openldap/doc/man/man5/slapd.access.5

494 lines
12 KiB
Groff
Raw Normal View History

2002-06-13 11:59:10 +08:00
.TH SLAPD.ACCESS 5 "RELEASEDATE" "OpenLDAP LDVERSION"
2003-01-04 04:20:47 +08:00
.\" Copyright 1998-2003 The OpenLDAP Foundation All Rights Reserved.
2001-11-04 02:03:10 +08:00
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.SH NAME
slapd.access \- access configuration for slapd, the stand-alone LDAP daemon
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
2001-11-04 05:53:44 +08:00
The
.BR slapd.conf (5)
file contains configuration information for the
2001-11-04 02:03:10 +08:00
.BR slapd (8)
daemon. This configuration file is also used by the
.BR slurpd (8)
replication daemon and by the SLAPD tools
.BR slapadd (8),
.BR slapcat (8),
and
.BR slapindex (8).
.LP
The
.B slapd.conf
file consists of a series of global configuration options that apply to
.B slapd
as a whole (including all backends), followed by zero or more database
backend definitions that contain information specific to a backend
instance.
.LP
The general format of
.B slapd.conf
is as follows:
.LP
.nf
# comment - these options apply to every database
<global configuration options>
# first database definition & configuration options
database <backend 1 type>
<configuration options specific to backend 1>
# subsequent database definitions & configuration options
...
.fi
.LP
Both the global configuration and each backend-specific section can
contain access information. Backend-specific access control
directives are used for those entries that belong to the backend,
according to their naming context. In case no access control
directives are defined for a backend or those which are defined are
not applicable, the directives from the global configuration section
are then used.
2001-11-04 02:03:10 +08:00
.LP
For entries not held in any backend (such as a root DSE), the
directives of the first backend (and any global directives) are
used.
.LP
Arguments that should be replaced by actual text are shown in
brackets <>. The structure of the access control directives is
2001-11-04 02:03:10 +08:00
.TP
2002-05-02 00:38:30 +08:00
.B access to <what> "[ by <who> <access> [ <control> ] ]+"
2001-11-04 02:03:10 +08:00
Grant access (specified by
.BR <access> )
to a set of entries and/or attributes (specified by
.BR <what> )
by one or more requestors (specified by
.BR <who> ).
.LP
The field
.BR <what>
specifies the entity the access control directive applies to.
It can have the forms
.LP
.nf
*
[dn[.<dnstyle>]=<DN>]
2001-11-04 02:03:10 +08:00
[filter=<ldapfilter>]
[attrs=<attrlist>]
.fi
.LP
The wildcard
.B *
stands for all the entries.
.LP
The statement
.B dn=<DN>
2001-11-04 02:03:10 +08:00
selects the entries based on their naming context.
The pattern is a string representation of the entry's DN.
.BR base ,
the default,
2001-11-04 02:03:10 +08:00
or
.B exact
(an alias of
.BR base )
2003-02-24 03:38:32 +08:00
indicates the entry whose DN is equal to the pattern.
2001-11-04 02:03:10 +08:00
.B one
2003-04-08 05:42:51 +08:00
indicates all the entries immediately below the
2001-11-04 02:03:10 +08:00
.BR pattern ,
.B subtree
2003-04-08 05:42:51 +08:00
indicates all entries in the subtree at the pattern,
2001-11-04 02:03:10 +08:00
.B children
2003-04-08 05:42:51 +08:00
indicates all the entries below (subordinate to) the pattern.
.LP
If the
.B <dnstyle>
qualifier is
.BR regex ,
then the value is a regular expression pattern,
as detailed in
.BR regex (7),
matching a normalized string representation of the entry's DN.
The regex form of the pattern does not (yet) support UTF-8.
2001-11-04 02:03:10 +08:00
.LP
The statement
.B filter=<ldapfilter>
selects the entries based on a valid LDAP filter as described in RFC 2254.
.LP
The statement
.B attrs=<attrlist>
selects the attributes the access control rule applies to.
It is a comma-separated list of attribute types, plus the special names
.BR entry ,
indicating access to the entry itself, and
.BR children ,
indicating access to the entry's children. ObjectClass names may also
be specified in this list, which will affect all the attributes that
are required and/or allowed by that objectClass.
2001-11-04 02:03:10 +08:00
.LP
2003-09-21 18:34:40 +08:00
Using the form
.B attrs=<attr> val[.<style>]=<value>
specifies access to a particular value of a single attribute.
In this case, only a single attribute type may be given. A value
.B <style>
of
.B exact
(the default) uses the attribute's equality matching rule to compare the
value. If the
.B <style>
is
.BR regex ,
the provided value is used as a regular expression pattern.
.LP
The dn, filter, and attrs statements are additive; they can be used in sequence
2001-11-04 02:03:10 +08:00
to select entities the access rule applies to based on naming context,
value and attribute type simultaneously.
.LP
The field
.B <who>
indicates whom the access rules apply to.
Multiple
.B <who>
statements can appear in an access control statement, indicating the
different access privileges to the same resource that apply to different
accessee.
It can have the forms
.LP
.nf
*
anonymous
users
self
dn[.<dnstyle>[,<modifier>]]=<DN>
2001-11-04 02:03:10 +08:00
dnattr=<attrname>
group[/<objectclass>[/<attrname>]]
[.<style>]=<group>
peername[.<style>]=<peername>
sockname[.<style>]=<sockname>
domain[.<domainstyle>[,<modifier>]]=<domain>
sockurl[.<style>]=<sockurl>
2001-11-04 02:03:10 +08:00
set[.<style>]=<pattern>
2001-11-04 05:53:44 +08:00
ssf=<n>
transport_ssf=<n>
tls_ssf=<n>
sasl_ssf=<n>
2001-11-04 02:03:10 +08:00
aci=<attrname>
.fi
.LP
2001-11-04 05:53:44 +08:00
They may be specified in combination.
2001-11-04 02:03:10 +08:00
.LP
.nf
.fi
.LP
The wildcard
.B *
refers to everybody.
.LP
The keyword
.B anonymous
2003-04-15 10:20:01 +08:00
means access is granted to unauthenticated clients; it is mostly used
2001-11-04 02:03:10 +08:00
to limit access to authentication resources (e.g. the
.B userPassword
2003-04-15 10:20:01 +08:00
attribute) to unauthenticated clients for authentication purposes.
2001-11-04 02:03:10 +08:00
.LP
The keyword
.B users
2003-04-15 10:20:01 +08:00
means access is granted to authenticated clients.
2001-11-04 02:03:10 +08:00
.LP
The keyword
.B self
means access to an entry is allowed to the entry itself (e.g. the entry
being accessed and the requesting entry must be the same).
.LP
The statement
.B dn=<DN>
2003-02-24 03:38:32 +08:00
means that access is granted to the matching DN.
The optional style qualifier
2001-11-04 02:03:10 +08:00
.B dnstyle
allows the same choices of the dn form of the
.B <what>
2003-02-24 03:38:32 +08:00
field. In addition, the
2001-11-04 02:03:10 +08:00
.B regex
style can exploit substring substitution of submatches in the
2001-11-04 02:03:10 +08:00
.B <what>
2003-02-24 03:38:32 +08:00
dn.regex clause by using the form
2001-11-04 02:03:10 +08:00
.BR $<digit> ,
with
.B digit
ranging from 1 to 9.
.LP
The statement
.B dnattr=<attrname>
2003-02-24 03:38:32 +08:00
means that access is granted to requests whose DN is listed in the
2001-11-04 02:03:10 +08:00
entry being accessed under the
2003-09-21 18:45:57 +08:00
.B <attrname>
2001-11-04 02:03:10 +08:00
attribute.
.LP
The statement
.B group=<group>
2003-02-24 03:38:32 +08:00
means that access is granted to requests whose DN is listed
in the group entry whose DN is given by
2003-09-21 18:45:57 +08:00
.BR <group> .
2001-11-04 02:03:10 +08:00
The optional parameters
2003-09-21 18:45:57 +08:00
.B <objectclass>
2001-11-04 02:03:10 +08:00
and
2003-09-21 18:45:57 +08:00
.B <attrname>
2001-11-04 02:03:10 +08:00
define the objectClass and the member attributeType of the group entry.
2003-02-24 03:38:32 +08:00
The optional style qualifier
2003-09-21 18:45:57 +08:00
.B <style>
2001-11-04 02:03:10 +08:00
can be
.BR regex ,
which means that
2003-09-21 18:45:57 +08:00
.B <group>
will be expanded according to regex (7), and
2001-11-04 02:03:10 +08:00
.B base
or
.B exact
(an alias of
.BR base ),
2003-02-24 03:38:32 +08:00
which means that exact match will be used.
2001-11-04 02:03:10 +08:00
.LP
2003-09-21 18:45:57 +08:00
For static groups, the specified attributeType must have
.B DistinguishedName
or
.B NameAndOptionalUID
syntax. For dynamic groups the attributeType must
be a subtype of the
.B labeledURI
2003-09-21 18:52:44 +08:00
attributeType. Only LDAP URIs of the form
.B ldap:///<base>??<scope>?<filter>
will be evaluated in a dynamic group.
2003-09-21 18:45:57 +08:00
.LP
2001-11-04 02:03:10 +08:00
The statements
.BR peername=<peername> ,
.BR sockname=<sockname> ,
.BR domain=<domain> ,
2001-11-04 02:03:10 +08:00
and
.BR sockurl=<sockurl>
2001-11-04 02:03:10 +08:00
mean that the contacting host IP for
.BR peername ,
the named pipe file name for
.BR sockname ,
the contacting host name for
.BR domain ,
and the contacting URL for
.BR sockurl
are compared against
.B pattern
to determine access.
The same
.B style
rules for pattern match described for the
.B group
case apply.
The
.BR domain
clause also allows the
.B subtree
style, which succeeds when a fully qualified name exactly matches the
.BR domain
pattern, or its trailing part, after a
.BR dot ,
exactly matches the
.BR domain
pattern.
The
.B domain
of the contacting host is determined by performing a DNS reverse lookup.
As this lookup can easily be spoofed, use of the
.B domain
statement is strongly discouraged. By default, reverse lookups are disabled.
2001-11-04 02:03:10 +08:00
.LP
The statement
.B set=<pattern>
is undocumented yet.
.LP
The statement
.B aci=<attrname>
means that the access control is determined by the values in the
.B attrname
of the entry itself.
ACIs are experimental; they must be enabled at compile time.
.LP
2001-11-04 05:53:44 +08:00
The statements
2001-11-04 02:03:10 +08:00
.BR ssf=<n> ,
.BR transport_ssf=<n> ,
.BR tls_ssf=<n> ,
and
.BR sasl_ssf=<n>
2001-11-04 05:53:44 +08:00
set the required Security Strength Factor (ssf) required to grant access.
2001-11-04 02:03:10 +08:00
.LP
The field
.B <access> ::= [self]{<level>|<priv>}
determines the access level or the specific access privileges the
.B who
field will have.
Its component are defined as
.LP
.nf
<level> ::= none|auth|compare|search|read|write
<priv> ::= {=|+|-}{w|r|s|c|x}+
.fi
.LP
The modifier
.B self
allows special operations like having a certain access level or privilege
only in case the operation involves the name of the user that's requesting
the access.
It implies the user that requests access is bound.
An example is the
2001-11-04 05:53:44 +08:00
.B selfwrite
2001-11-04 02:03:10 +08:00
access to the member attribute of a group, which allows one to add/delete
its own DN from the member list of a group, without affecting other members.
.LP
The
.B level
access model relies on an incremental interpretation of the access
privileges.
The possible levels are
.BR none ,
.BR auth ,
.BR compare ,
.BR search ,
.BR read ,
and
.BR write .
Each access level implies all the preceding ones, thus
.B write
access will imply all accesses.
While
.B none
is trivial,
.B auth
access means that one is allowed access to an attribute to perform
2001-11-04 05:53:44 +08:00
authentication/authorization operations (e.g.
2001-11-04 02:03:10 +08:00
.BR bind )
with no other access.
2003-04-15 10:20:01 +08:00
This is useful to grant unauthenticated clients the least possible
2001-11-04 02:03:10 +08:00
access level to critical resources, like passwords.
.LP
The
.B priv
access model relies on the explicit setting of access privileges
for each clause.
The
.B =
sign resets previously defined accesses; as a consequence, the final
access privileges will be only those defined by the clause.
The
.B +
and
.B -
signs add/remove access privileges to the existing ones.
The privileges are
.B w
for write,
.B r
for read,
.B s
for search,
.B c
for compare, and
.B x
for authentication.
More than one privilege can be added in one statement.
.LP
The optional field
.B <control>
controls the flow of access rule application.
It can have the forms
.LP
.nf
stop
continue
break
.fi
.LP
where
.BR stop ,
the default, means access checking stops in case of match.
The other two forms are used to keep on processing access clauses.
In detail, the
.B continue
form allows for other
.B <who>
clauses in the same
.B <access>
clause to be considered, so that they may result in incrementally altering
the privileges, while the
.B break
form allows for other
.B <access>
clauses that match the same target to be processed.
Consider the (silly) example
.LP
.nf
access to dn.subtree="dc=example,dc=com" attrs=cn
by * =cs break
access to dn.subtree="ou=People,dc=example,dc=com"
by * +r
.fi
.LP
which allows search and compare privileges to everybody under
2002-04-13 23:07:40 +08:00
the "dc=example,dc=com" tree, with the second rule allowing
2001-11-04 02:03:10 +08:00
also read in the "ou=People" subtree,
or the (even more silly) example
.LP
.nf
access to dn.subtree="dc=example,dc=com" attrs=cn
by * =cs continue
by users +r
.fi
.LP
which grants everybody search and compare privileges, and adds read
2003-04-15 10:20:01 +08:00
privileges to authenticated clients.
2003-05-17 20:39:10 +08:00
.SH CAVEATS
It is strongly recommended to explicitly use the most appropriate
DN
.BR style ,
to avoid possible incorrect specifications of the access rules as well
as for performance (avoid unrequired regex matching when an exact
match suffices) reasons.
2003-05-18 02:37:40 +08:00
.LP
An adminisistrator might create a rule of the form:
2003-05-17 20:39:10 +08:00
.LP
.nf
access to dn.regex="dc=example,dc=com"
2003-05-17 20:39:10 +08:00
by ...
.fi
.LP
2003-05-18 02:37:40 +08:00
expecting it to match all entries in the subtree "dc=example,dc=com".
However, this rule actually matches any DN which contains anywhere
the substring "dc=example,dc=com". That is, the rule matches both
"uid=joe,dc=example,dc=com" and "dc=example,dc=com,uid=joe".
2003-05-17 20:39:10 +08:00
.LP
2003-05-18 02:37:40 +08:00
To match the desired subtree, the rule would be more precisely
written:
2003-05-17 20:39:10 +08:00
.LP
.nf
2003-05-18 02:37:40 +08:00
access to dn.regex="^(.+,)?dc=example,dc=com$$"
by ...
2003-05-17 20:39:10 +08:00
.fi
.LP
2003-05-18 02:37:40 +08:00
For performance reasons, it would be better to use the subtree style.
2003-05-17 20:39:10 +08:00
.LP
.nf
access to dn.subtree="dc=example,dc=com"
by ...
2003-05-17 20:39:10 +08:00
.fi
.LP
2001-11-04 02:03:10 +08:00
.SH FILES
.TP
2001-11-04 02:03:10 +08:00
ETCDIR/slapd.conf
default slapd configuration file
2001-11-04 02:03:10 +08:00
.SH SEE ALSO
.BR slapd (8),
.LP
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
.SH ACKNOWLEDGEMENTS
2001-11-04 05:53:44 +08:00
.B OpenLDAP
2001-11-04 02:03:10 +08:00
is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
2001-11-04 05:53:44 +08:00
.B OpenLDAP
2001-11-04 02:03:10 +08:00
is derived from University of Michigan LDAP 3.3 Release.