exact
|
|
|
|
match suffices) reasons.
|
2003-05-18 02:37:40 +08:00
|
|
|
.LP
|
2004-01-15 07:11:48 +08:00
|
|
|
An administrator might create a rule of the form:
|
2003-05-17 20:39:10 +08:00
|
|
|
.LP
|
|
|
|
.nf
|
2003-05-30 13:24:39 +08:00
|
|
|
access to dn.regex="dc=example,dc=com"
|
2003-05-17 20:39:10 +08:00
|
|
|
by ...
|
|
|
|
.fi
|
|
|
|
.LP
|
2003-05-18 02:37:40 +08:00
|
|
|
expecting it to match all entries in the subtree "dc=example,dc=com".
|
|
|
|
However, this rule actually matches any DN which contains anywhere
|
|
|
|
the substring "dc=example,dc=com". That is, the rule matches both
|
|
|
|
"uid=joe,dc=example,dc=com" and "dc=example,dc=com,uid=joe".
|
2003-05-17 20:39:10 +08:00
|
|
|
.LP
|
2003-05-18 02:37:40 +08:00
|
|
|
To match the desired subtree, the rule would be more precisely
|
|
|
|
written:
|
2003-05-17 20:39:10 +08:00
|
|
|
.LP
|
|
|
|
.nf
|
2003-05-18 02:37:40 +08:00
|
|
|
access to dn.regex="^(.+,)?dc=example,dc=com$$"
|
|
|
|
by ...
|
2003-05-17 20:39:10 +08:00
|
|
|
.fi
|
|
|
|
.LP
|
2003-05-18 02:37:40 +08:00
|
|
|
For performance reasons, it would be better to use the subtree style.
|
2003-05-17 20:39:10 +08:00
|
|
|
.LP
|
|
|
|
.nf
|
2003-05-30 13:24:39 +08:00
|
|
|
access to dn.subtree="dc=example,dc=com"
|
|
|
|
by ...
|
2003-05-17 20:39:10 +08:00
|
|
|
.fi
|
|
|
|
.LP
|
2003-12-16 19:20:59 +08:00
|
|
|
When writing submatch rules, it may be convenient to avoid unnecessary
|
|
|
|
.B regex
|
|
|
|
.B <dnstyle>
|
|
|
|
use; for instance, to allow access to the subtree of the user
|
|
|
|
that matches the
|
|
|
|
.B what
|
|
|
|
clause, one could use
|
|
|
|
.LP
|
|
|
|
.nf
|
|
|
|
access to dn.regex="^(.+,)?uid=([^,]+),dc=example,dc=com$$"
|
|
|
|
by dn.regex="^uid=$1,dc=example,dc=com$$" write
|
|
|
|
by ...
|
|
|
|
.fi
|
|
|
|
.LP
|
|
|
|
However, since all that is required in the
|
|
|
|
.B to
|
|
|
|
clause is substring expansion, a more efficient solution is
|
|
|
|
.LP
|
|
|
|
.nf
|
|
|
|
access to dn.regex="^(.+,)?uid=([^,]+),dc=example,dc=com$$"
|
|
|
|
by dn.exact,expand="uid=$1,dc=example,dc=com" write
|
|
|
|
by ...
|
|
|
|
.fi
|
|
|
|
.LP
|
|
|
|
In fact, while a
|
|
|
|
.B <dnstyle>
|
|
|
|
of
|
|
|
|
.B regex
|
|
|
|
implies substring expansion,
|
|
|
|
.BR exact ,
|
|
|
|
as well as all the other DN specific
|
|
|
|
.B <dnstyle>
|
|
|
|
values, does not, so it must be explicitly requested.
|
|
|
|
.LP
|
2001-11-04 02:03:10 +08:00
|
|
|
.SH FILES
|
2002-05-09 10:07:41 +08:00
|
|
|
.TP
|
2001-11-04 02:03:10 +08:00
|
|
|
ETCDIR/slapd.conf
|
2002-05-09 10:07:41 +08:00
|
|
|
default slapd configuration file
|
2001-11-04 02:03:10 +08:00
|
|
|
.SH SEE ALSO
|
|
|
|
.BR slapd (8),
|
|
|
|
.LP
|
|
|
|
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
|
|
|
|
.SH ACKNOWLEDGEMENTS
|
2001-11-04 05:53:44 +08:00
|
|
|
.B OpenLDAP
|
2001-11-04 02:03:10 +08:00
|
|
|
is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
|
2001-11-04 05:53:44 +08:00
|
|
|
.B OpenLDAP
|
2001-11-04 02:03:10 +08:00
|
|
|
is derived from University of Michigan LDAP 3.3 Release.
|