# $OpenLDAP$ # Copyright 1999-2009 The OpenLDAP Foundation, All Rights Reserved. # COPYING RESTRICTIONS APPLY, see COPYRIGHT. H1: Access Control H2: Introduction As the directory gets populated with more and more data of varying sensitivity, controlling the kinds of access granted to the directory becomes more and more critical. For instance, the directory may contain data of a confidential nature that you may need to protect by contract or by law. Or, if using the directory to control access to other services, inappropriate access to the directory may create avenues of attack to your sites security that result in devastating damage to your assets. Access to your directory can be configured via two methods, the first using {{SECT:The slapd Configuration File}} and the second using the {{slapd-config}}(5) format ({{SECT:Configuring slapd}}). The default access control policy is allow read by all clients. Regardless of what access control policy is defined, the {{rootdn}} is always allowed full rights (i.e. auth, search, compare, read and write) on everything and anything. As a consequence, it's useless (and results in a performance penalty) to explicitly list the {{rootdn}} among the {{}} clauses. The following sections will describe Access Control Lists in more details and follow with some examples and recommendations. H2: Access Control via Static Configuration Access to entries and attributes is controlled by the access configuration file directive. The general form of an access line is: > ::= access to > [by [] [] ]+ > ::= * | > [dn[.]= | dn.=] > [filter=] [attrs=] > ::= regex | exact > ::= base | one | subtree | children > ::= [val[.]=] | , > ::= | entry | children > ::= * | [anonymous | users | self > | dn[.]= | dn.=] > [dnattr=] > [group[/[/][.]]=] > [peername[.]=] > [sockname[.]=] > [domain[.]=] > [sockurl[.]=] > [set=] > [aci=] > ::= [self]{|} > ::= none | disclose | auth | compare | search | read | write | manage > ::= {=|+|-}{m|w|r|s|c|x|d|0}+ > ::= [stop | continue | break] where the part selects the entries and/or attributes to which the access applies, the {{EX:}} part specifies which entities are granted access, and the {{EX:}} part specifies the access granted. Multiple {{EX: }} triplets are supported, allowing many entities to be granted different access to the same set of entries and attributes. Not all of these access control options are described here; for more details see the {{slapd.access}}(5) man page. H3: What to control access to The part of an access specification determines the entries and attributes to which the access control applies. Entries are commonly selected in two ways: by DN and by filter. The following qualifiers select entries by DN: > to * > to dn[.]= > to dn.= The first form is used to select all entries. The second form may be used to select entries by matching a regular expression against the target entry's {{normalized DN}}. (The second form is not discussed further in this document.) The third form is used to select entries which are within the requested scope of DN. The is a string representation of the Distinguished Name, as described in {{REF:RFC4514}}. The scope can be either {{EX:base}}, {{EX:one}}, {{EX:subtree}}, or {{EX:children}}. Where {{EX:base}} matches only the entry with provided DN, {{EX:one}} matches the entries whose parent is the provided DN, {{EX:subtree}} matches all entries in the subtree whose root is the provided DN, and {{EX:children}} matches all entries under the DN (but not the entry named by the DN). For example, if the directory contained entries named: > 0: o=suffix > 1: cn=Manager,o=suffix > 2: ou=people,o=suffix > 3: uid=kdz,ou=people,o=suffix > 4: cn=addresses,uid=kdz,ou=people,o=suffix > 5: uid=hyc,ou=people,o=suffix \Then: . {{EX:dn.base="ou=people,o=suffix"}} match 2; . {{EX:dn.one="ou=people,o=suffix"}} match 3, and 5; . {{EX:dn.subtree="ou=people,o=suffix"}} match 2, 3, 4, and 5; and . {{EX:dn.children="ou=people,o=suffix"}} match 3, 4, and 5. Entries may also be selected using a filter: > to filter= where is a string representation of an LDAP search filter, as described in {{REF:RFC4515}}. For example: > to filter=(objectClass=person) Note that entries may be selected by both DN and filter by including both qualifiers in the clause. > to dn.one="ou=people,o=suffix" filter=(objectClass=person) Attributes within an entry are selected by including a comma-separated list of attribute names in the selector: > attrs= A specific value of an attribute is selected by using a single attribute name and also using a value selector: > attrs= val[.