mirror of
https://git.openldap.org/openldap/openldap.git
synced 2025-01-12 10:54:48 +08:00
494 lines
12 KiB
Groff
494 lines
12 KiB
Groff
.TH SLAPD.ACCESS 5 "RELEASEDATE" "OpenLDAP LDVERSION"
|
|
.\" Copyright 1998-2003 The OpenLDAP Foundation All Rights Reserved.
|
|
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
|
|
.SH NAME
|
|
slapd.access \- access configuration for slapd, the stand-alone LDAP daemon
|
|
.SH SYNOPSIS
|
|
ETCDIR/slapd.conf
|
|
.SH DESCRIPTION
|
|
The
|
|
.BR slapd.conf (5)
|
|
file contains configuration information for the
|
|
.BR slapd (8)
|
|
daemon. This configuration file is also used by the
|
|
.BR slurpd (8)
|
|
replication daemon and by the SLAPD tools
|
|
.BR slapadd (8),
|
|
.BR slapcat (8),
|
|
and
|
|
.BR slapindex (8).
|
|
.LP
|
|
The
|
|
.B slapd.conf
|
|
file consists of a series of global configuration options that apply to
|
|
.B slapd
|
|
as a whole (including all backends), followed by zero or more database
|
|
backend definitions that contain information specific to a backend
|
|
instance.
|
|
.LP
|
|
The general format of
|
|
.B slapd.conf
|
|
is as follows:
|
|
.LP
|
|
.nf
|
|
# comment - these options apply to every database
|
|
<global configuration options>
|
|
# first database definition & configuration options
|
|
database <backend 1 type>
|
|
<configuration options specific to backend 1>
|
|
# subsequent database definitions & configuration options
|
|
...
|
|
.fi
|
|
.LP
|
|
Both the global configuration and each backend-specific section can
|
|
contain access information. Backend-specific access control
|
|
directives are used for those entries that belong to the backend,
|
|
according to their naming context. In case no access control
|
|
directives are defined for a backend or those which are defined are
|
|
not applicable, the directives from the global configuration section
|
|
are then used.
|
|
.LP
|
|
For entries not held in any backend (such as a root DSE), the
|
|
directives of the first backend (and any global directives) are
|
|
used.
|
|
.LP
|
|
Arguments that should be replaced by actual text are shown in
|
|
brackets <>. The structure of the access control directives is
|
|
.TP
|
|
.B access to <what> "[ by <who> <access> [ <control> ] ]+"
|
|
Grant access (specified by
|
|
.BR <access> )
|
|
to a set of entries and/or attributes (specified by
|
|
.BR <what> )
|
|
by one or more requestors (specified by
|
|
.BR <who> ).
|
|
.LP
|
|
The field
|
|
.BR <what>
|
|
specifies the entity the access control directive applies to.
|
|
It can have the forms
|
|
.LP
|
|
.nf
|
|
*
|
|
[dn[.<dnstyle>]=<DN>]
|
|
[filter=<ldapfilter>]
|
|
[attrs=<attrlist>]
|
|
.fi
|
|
.LP
|
|
The wildcard
|
|
.B *
|
|
stands for all the entries.
|
|
.LP
|
|
The statement
|
|
.B dn=<DN>
|
|
selects the entries based on their naming context.
|
|
The pattern is a string representation of the entry's DN.
|
|
.BR base ,
|
|
the default,
|
|
or
|
|
.B exact
|
|
(an alias of
|
|
.BR base )
|
|
indicates the entry whose DN is equal to the pattern.
|
|
.B one
|
|
indicates all the entries immediately below the
|
|
.BR pattern ,
|
|
.B subtree
|
|
indicates all entries in the subtree at the pattern,
|
|
.B children
|
|
indicates all the entries below (subordinate to) the pattern.
|
|
.LP
|
|
If the
|
|
.B <dnstyle>
|
|
qualifier is
|
|
.BR regex ,
|
|
then the value is a regular expression pattern,
|
|
as detailed in
|
|
.BR regex (7),
|
|
matching a normalized string representation of the entry's DN.
|
|
The regex form of the pattern does not (yet) support UTF-8.
|
|
.LP
|
|
The statement
|
|
.B filter=<ldapfilter>
|
|
selects the entries based on a valid LDAP filter as described in RFC 2254.
|
|
.LP
|
|
The statement
|
|
.B attrs=<attrlist>
|
|
selects the attributes the access control rule applies to.
|
|
It is a comma-separated list of attribute types, plus the special names
|
|
.BR entry ,
|
|
indicating access to the entry itself, and
|
|
.BR children ,
|
|
indicating access to the entry's children. ObjectClass names may also
|
|
be specified in this list, which will affect all the attributes that
|
|
are required and/or allowed by that objectClass.
|
|
.LP
|
|
Using the form
|
|
.B attrs=<attr> val[.<style>]=<value>
|
|
specifies access to a particular value of a single attribute.
|
|
In this case, only a single attribute type may be given. A value
|
|
.B <style>
|
|
of
|
|
.B exact
|
|
(the default) uses the attribute's equality matching rule to compare the
|
|
value. If the
|
|
.B <style>
|
|
is
|
|
.BR regex ,
|
|
the provided value is used as a regular expression pattern.
|
|
.LP
|
|
The dn, filter, and attrs statements are additive; they can be used in sequence
|
|
to select entities the access rule applies to based on naming context,
|
|
value and attribute type simultaneously.
|
|
.LP
|
|
The field
|
|
.B <who>
|
|
indicates whom the access rules apply to.
|
|
Multiple
|
|
.B <who>
|
|
statements can appear in an access control statement, indicating the
|
|
different access privileges to the same resource that apply to different
|
|
accessee.
|
|
It can have the forms
|
|
.LP
|
|
.nf
|
|
*
|
|
anonymous
|
|
users
|
|
self
|
|
|
|
dn[.<dnstyle>[,<modifier>]]=<DN>
|
|
dnattr=<attrname>
|
|
group[/<objectclass>[/<attrname>]]
|
|
[.<style>]=<group>
|
|
peername[.<style>]=<peername>
|
|
sockname[.<style>]=<sockname>
|
|
domain[.<domainstyle>[,<modifier>]]=<domain>
|
|
sockurl[.<style>]=<sockurl>
|
|
set[.<style>]=<pattern>
|
|
|
|
ssf=<n>
|
|
transport_ssf=<n>
|
|
tls_ssf=<n>
|
|
sasl_ssf=<n>
|
|
|
|
aci=<attrname>
|
|
.fi
|
|
.LP
|
|
They may be specified in combination.
|
|
.LP
|
|
.nf
|
|
.fi
|
|
.LP
|
|
The wildcard
|
|
.B *
|
|
refers to everybody.
|
|
.LP
|
|
The keyword
|
|
.B anonymous
|
|
means access is granted to unauthenticated clients; it is mostly used
|
|
to limit access to authentication resources (e.g. the
|
|
.B userPassword
|
|
attribute) to unauthenticated clients for authentication purposes.
|
|
.LP
|
|
The keyword
|
|
.B users
|
|
means access is granted to authenticated clients.
|
|
.LP
|
|
The keyword
|
|
.B self
|
|
means access to an entry is allowed to the entry itself (e.g. the entry
|
|
being accessed and the requesting entry must be the same).
|
|
.LP
|
|
The statement
|
|
.B dn=<DN>
|
|
means that access is granted to the matching DN.
|
|
The optional style qualifier
|
|
.B dnstyle
|
|
allows the same choices of the dn form of the
|
|
.B <what>
|
|
field. In addition, the
|
|
.B regex
|
|
style can exploit substring substitution of submatches in the
|
|
.B <what>
|
|
dn.regex clause by using the form
|
|
.BR $<digit> ,
|
|
with
|
|
.B digit
|
|
ranging from 1 to 9.
|
|
.LP
|
|
The statement
|
|
.B dnattr=<attrname>
|
|
means that access is granted to requests whose DN is listed in the
|
|
entry being accessed under the
|
|
.B <attrname>
|
|
attribute.
|
|
.LP
|
|
The statement
|
|
.B group=<group>
|
|
means that access is granted to requests whose DN is listed
|
|
in the group entry whose DN is given by
|
|
.BR <group> .
|
|
The optional parameters
|
|
.B <objectclass>
|
|
and
|
|
.B <attrname>
|
|
define the objectClass and the member attributeType of the group entry.
|
|
The optional style qualifier
|
|
.B <style>
|
|
can be
|
|
.BR regex ,
|
|
which means that
|
|
.B <group>
|
|
will be expanded according to regex (7), and
|
|
.B base
|
|
or
|
|
.B exact
|
|
(an alias of
|
|
.BR base ),
|
|
which means that exact match will be used.
|
|
.LP
|
|
For static groups, the specified attributeType must have
|
|
.B DistinguishedName
|
|
or
|
|
.B NameAndOptionalUID
|
|
syntax. For dynamic groups the attributeType must
|
|
be a subtype of the
|
|
.B labeledURI
|
|
attributeType. Only LDAP URIs of the form
|
|
.B ldap:///<base>??<scope>?<filter>
|
|
will be evaluated in a dynamic group.
|
|
.LP
|
|
The statements
|
|
.BR peername=<peername> ,
|
|
.BR sockname=<sockname> ,
|
|
.BR domain=<domain> ,
|
|
and
|
|
.BR sockurl=<sockurl>
|
|
mean that the contacting host IP for
|
|
.BR peername ,
|
|
the named pipe file name for
|
|
.BR sockname ,
|
|
the contacting host name for
|
|
.BR domain ,
|
|
and the contacting URL for
|
|
.BR sockurl
|
|
are compared against
|
|
.B pattern
|
|
to determine access.
|
|
The same
|
|
.B style
|
|
rules for pattern match described for the
|
|
.B group
|
|
case apply.
|
|
The
|
|
.BR domain
|
|
clause also allows the
|
|
.B subtree
|
|
style, which succeeds when a fully qualified name exactly matches the
|
|
.BR domain
|
|
pattern, or its trailing part, after a
|
|
.BR dot ,
|
|
exactly matches the
|
|
.BR domain
|
|
pattern.
|
|
The
|
|
.B domain
|
|
of the contacting host is determined by performing a DNS reverse lookup.
|
|
As this lookup can easily be spoofed, use of the
|
|
.B domain
|
|
statement is strongly discouraged. By default, reverse lookups are disabled.
|
|
.LP
|
|
The statement
|
|
.B set=<pattern>
|
|
is undocumented yet.
|
|
.LP
|
|
The statement
|
|
.B aci=<attrname>
|
|
means that the access control is determined by the values in the
|
|
.B attrname
|
|
of the entry itself.
|
|
ACIs are experimental; they must be enabled at compile time.
|
|
.LP
|
|
The statements
|
|
.BR ssf=<n> ,
|
|
.BR transport_ssf=<n> ,
|
|
.BR tls_ssf=<n> ,
|
|
and
|
|
.BR sasl_ssf=<n>
|
|
set the required Security Strength Factor (ssf) required to grant access.
|
|
.LP
|
|
The field
|
|
.B <access> ::= [self]{<level>|<priv>}
|
|
determines the access level or the specific access privileges the
|
|
.B who
|
|
field will have.
|
|
Its component are defined as
|
|
.LP
|
|
.nf
|
|
<level> ::= none|auth|compare|search|read|write
|
|
<priv> ::= {=|+|-}{w|r|s|c|x}+
|
|
.fi
|
|
.LP
|
|
The modifier
|
|
.B self
|
|
allows special operations like having a certain access level or privilege
|
|
only in case the operation involves the name of the user that's requesting
|
|
the access.
|
|
It implies the user that requests access is bound.
|
|
An example is the
|
|
.B selfwrite
|
|
access to the member attribute of a group, which allows one to add/delete
|
|
its own DN from the member list of a group, without affecting other members.
|
|
.LP
|
|
The
|
|
.B level
|
|
access model relies on an incremental interpretation of the access
|
|
privileges.
|
|
The possible levels are
|
|
.BR none ,
|
|
.BR auth ,
|
|
.BR compare ,
|
|
.BR search ,
|
|
.BR read ,
|
|
and
|
|
.BR write .
|
|
Each access level implies all the preceding ones, thus
|
|
.B write
|
|
access will imply all accesses.
|
|
While
|
|
.B none
|
|
is trivial,
|
|
.B auth
|
|
access means that one is allowed access to an attribute to perform
|
|
authentication/authorization operations (e.g.
|
|
.BR bind )
|
|
with no other access.
|
|
This is useful to grant unauthenticated clients the least possible
|
|
access level to critical resources, like passwords.
|
|
.LP
|
|
The
|
|
.B priv
|
|
access model relies on the explicit setting of access privileges
|
|
for each clause.
|
|
The
|
|
.B =
|
|
sign resets previously defined accesses; as a consequence, the final
|
|
access privileges will be only those defined by the clause.
|
|
The
|
|
.B +
|
|
and
|
|
.B -
|
|
signs add/remove access privileges to the existing ones.
|
|
The privileges are
|
|
.B w
|
|
for write,
|
|
.B r
|
|
for read,
|
|
.B s
|
|
for search,
|
|
.B c
|
|
for compare, and
|
|
.B x
|
|
for authentication.
|
|
More than one privilege can be added in one statement.
|
|
.LP
|
|
The optional field
|
|
.B <control>
|
|
controls the flow of access rule application.
|
|
It can have the forms
|
|
.LP
|
|
.nf
|
|
stop
|
|
continue
|
|
break
|
|
.fi
|
|
.LP
|
|
where
|
|
.BR stop ,
|
|
the default, means access checking stops in case of match.
|
|
The other two forms are used to keep on processing access clauses.
|
|
In detail, the
|
|
.B continue
|
|
form allows for other
|
|
.B <who>
|
|
clauses in the same
|
|
.B <access>
|
|
clause to be considered, so that they may result in incrementally altering
|
|
the privileges, while the
|
|
.B break
|
|
form allows for other
|
|
.B <access>
|
|
clauses that match the same target to be processed.
|
|
Consider the (silly) example
|
|
.LP
|
|
.nf
|
|
access to dn.subtree="dc=example,dc=com" attrs=cn
|
|
by * =cs break
|
|
|
|
access to dn.subtree="ou=People,dc=example,dc=com"
|
|
by * +r
|
|
.fi
|
|
.LP
|
|
which allows search and compare privileges to everybody under
|
|
the "dc=example,dc=com" tree, with the second rule allowing
|
|
also read in the "ou=People" subtree,
|
|
or the (even more silly) example
|
|
.LP
|
|
.nf
|
|
access to dn.subtree="dc=example,dc=com" attrs=cn
|
|
by * =cs continue
|
|
by users +r
|
|
.fi
|
|
.LP
|
|
which grants everybody search and compare privileges, and adds read
|
|
privileges to authenticated clients.
|
|
.SH CAVEATS
|
|
It is strongly recommended to explicitly use the most appropriate
|
|
DN
|
|
.BR style ,
|
|
to avoid possible incorrect specifications of the access rules as well
|
|
as for performance (avoid unrequired regex matching when an exact
|
|
match suffices) reasons.
|
|
.LP
|
|
An adminisistrator might create a rule of the form:
|
|
.LP
|
|
.nf
|
|
access to dn.regex="dc=example,dc=com"
|
|
by ...
|
|
.fi
|
|
.LP
|
|
expecting it to match all entries in the subtree "dc=example,dc=com".
|
|
However, this rule actually matches any DN which contains anywhere
|
|
the substring "dc=example,dc=com". That is, the rule matches both
|
|
"uid=joe,dc=example,dc=com" and "dc=example,dc=com,uid=joe".
|
|
.LP
|
|
To match the desired subtree, the rule would be more precisely
|
|
written:
|
|
.LP
|
|
.nf
|
|
access to dn.regex="^(.+,)?dc=example,dc=com$$"
|
|
by ...
|
|
.fi
|
|
.LP
|
|
For performance reasons, it would be better to use the subtree style.
|
|
.LP
|
|
.nf
|
|
access to dn.subtree="dc=example,dc=com"
|
|
by ...
|
|
.fi
|
|
.LP
|
|
.SH FILES
|
|
.TP
|
|
ETCDIR/slapd.conf
|
|
default slapd configuration file
|
|
.SH SEE ALSO
|
|
.BR slapd (8),
|
|
.LP
|
|
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
|
|
.SH ACKNOWLEDGEMENTS
|
|
.B OpenLDAP
|
|
is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
|
|
.B OpenLDAP
|
|
is derived from University of Michigan LDAP 3.3 Release.
|