# $OpenLDAP$
# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.

H1: Access Control

Access to your directory can be configured via two methods, the first
using {{SECT:The slapd Configuration File}} and the second using the
{{slapd-config}}(5) format ({{SECT:Configuring slapd}}).

H2: Static Access Control Configuration

Access to entries and attributes is controlled by the access
configuration file directive. The general form of an access line is:

>	::= access to
>		[by [] [] ]+
>	::= * |
>		[dn[.]= | dn.=]
>		[filter=] [attrs=]
>	::= regex | exact
>	::= base | one | subtree | children
>	::= [val[.]=] | ,
>	::= | entry | children
>	::= * | [anonymous | users | self
>		| dn[.]= | dn.=]
>		[dnattr=]
>		[group[/[/][.]]=]
>		[peername[.]=]
>		[sockname[.]=]
>		[domain[.]=]
>		[sockurl[.]=]
>		[set=]
>		[aci=]
>	::= [self]{|}
>	::= none | disclose | auth | compare | search | read | write | manage
>	::= {=|+|-}{m|w|r|s|c|x|d|0}+
>	::= [stop | continue | break]

where the part selects the entries and/or attributes to which the
access applies, the {{EX:}} part specifies which entities are granted
access, and the {{EX:}} part specifies the access granted. Multiple
{{EX: }} triplets are supported, allowing many entities to be granted
different access to the same set of entries and attributes. Not all of
these access control options are described here; for more details see
the {{slapd.access}}(5) man page.

H3: What to control access to

The part of an access specification determines the entries and
attributes to which the access control applies. Entries are commonly
selected in two ways: by DN and by filter. The following qualifiers
select entries by DN:

>	to *
>	to dn[.]=
>	to dn.=

The first form is used to select all entries. The second form may be
used to select entries by matching a regular expression against the
target entry's {{normalized DN}}. (The second form is not discussed
further in this document.)
The third form is used to select entries which are within the requested
scope of DN. The is a string representation of the Distinguished Name,
as described in {{REF:RFC4514}}.

The scope can be either {{EX:base}}, {{EX:one}}, {{EX:subtree}}, or
{{EX:children}}. Where {{EX:base}} matches only the entry with the
provided DN, {{EX:one}} matches the entries whose parent is the provided
DN, {{EX:subtree}} matches all entries in the subtree whose root is the
provided DN, and {{EX:children}} matches all entries under the DN (but
not the entry named by the DN).

For example, if the directory contained entries named:

>	0: o=suffix
>	1: cn=Manager,o=suffix
>	2: ou=people,o=suffix
>	3: uid=kdz,ou=people,o=suffix
>	4: cn=addresses,uid=kdz,ou=people,o=suffix
>	5: uid=hyc,ou=people,o=suffix

\Then:
.	{{EX:dn.base="ou=people,o=suffix"}} matches 2;
.	{{EX:dn.one="ou=people,o=suffix"}} matches 3, and 5;
.	{{EX:dn.subtree="ou=people,o=suffix"}} matches 2, 3, 4, and 5; and
.	{{EX:dn.children="ou=people,o=suffix"}} matches 3, 4, and 5.

Entries may also be selected using a filter:

>	to filter=

where is a string representation of an LDAP search filter, as
described in {{REF:RFC4515}}. For example:

>	to filter=(objectClass=person)

Note that entries may be selected by both DN and filter by including
both qualifiers in the clause.

>	to dn.one="ou=people,o=suffix" filter=(objectClass=person)

Attributes within an entry are selected by including a comma-separated
list of attribute names in the selector:

>	attrs=

A specific value of an attribute is selected by using a single attribute
name and also using a value selector:

>	attrs= val[.
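The DN scope selectors described above, as an added worked example (not code from the OpenLDAP guide or from slapd itself): it evaluates a {{EX:dn.<scope>=}} selector against the six sample entries and returns the matching entry numbers. It assumes simple DNs whose RDNs contain no escaped commas, and uses lowercasing as a stand-in for real DN normalization.

```python
import re

# Constructed sample directory, numbered as in the text above.
ENTRIES = {
    0: "o=suffix",
    1: "cn=Manager,o=suffix",
    2: "ou=people,o=suffix",
    3: "uid=kdz,ou=people,o=suffix",
    4: "cn=addresses,uid=kdz,ou=people,o=suffix",
    5: "uid=hyc,ou=people,o=suffix",
}

# Accepts the four scope keywords from the grammar: base, one, subtree, children.
SELECTOR = re.compile(r'^dn\.(base|one|subtree|children)="([^"]*)"$')


def normalize(dn):
    """Split a DN into RDNs, most specific first. Assumption: no escaped
    commas, and lowercasing approximates slapd's DN normalization."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def scope_matches(entry_dn, target_dn, scope):
    """True if entry_dn falls within `scope` of target_dn."""
    entry, target = normalize(entry_dn), normalize(target_dn)
    # The target must be a suffix of the entry's RDN list, otherwise the
    # entry is not at or below the target at all.
    if len(entry) < len(target) or entry[len(entry) - len(target):] != target:
        return False
    depth = len(entry) - len(target)  # 0 = target itself, 1 = direct child
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "subtree":
        return True  # target plus everything beneath it
    if scope == "children":
        return depth >= 1  # everything beneath, excluding the target
    raise ValueError(f"unknown scope: {scope}")


def select_by_clause(clause, entries=ENTRIES):
    """Resolve the text after 'to' (either * or a dn.<scope>="..." selector)
    to the sorted list of matching entry numbers."""
    clause = clause.strip()
    if clause == "*":
        return sorted(entries)
    m = SELECTOR.match(clause)
    if not m:
        raise ValueError(f"unsupported selector: {clause}")
    scope, target = m.group(1), m.group(2)
    return sorted(i for i, dn in entries.items() if scope_matches(dn, target, scope))
```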