1 # $OpenLDAP: pkg/openldap-guide/admin/access-control.sdf,v 1.3.2.2 2008/05/20 00:17:58 quanah Exp $
2 # Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
3 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
9 As the directory gets populated with more and more data of varying sensitivity,
10 controlling the kinds of access granted to the directory becomes more and more
11 critical. For instance, the directory may contain data of a confidential nature
12 that you may need to protect by contract or by law. Or, if using the directory
13 to control access to other services, inappropriate access to the directory may
14 create avenues of attack to your sites security that result in devastating
15 damage to your assets.
17 Access to your directory can be configured via two methods, the first using
18 {{SECT:The slapd Configuration File}} and the second using the {{slapd-config}}(5)
19 format ({{SECT:Configuring slapd}}).
21 The default access control policy is allow read by all clients. Regardless of
22 what access control policy is defined, the {{rootdn}} is always allowed full
23 rights (i.e. auth, search, compare, read and write) on everything and anything.
25 As a consequence, it's useless (and results in a performance penalty) to explicitly
26 list the {{rootdn}} among the {{<by>}} clauses.
28 The following sections will describe Access Control Lists in more details and
29 follow with some examples and recommendations.
31 H2: Access Control via Static Configuration
33 Access to entries and attributes is controlled by the
34 access configuration file directive. The general form of an
37 > <access directive> ::= access to <what>
38 > [by <who> [<access>] [<control>] ]+
40 > [dn[.<basic-style>]=<regex> | dn.<scope-style>=<DN>]
41 > [filter=<ldapfilter>] [attrs=<attrlist>]
42 > <basic-style> ::= regex | exact
43 > <scope-style> ::= base | one | subtree | children
44 > <attrlist> ::= <attr> [val[.<basic-style>]=<regex>] | <attr> , <attrlist>
45 > <attr> ::= <attrname> | entry | children
46 > <who> ::= * | [anonymous | users | self
47 > | dn[.<basic-style>]=<regex> | dn.<scope-style>=<DN>]
49 > [group[/<objectclass>[/<attrname>][.<basic-style>]]=<regex>]
50 > [peername[.<basic-style>]=<regex>]
51 > [sockname[.<basic-style>]=<regex>]
52 > [domain[.<basic-style>]=<regex>]
53 > [sockurl[.<basic-style>]=<regex>]
56 > <access> ::= [self]{<level>|<priv>}
57 > <level> ::= none | disclose | auth | compare | search | read | write | manage
58 > <priv> ::= {=|+|-}{m|w|r|s|c|x|d|0}+
59 > <control> ::= [stop | continue | break]
61 where the <what> part selects the entries and/or attributes to which
62 the access applies, the {{EX:<who>}} part specifies which entities
63 are granted access, and the {{EX:<access>}} part specifies the
64 access granted. Multiple {{EX:<who> <access> <control>}} triplets
65 are supported, allowing many entities to be granted different access
66 to the same set of entries and attributes. Not all of these access
67 control options are described here; for more details see the
68 {{slapd.access}}(5) man page.
71 H3: What to control access to
73 The <what> part of an access specification determines the entries
74 and attributes to which the access control applies. Entries are
75 commonly selected in two ways: by DN and by filter. The following
76 qualifiers select entries by DN:
79 > to dn[.<basic-style>]=<regex>
80 > to dn.<scope-style>=<DN>
82 The first form is used to select all entries. The second form may
83 be used to select entries by matching a regular expression against
84 the target entry's {{normalized DN}}. (The second form is not
85 discussed further in this document.) The third form is used to
86 select entries which are within the requested scope of DN. The
87 <DN> is a string representation of the Distinguished Name, as
88 described in {{REF:RFC4514}}.
90 The scope can be either {{EX:base}}, {{EX:one}}, {{EX:subtree}},
91 or {{EX:children}}. Where {{EX:base}} matches only the entry with
92 provided DN, {{EX:one}} matches the entries whose parent is the
93 provided DN, {{EX:subtree}} matches all entries in the subtree whose
94 root is the provided DN, and {{EX:children}} matches all entries
95 under the DN (but not the entry named by the DN).
97 For example, if the directory contained entries named:
100 > 1: cn=Manager,o=suffix
101 > 2: ou=people,o=suffix
102 > 3: uid=kdz,ou=people,o=suffix
103 > 4: cn=addresses,uid=kdz,ou=people,o=suffix
104 > 5: uid=hyc,ou=people,o=suffix
107 . {{EX:dn.base="ou=people,o=suffix"}} match 2;
108 . {{EX:dn.one="ou=people,o=suffix"}} match 3, and 5;
109 . {{EX:dn.subtree="ou=people,o=suffix"}} match 2, 3, 4, and 5; and
110 . {{EX:dn.children="ou=people,o=suffix"}} match 3, 4, and 5.
113 Entries may also be selected using a filter:
115 > to filter=<ldap filter>
117 where <ldap filter> is a string representation of an LDAP
118 search filter, as described in {{REF:RFC4515}}. For example:
120 > to filter=(objectClass=person)
122 Note that entries may be selected by both DN and filter by
123 including both qualifiers in the <what> clause.
125 > to dn.one="ou=people,o=suffix" filter=(objectClass=person)
127 Attributes within an entry are selected by including a comma-separated
128 list of attribute names in the <what> selector:
130 > attrs=<attribute list>
132 A specific value of an attribute is selected by using a single
133 attribute name and also using a value selector:
135 > attrs=<attribute> val[.<style>]=<regex>
137 There are two special {{pseudo}} attributes {{EX:entry}} and
138 {{EX:children}}. To read (and hence return) a target entry, the
139 subject must have {{EX:read}} access to the target's {{entry}}
140 attribute. To perform a search, the subject must have
141 {{EX:search}} access to the search base's {{entry}} attribute.
142 To add or delete an entry, the subject must have
143 {{EX:write}} access to the entry's {{EX:entry}} attribute AND must
144 have {{EX:write}} access to the entry's parent's {{EX:children}}
145 attribute. To rename an entry, the subject must have {{EX:write}}
146 access to entry's {{EX:entry}} attribute AND have {{EX:write}}
147 access to both the old parent's and new parent's {{EX:children}}
148 attributes. The complete examples at the end of this section should
149 help clear things up.
151 Lastly, there is a special entry selector {{EX:"*"}} that is used to
152 select any entry. It is used when no other {{EX:<what>}}
153 selector has been provided. It's equivalent to "{{EX:dn=.*}}"
156 H3: Who to grant access to
158 The <who> part identifies the entity or entities being granted
159 access. Note that access is granted to "entities" not "entries."
160 The following table summarizes entity specifiers:
162 !block table; align=Center; coltags="EX,N"; \
163 title="Table 6.3: Access Entity Specifiers"
165 *|All, including anonymous and authenticated users
166 anonymous|Anonymous (non-authenticated) users
167 users|Authenticated users
168 self|User associated with target entry
169 dn[.<basic-style>]=<regex>|Users matching a regular expression
170 dn.<scope-style>=<DN>|Users within scope of a DN
173 The DN specifier behaves much like <what> clause DN specifiers.
175 Other control factors are also supported. For example, a {{EX:<who>}}
176 can be restricted by an entry listed in a DN-valued attribute in
177 the entry to which the access applies:
179 > dnattr=<dn-valued attribute name>
181 The dnattr specification is used to give access to an entry
182 whose DN is listed in an attribute of the entry (e.g., give
183 access to a group entry to whoever is listed as the owner of
186 Some factors may not be appropriate in all environments (or any).
187 For example, the domain factor relies on IP to domain name lookups.
188 As these can easily be spoofed, the domain factor should be avoided.
191 H3: The access to grant
193 The kind of <access> granted can be one of the following:
195 !block table; colaligns="LRL"; coltags="EX,EX,N"; align=Center; \
196 title="Table 6.4: Access Levels"
197 Level Privileges Description
199 disclose =d needed for information disclosure on error
200 auth =dx needed to authenticate (bind)
201 compare =cdx needed to compare
202 search =scdx needed to apply search filters
203 read =rscdx needed to read search results
204 write =wrscdx needed to modify/rename
205 manage =mwrscdx needed to manage
208 Each level implies all lower levels of access. So, for example,
209 granting someone {{EX:write}} access to an entry also grants them
210 {{EX:read}}, {{EX:search}}, {{EX:compare}}, {{EX:auth}} and
211 {{EX:disclose}} access. However, one may use the privileges specifier
212 to grant specific permissions.
215 H3: Access Control Evaluation
217 When evaluating whether some requester should be given access to
218 an entry and/or attribute, slapd compares the entry and/or attribute
219 to the {{EX:<what>}} selectors given in the configuration file.
220 For each entry, access controls provided in the database which holds
221 the entry (or the first database if not held in any database) apply
222 first, followed by the global access directives. Within this
223 priority, access directives are examined in the order in which they
224 appear in the config file. Slapd stops with the first {{EX:<what>}}
225 selector that matches the entry and/or attribute. The corresponding
226 access directive is the one slapd will use to evaluate access.
228 Next, slapd compares the entity requesting access to the {{EX:<who>}}
229 selectors within the access directive selected above in the order
230 in which they appear. It stops with the first {{EX:<who>}} selector
231 that matches the requester. This determines the access the entity
232 requesting access has to the entry and/or attribute.
234 Finally, slapd compares the access granted in the selected
235 {{EX:<access>}} clause to the access requested by the client. If
236 it allows greater or equal access, access is granted. Otherwise,
239 The order of evaluation of access directives makes their placement
240 in the configuration file important. If one access directive is
241 more specific than another in terms of the entries it selects, it
242 should appear first in the config file. Similarly, if one {{EX:<who>}}
243 selector is more specific than another it should come first in the
244 access directive. The access control examples given below should
245 help make this clear.
249 H3: Access Control Examples
251 The access control facility described above is quite powerful. This
252 section shows some examples of its use for descriptive purposes.
256 > access to * by * read
258 This access directive grants read access to everyone.
265 This directive allows the user to modify their entry, allows anonymous
266 to authentication against these entries, and allows all others to
267 read these entries. Note that only the first {{EX:by <who>}} clause
268 which matches applies. Hence, the anonymous users are granted
269 {{EX:auth}}, not {{EX:read}}. The last clause could just as well
270 have been "{{EX:by users read}}".
272 It is often desirable to restrict operations based upon the level
273 of protection in place. The following shows how security strength
274 factors (SSF) can be used.
277 > by ssf=128 self write
278 > by ssf=64 anonymous auth
279 > by ssf=64 users read
281 This directive allows users to modify their own entries if security
282 protections have of strength 128 or better have been established,
283 allows authentication access to anonymous users, and read access
284 when 64 or better security protections have been established. If
285 client has not establish sufficient security protections, the
286 implicit {{EX:by * none}} clause would be applied.
288 The following example shows the use of a style specifiers to select
289 the entries by DN in two access directives where ordering is
292 > access to dn.children="dc=example,dc=com"
294 > access to dn.children="dc=com"
297 Read access is granted to entries under the {{EX:dc=com}} subtree,
298 except for those entries under the {{EX:dc=example,dc=com}} subtree,
299 to which search access is granted. No access is granted to
300 {{EX:dc=com}} as neither access directive matches this DN. If the
301 order of these access directives was reversed, the trailing directive
302 would never be reached, since all entries under {{EX:dc=example,dc=com}}
303 are also under {{EX:dc=com}} entries.
305 Also note that if no {{EX:access to}} directive matches or no {{EX:by
306 <who>}} clause, {{B:access is denied}}. That is, every {{EX:access
307 to}} directive ends with an implicit {{EX:by * none}} clause and
308 every access list ends with an implicit {{EX:access to * by * none}}
311 The next example again shows the importance of ordering, both of
312 the access directives and the {{EX:by <who>}} clauses. It also
313 shows the use of an attribute selector to grant access to a specific
314 attribute and various {{EX:<who>}} selectors.
316 > access to dn.subtree="dc=example,dc=com" attrs=homePhone
318 > by dn.children="dc=example,dc=com" search
319 > by peername.regex=IP:10\..+ read
320 > access to dn.subtree="dc=example,dc=com"
322 > by dn.children="dc=example,dc=com" search
325 This example applies to entries in the "{{EX:dc=example,dc=com}}"
326 subtree. To all attributes except {{EX:homePhone}}, an entry can
327 write to itself, entries under {{EX:example.com}} entries can search
328 by them, anybody else has no access (implicit {{EX:by * none}})
329 excepting for authentication/authorization (which is always done
330 anonymously). The {{EX:homePhone}} attribute is writable by the
331 entry, searchable by entries under {{EX:example.com}}, readable by
332 clients connecting from network 10, and otherwise not readable
333 (implicit {{EX:by * none}}). All other access is denied by the
334 implicit {{EX:access to * by * none}}.
336 Sometimes it is useful to permit a particular DN to add or
337 remove itself from an attribute. For example, if you would like to
338 create a group and allow people to add and remove only
339 their own DN from the member attribute, you could accomplish
340 it with an access directive like this:
342 > access to attrs=member,entry
343 > by dnattr=member selfwrite
345 The dnattr {{EX:<who>}} selector says that the access applies to
346 entries listed in the {{EX:member}} attribute. The {{EX:selfwrite}} access
347 selector says that such members can only add or delete their
348 own DN from the attribute, not other values. The addition of
349 the entry attribute is required because access to the entry is
350 required to access any of the entry's attributes.
353 For more details on how to use the {{EX:access}} directive,
354 consult the {{Advanced Access Control}} chapter.
358 H3: Configuration File Example
360 The following is an example configuration file, interspersed
361 with explanatory text. It defines two databases to handle
362 different parts of the {{TERM:X.500}} tree; both are {{TERM:BDB}}
363 database instances. The line numbers shown are provided for
364 reference only and are not included in the actual file. First, the
365 global configuration section:
367 E: 1. # example config file - global configuration section
368 E: 2. include /usr/local/etc/schema/core.schema
369 E: 3. referral ldap://root.openldap.org
370 E: 4. access to * by * read
372 Line 1 is a comment. Line 2 includes another config file
373 which contains {{core}} schema definitions.
374 The {{EX:referral}} directive on line 3
375 means that queries not local to one of the databases defined
376 below will be referred to the LDAP server running on the
377 standard port (389) at the host {{EX:root.openldap.org}}.
379 Line 4 is a global access control. It applies to all
380 entries (after any applicable database-specific access
383 The next section of the configuration file defines a BDB
384 backend that will handle queries for things in the
385 "dc=example,dc=com" portion of the tree. The
386 database is to be replicated to two slave slapds, one on
387 truelies, the other on judgmentday. Indices are to be
388 maintained for several attributes, and the {{EX:userPassword}}
389 attribute is to be protected from unauthorized access.
391 E: 5. # BDB definition for the example.com
393 E: 7. suffix "dc=example,dc=com"
394 E: 8. directory /usr/local/var/openldap-data
395 E: 9. rootdn "cn=Manager,dc=example,dc=com"
397 E: 11. # indexed attribute definitions
398 E: 12. index uid pres,eq
399 E: 13. index cn,sn,uid pres,eq,approx,sub
400 E: 14. index objectClass eq
401 E: 15. # database access control definitions
402 E: 16. access to attrs=userPassword
404 E: 18. by anonymous auth
405 E: 19. by dn.base="cn=Admin,dc=example,dc=com" write
409 E: 23. by dn.base="cn=Admin,dc=example,dc=com" write
412 Line 5 is a comment. The start of the database definition is marked
413 by the database keyword on line 6. Line 7 specifies the DN suffix
414 for queries to pass to this database. Line 8 specifies the directory
415 in which the database files will live.
417 Lines 9 and 10 identify the database {{super-user}} entry and associated
418 password. This entry is not subject to access control or size or
419 time limit restrictions.
421 Lines 12 through 14 indicate the indices to maintain for various
424 Lines 16 through 24 specify access control for entries in this
425 database. As this is the first database, the controls also apply
426 to entries not held in any database (such as the Root DSE). For
427 all applicable entries, the {{EX:userPassword}} attribute is writable
428 by the entry itself and by the "admin" entry. It may be used for
429 authentication/authorization purposes, but is otherwise not readable.
430 All other attributes are writable by the entry and the "admin"
431 entry, but may be read by all users (authenticated or not).
433 The next section of the example configuration file defines another
434 BDB database. This one handles queries involving the
435 {{EX:dc=example,dc=net}} subtree but is managed by the same entity
436 as the first database. Note that without line 39, the read access
437 would be allowed due to the global access rule at line 4.
439 E: 33. # BDB definition for example.net
441 E: 35. suffix "dc=example,dc=net"
442 E: 36. directory /usr/local/var/openldap-data-net
443 E: 37. rootdn "cn=Manager,dc=example,dc=com"
444 E: 38. index objectClass eq
445 E: 39. access to * by users read
447 H2: Access Control via Dynamic Configuration
449 Access to slapd entries and attributes is controlled by the
450 olcAccess attribute, whose values are a sequence of access directives.
451 The general form of the olcAccess configuration is:
453 > olcAccess: <access directive>
454 > <access directive> ::= to <what>
455 > [by <who> [<access>] [<control>] ]+
457 > [dn[.<basic-style>]=<regex> | dn.<scope-style>=<DN>]
458 > [filter=<ldapfilter>] [attrs=<attrlist>]
459 > <basic-style> ::= regex | exact
460 > <scope-style> ::= base | one | subtree | children
461 > <attrlist> ::= <attr> [val[.<basic-style>]=<regex>] | <attr> , <attrlist>
462 > <attr> ::= <attrname> | entry | children
463 > <who> ::= * | [anonymous | users | self
464 > | dn[.<basic-style>]=<regex> | dn.<scope-style>=<DN>]
465 > [dnattr=<attrname>]
466 > [group[/<objectclass>[/<attrname>][.<basic-style>]]=<regex>]
467 > [peername[.<basic-style>]=<regex>]
468 > [sockname[.<basic-style>]=<regex>]
469 > [domain[.<basic-style>]=<regex>]
470 > [sockurl[.<basic-style>]=<regex>]
473 > <access> ::= [self]{<level>|<priv>}
474 > <level> ::= none | disclose | auth | compare | search | read | write | manage
475 > <priv> ::= {=|+|-}{m|w|r|s|c|x|d|0}+
476 > <control> ::= [stop | continue | break]
478 where the <what> part selects the entries and/or attributes to which
479 the access applies, the {{EX:<who>}} part specifies which entities
480 are granted access, and the {{EX:<access>}} part specifies the
481 access granted. Multiple {{EX:<who> <access> <control>}} triplets
482 are supported, allowing many entities to be granted different access
483 to the same set of entries and attributes. Not all of these access
484 control options are described here; for more details see the
485 {{slapd.access}}(5) man page.
488 H3: What to control access to
490 The <what> part of an access specification determines the entries
491 and attributes to which the access control applies. Entries are
492 commonly selected in two ways: by DN and by filter. The following
493 qualifiers select entries by DN:
496 > to dn[.<basic-style>]=<regex>
497 > to dn.<scope-style>=<DN>
499 The first form is used to select all entries. The second form may
500 be used to select entries by matching a regular expression against
501 the target entry's {{normalized DN}}. (The second form is not
502 discussed further in this document.) The third form is used to
503 select entries which are within the requested scope of DN. The
504 <DN> is a string representation of the Distinguished Name, as
505 described in {{REF:RFC4514}}.
507 The scope can be either {{EX:base}}, {{EX:one}}, {{EX:subtree}},
508 or {{EX:children}}. Where {{EX:base}} matches only the entry with
509 provided DN, {{EX:one}} matches the entries whose parent is the
510 provided DN, {{EX:subtree}} matches all entries in the subtree whose
511 root is the provided DN, and {{EX:children}} matches all entries
512 under the DN (but not the entry named by the DN).
514 For example, if the directory contained entries named:
517 > 1: cn=Manager,o=suffix
518 > 2: ou=people,o=suffix
519 > 3: uid=kdz,ou=people,o=suffix
520 > 4: cn=addresses,uid=kdz,ou=people,o=suffix
521 > 5: uid=hyc,ou=people,o=suffix
524 . {{EX:dn.base="ou=people,o=suffix"}} match 2;
525 . {{EX:dn.one="ou=people,o=suffix"}} match 3, and 5;
526 . {{EX:dn.subtree="ou=people,o=suffix"}} match 2, 3, 4, and 5; and
527 . {{EX:dn.children="ou=people,o=suffix"}} match 3, 4, and 5.
530 Entries may also be selected using a filter:
532 > to filter=<ldap filter>
534 where <ldap filter> is a string representation of an LDAP
535 search filter, as described in {{REF:RFC4515}}. For example:
537 > to filter=(objectClass=person)
539 Note that entries may be selected by both DN and filter by
540 including both qualifiers in the <what> clause.
542 > to dn.one="ou=people,o=suffix" filter=(objectClass=person)
544 Attributes within an entry are selected by including a comma-separated
545 list of attribute names in the <what> selector:
547 > attrs=<attribute list>
549 A specific value of an attribute is selected by using a single
550 attribute name and also using a value selector:
552 > attrs=<attribute> val[.<style>]=<regex>
554 There are two special {{pseudo}} attributes {{EX:entry}} and
555 {{EX:children}}. To read (and hence return) a target entry, the
556 subject must have {{EX:read}} access to the target's {{entry}}
557 attribute. To perform a search, the subject must have
558 {{EX:search}} access to the search base's {{entry}} attribute.
559 To add or delete an entry, the subject must have
560 {{EX:write}} access to the entry's {{EX:entry}} attribute AND must
561 have {{EX:write}} access to the entry's parent's {{EX:children}}
562 attribute. To rename an entry, the subject must have {{EX:write}}
563 access to entry's {{EX:entry}} attribute AND have {{EX:write}}
564 access to both the old parent's and new parent's {{EX:children}}
565 attributes. The complete examples at the end of this section should
566 help clear things up.
568 Lastly, there is a special entry selector {{EX:"*"}} that is used to
569 select any entry. It is used when no other {{EX:<what>}}
570 selector has been provided. It's equivalent to "{{EX:dn=.*}}"
573 H3: Who to grant access to
575 The <who> part identifies the entity or entities being granted
576 access. Note that access is granted to "entities" not "entries."
577 The following table summarizes entity specifiers:
579 !block table; align=Center; coltags="EX,N"; \
580 title="Table 5.3: Access Entity Specifiers"
582 *|All, including anonymous and authenticated users
583 anonymous|Anonymous (non-authenticated) users
584 users|Authenticated users
585 self|User associated with target entry
586 dn[.<basic-style>]=<regex>|Users matching a regular expression
587 dn.<scope-style>=<DN>|Users within scope of a DN
590 The DN specifier behaves much like <what> clause DN specifiers.
592 Other control factors are also supported. For example, a {{EX:<who>}}
593 can be restricted by an entry listed in a DN-valued attribute in
594 the entry to which the access applies:
596 > dnattr=<dn-valued attribute name>
598 The dnattr specification is used to give access to an entry
599 whose DN is listed in an attribute of the entry (e.g., give
600 access to a group entry to whoever is listed as the owner of
603 Some factors may not be appropriate in all environments (or any).
604 For example, the domain factor relies on IP to domain name lookups.
605 As these can easily be spoofed, the domain factor should be avoided.
608 H3: The access to grant
610 The kind of <access> granted can be one of the following:
612 !block table; colaligns="LRL"; coltags="EX,EX,N"; align=Center; \
613 title="Table 5.4: Access Levels"
614 Level Privileges Description
616 disclose =d needed for information disclosure on error
617 auth =dx needed to authenticate (bind)
618 compare =cdx needed to compare
619 search =scdx needed to apply search filters
620 read =rscdx needed to read search results
621 write =wrscdx needed to modify/rename
622 manage =mwrscdx needed to manage
625 Each level implies all lower levels of access. So, for example,
626 granting someone {{EX:write}} access to an entry also grants them
627 {{EX:read}}, {{EX:search}}, {{EX:compare}}, {{EX:auth}} and
628 {{EX:disclose}} access. However, one may use the privileges specifier
629 to grant specific permissions.
632 H3: Access Control Evaluation
634 When evaluating whether some requester should be given access to
635 an entry and/or attribute, slapd compares the entry and/or attribute
636 to the {{EX:<what>}} selectors given in the configuration. For
637 each entry, access controls provided in the database which holds
638 the entry (or the first database if not held in any database) apply
639 first, followed by the global access directives (which are held in
640 the {{EX:frontend}} database definition). Within this priority,
641 access directives are examined in the order in which they appear
642 in the configuration attribute. Slapd stops with the first
643 {{EX:<what>}} selector that matches the entry and/or attribute. The
644 corresponding access directive is the one slapd will use to evaluate
647 Next, slapd compares the entity requesting access to the {{EX:<who>}}
648 selectors within the access directive selected above in the order
649 in which they appear. It stops with the first {{EX:<who>}} selector
650 that matches the requester. This determines the access the entity
651 requesting access has to the entry and/or attribute.
653 Finally, slapd compares the access granted in the selected
654 {{EX:<access>}} clause to the access requested by the client. If
655 it allows greater or equal access, access is granted. Otherwise,
658 The order of evaluation of access directives makes their placement
659 in the configuration file important. If one access directive is
660 more specific than another in terms of the entries it selects, it
661 should appear first in the configuration. Similarly, if one {{EX:<who>}}
662 selector is more specific than another it should come first in the
663 access directive. The access control examples given below should
664 help make this clear.
668 H3: Access Control Examples
670 The access control facility described above is quite powerful. This
671 section shows some examples of its use for descriptive purposes.
675 > olcAccess: to * by * read
677 This access directive grants read access to everyone.
684 This directive allows the user to modify their entry, allows anonymous
685 to authenticate against these entries, and allows all others to
686 read these entries. Note that only the first {{EX:by <who>}} clause
687 which matches applies. Hence, the anonymous users are granted
688 {{EX:auth}}, not {{EX:read}}. The last clause could just as well
689 have been "{{EX:by users read}}".
691 It is often desirable to restrict operations based upon the level
692 of protection in place. The following shows how security strength
693 factors (SSF) can be used.
696 > by ssf=128 self write
697 > by ssf=64 anonymous auth
698 > by ssf=64 users read
700 This directive allows users to modify their own entries if security
701 protections of strength 128 or better have been established,
702 allows authentication access to anonymous users, and read access
703 when strength 64 or better security protections have been established. If
704 the client has not establish sufficient security protections, the
705 implicit {{EX:by * none}} clause would be applied.
707 The following example shows the use of style specifiers to select
708 the entries by DN in two access directives where ordering is
711 > olcAccess: to dn.children="dc=example,dc=com"
713 > olcAccess: to dn.children="dc=com"
716 Read access is granted to entries under the {{EX:dc=com}} subtree,
717 except for those entries under the {{EX:dc=example,dc=com}} subtree,
718 to which search access is granted. No access is granted to
719 {{EX:dc=com}} as neither access directive matches this DN. If the
720 order of these access directives was reversed, the trailing directive
721 would never be reached, since all entries under {{EX:dc=example,dc=com}}
722 are also under {{EX:dc=com}} entries.
724 Also note that if no {{EX:olcAccess: to}} directive matches or no {{EX:by
725 <who>}} clause, {{B:access is denied}}. That is, every {{EX:olcAccess:
726 to}} directive ends with an implicit {{EX:by * none}} clause and
727 every access list ends with an implicit {{EX:olcAccess: to * by * none}}
730 The next example again shows the importance of ordering, both of
731 the access directives and the {{EX:by <who>}} clauses. It also
732 shows the use of an attribute selector to grant access to a specific
733 attribute and various {{EX:<who>}} selectors.
735 > olcAccess: to dn.subtree="dc=example,dc=com" attrs=homePhone
737 > by dn.children=dc=example,dc=com" search
738 > by peername.regex=IP:10\..+ read
739 > olcAccess: to dn.subtree="dc=example,dc=com"
741 > by dn.children="dc=example,dc=com" search
744 This example applies to entries in the "{{EX:dc=example,dc=com}}"
745 subtree. To all attributes except {{EX:homePhone}}, an entry can
746 write to itself, entries under {{EX:example.com}} entries can search
747 by them, anybody else has no access (implicit {{EX:by * none}})
748 excepting for authentication/authorization (which is always done
749 anonymously). The {{EX:homePhone}} attribute is writable by the
750 entry, searchable by entries under {{EX:example.com}}, readable by
751 clients connecting from network 10, and otherwise not readable
752 (implicit {{EX:by * none}}). All other access is denied by the
753 implicit {{EX:access to * by * none}}.
755 Sometimes it is useful to permit a particular DN to add or
756 remove itself from an attribute. For example, if you would like to
757 create a group and allow people to add and remove only
758 their own DN from the member attribute, you could accomplish
759 it with an access directive like this:
761 > olcAccess: to attrs=member,entry
762 > by dnattr=member selfwrite
764 The dnattr {{EX:<who>}} selector says that the access applies to
765 entries listed in the {{EX:member}} attribute. The {{EX:selfwrite}} access
766 selector says that such members can only add or delete their
767 own DN from the attribute, not other values. The addition of
768 the entry attribute is required because access to the entry is
769 required to access any of the entry's attributes.
773 H3: Access Control Ordering
775 Since the ordering of {{EX:olcAccess}} directives is essential to their
776 proper evaluation, but LDAP attributes normally do not preserve the
777 ordering of their values, OpenLDAP uses a custom schema extension to
778 maintain a fixed ordering of these values. This ordering is maintained
779 by prepending a {{EX:"{X}"}} numeric index to each value, similarly to
780 the approach used for ordering the configuration entries. These index
781 tags are maintained automatically by slapd and do not need to be specified
782 when originally defining the values. For example, when you create the
785 > olcAccess: to attrs=member,entry
786 > by dnattr=member selfwrite
787 > olcAccess: to dn.children="dc=example,dc=com"
789 > olcAccess: to dn.children="dc=com"
792 when you read them back using slapcat or ldapsearch they will contain
794 > olcAccess: {0}to attrs=member,entry
795 > by dnattr=member selfwrite
796 > olcAccess: {1}to dn.children="dc=example,dc=com"
798 > olcAccess: {2}to dn.children="dc=com"
801 The numeric index may be used to specify a particular value to change
802 when using ldapmodify to edit the access rules. This index can be used
803 instead of (or in addition to) the actual access value. Using this
804 numeric index is very helpful when multiple access rules are being managed.
806 For example, if we needed to change the second rule above to grant
807 write access instead of search, we could try this LDIF:
811 > olcAccess: to dn.children="dc=example,dc=com" by * search
814 > olcAccess: to dn.children="dc=example,dc=com" by * write
817 But this example {{B:will not}} guarantee that the existing values remain in
818 their original order, so it will most likely yield a broken security
819 configuration. Instead, the numeric index should be used:
826 > olcAccess: {1}to dn.children="dc=example,dc=com" by * write
829 This example deletes whatever rule is in value #1 of the {{EX:olcAccess}}
830 attribute (regardless of its value) and adds a new value that is
831 explicitly inserted as value #1. The result will be
833 > olcAccess: {0}to attrs=member,entry
834 > by dnattr=member selfwrite
835 > olcAccess: {1}to dn.children="dc=example,dc=com"
837 > olcAccess: {2}to dn.children="dc=com"
840 which is exactly what was intended.
843 For more details on how to use the {{EX:access}} directive,
844 consult the {{Advanced Access Control}} chapter.
848 H3: Configuration Example
850 The following is an example configuration, interspersed
851 with explanatory text. It defines two databases to handle
852 different parts of the {{TERM:X.500}} tree; both are {{TERM:BDB}}
853 database instances. The line numbers shown are provided for
854 reference only and are not included in the actual file. First, the
855 global configuration section:
857 E: 1. # example config file - global configuration entry
859 E: 3. objectClass: olcGlobal
861 E: 5. olcReferral: ldap://root.openldap.org
864 Line 1 is a comment. Lines 2-4 identify this as the global
866 The {{EX:olcReferral:}} directive on line 5
867 means that queries not local to one of the databases defined
868 below will be referred to the LDAP server running on the
869 standard port (389) at the host {{EX:root.openldap.org}}.
870 Line 6 is a blank line, indicating the end of this entry.
872 E: 7. # internal schema
873 E: 8. dn: cn=schema,cn=config
874 E: 9. objectClass: olcSchemaConfig
878 Line 7 is a comment. Lines 8-10 identify this as the root of
879 the schema subtree. The actual schema definitions in this entry
880 are hardcoded into slapd so no additional attributes are specified here.
881 Line 11 is a blank line, indicating the end of this entry.
883 E: 12. # include the core schema
884 E: 13. include: file:///usr/local/etc/openldap/schema/core.ldif
887 Line 12 is a comment. Line 13 is an LDIF include directive which
888 accesses the {{core}} schema definitions in LDIF format. Line 14
891 Next comes the database definitions. The first database is the
892 special {{EX:frontend}} database whose settings are applied globally
893 to all the other databases.
895 E: 15. # global database parameters
896 E: 16. dn: olcDatabase=frontend,cn=config
897 E: 17. objectClass: olcDatabaseConfig
898 E: 18. olcDatabase: frontend
899 E: 19. olcAccess: to * by * read
902 Line 15 is a comment. Lines 16-18 identify this entry as the global
903 database entry. Line 19 is a global access control. It applies to all
904 entries (after any applicable database-specific access controls).
906 The next entry defines a BDB backend that will handle queries for things
907 in the "dc=example,dc=com" portion of the tree. Indices are to be maintained
908 for several attributes, and the {{EX:userPassword}} attribute is to be
909 protected from unauthorized access.
911 E: 21. # BDB definition for example.com
912 E: 22. dn: olcDatabase=bdb,cn=config
913 E: 23. objectClass: olcDatabaseConfig
914 E: 24. objectClass: olcBdbConfig
915 E: 25. olcDatabase: bdb
916 E: 26. olcSuffix: "dc=example,dc=com"
917 E: 27. olcDbDirectory: /usr/local/var/openldap-data
918 E: 28. olcRootDN: "cn=Manager,dc=example,dc=com"
919 E: 29. olcRootPW: secret
920 E: 30. olcDbIndex: uid pres,eq
921 E: 31. olcDbIndex: cn,sn,uid pres,eq,approx,sub
922 E: 32. olcDbIndex: objectClass eq
923 E: 33. olcAccess: to attrs=userPassword
925 E: 35. by anonymous auth
926 E: 36. by dn.base="cn=Admin,dc=example,dc=com" write
928 E: 38. olcAccess: to *
930 E: 40. by dn.base="cn=Admin,dc=example,dc=com" write
934 Line 21 is a comment. Lines 22-25 identify this entry as a BDB database
935 configuration entry. Line 26 specifies the DN suffix
936 for queries to pass to this database. Line 27 specifies the directory
937 in which the database files will live.
939 Lines 28 and 29 identify the database {{super-user}} entry and associated
940 password. This entry is not subject to access control or size or
941 time limit restrictions.
943 Lines 30 through 32 indicate the indices to maintain for various
946 Lines 33 through 41 specify access control for entries in this
947 database. As this is the first database, the controls also apply
948 to entries not held in any database (such as the Root DSE). For
949 all applicable entries, the {{EX:userPassword}} attribute is writable
950 by the entry itself and by the "admin" entry. It may be used for
951 authentication/authorization purposes, but is otherwise not readable.
952 All other attributes are writable by the entry and the "admin"
953 entry, but may be read by all users (authenticated or not).
955 Line 42 is a blank line, indicating the end of this entry.
957 The next section of the example configuration file defines another
958 BDB database. This one handles queries involving the
959 {{EX:dc=example,dc=net}} subtree but is managed by the same entity
960 as the first database. Note that without line 52, the read access
961 would be allowed due to the global access rule at line 19.
963 E: 43. # BDB definition for example.net
964 E: 44. dn: olcDatabase=bdb,cn=config
965 E: 45. objectClass: olcDatabaseConfig
966 E: 46. objectClass: olcBdbConfig
967 E: 47. olcDatabase: bdb
968 E: 48. olcSuffix: "dc=example,dc=net"
969 E: 49. olcDbDirectory: /usr/local/var/openldap-data-net
970 E: 50. olcRootDN: "cn=Manager,dc=example,dc=com"
971 E: 51. olcDbIndex: objectClass eq
972 E: 52. olcAccess: to * by users read
975 H3: Converting from {{slapd.conf}}(5) to a {{B:cn=config}} directory format
977 Discuss slap* -f slapd.conf -F slapd.d/ (man slapd-config)
980 H2: Access Control Common Examples
984 Generally one should start with some basic ACLs such as:
986 > access to attr=userPassword
997 The first ACL allows users to update (but not read) their passwords, anonymous
998 users to authenticate against this attribute, and (implicitly) denying all
1001 The second ACL allows users full access to their entry, authenticated users read
1002 access to anything, and (implicitly) denying all access to others (in this case,
1006 H3: Matching Anonymous and Authenticated users
1008 An anonymous user has a empty DN. While the {{dn.exact=""}} or {{dn.regex="^$"}}
1009 could be used, {{slapd}}(8)) offers an anonymous shorthand which should be
1016 denies all access to anonymous users while granting others read.
1018 Authenticated users have a subject DN. While {{dn.regex=".+"}} will match any
1019 authenticated user, OpenLDAP provides the users short hand which should be used
1026 This ACL grants read permissions to authenticated users while denying others
1027 (i.e.: anonymous users).
1030 H3: Controlling rootdn access
1032 You could specify the {{rootdn}} in {{slapd.conf}}(5) or {[slapd.d}} without
1033 specifying a {{rootpw}}. Then you have to add an actual directory entry with
1036 > dn: cn=Manager,o=MyOrganization
1039 > objectClass: person
1041 > userPassword: {SSHA}someSSHAdata
1043 Then binding as the {{rootdn}} will require a regular bind to that DN, which
1044 in turn requires auth access to that entry's DN and {{userPassword}}, and this
1045 can be restricted via ACLs. E.g.:
1047 > access to dn.base="cn=Manager,o=MyOrganization"
1048 > by peername.regex=127\.0\.0\.1 auth
1049 > by peername.regex=192\.168\.0\..* auth
1053 The ACLs above will only allow binding using rootdn from localhost and
1057 H3: Managing access with Groups
1059 There are a few ways to do this. One approach is illustrated here. Consider the
1060 following DIT layout:
1062 > +-dc=example,dc=com
1063 > +---cn=administrators,dc=example,dc=com
1064 > +---cn=fred blogs,dc=example,dc=com
1066 and the following group object (in LDIF format):
1068 > dn: cn=administrators,dc=example,dc=com
1069 > cn: administrators of this region
1070 > objectclass: groupOfNames (important for the group acl feature)
1071 > member: cn=fred blogs,dc=example,dc=com
1072 > member: cn=somebody else,dc=example,dc=com
1074 One can then grant access to the members of this this group by adding appropriate
1075 {{by group}} clause to an access directive in {{slapd.conf}}(5). For instance,
1077 > access to dn.children="dc=example,dc=com"
1079 > by group.exact="cn=Administrators,dc=example,dc=com" write
1082 Like by {[dn}} clauses, one can also use {{expand}} to expand the group name
1083 based upon the regular expression matching of the target, that is, the to {{dn.regex}}).
1086 > access to dn.regex="(.+,)?ou=People,(dc=[^,]+,dc=[^,]+)$"
1087 > attrs=children,entry,uid
1088 > by group.expand="cn=Managers,$2" write
1093 The above illustration assumed that the group members are to be found in the
1094 {{member}} attribute type of the {{groupOfNames}} object class. If you need to
1095 use a different group object and/or a different attribute type then use the
1096 following {{slapd.conf}}(5) (abbreviated) syntax:
1099 > by group/<objectclass>/<attributename>=<DN> <access>
1104 > by group/organizationalRole/roleOccupant="cn=Administrator,dc=example,dc=com" write
1106 In this case, we have an ObjectClass {{organizationalRole}} which contains the
1107 administrator DN's in the {{roleOccupant}} attribute. For instance:
1109 > dn: cn=Administrator,dc=example,dc=com
1111 > objectclass: organizationalRole
1112 > roleOccupant: cn=Jane Doe,dc=example,dc=com
1114 Note: the specified member attribute type MUST be of DN or {{NameAndOptionalUID}} syntax,
1115 and the specified object class SHOULD allow the attribute type.
1117 Dynamic Groups are also supported in Access Control. Please see {{slapo-dynlist}}(5)
1118 and the {{SECT:Dynamic Lists}} overlay section.
1121 H3: Granting access to a subset of attributes
1123 You can grant access to a set of attributes by specifying a list of attribute names
1124 in the ACL {{to}} clause. To be useful, you also need to grant access to the
1125 {{entry}} itself. Also note how {{children}} controls the ability to add, delete,
1128 > # mail: self may write, authenticated users may read
1129 > access to attrs=mail
1134 > # cn, sn: self my write, all may read
1135 > access to attrs=cn,sn
1139 > # immediate children: only self can add/delete entries under this entry
1140 > access to attrs=children
1143 > # entry itself: self may write, all may read
1144 > access to attrs=entry
1148 > # other attributes: self may write, others have no access
1153 ObjectClass names may also be specified in this list, which will affect
1154 all the attributes that are required and/or allowed by that {{objectClass}}.
1155 Actually, names in {{attrlist}} that are prefixed by {{@}} are directly treated
1156 as objectClass names. A name prefixed by {{!}} is also treated as an objectClass,
1157 but in this case the access rule affects the attributes that are not required
1158 nor allowed by that {{objectClass}}.
1161 H3: Allowing a user write to all entries below theirs
1163 For a setup where a user can write to its own record and to all of its children:
1165 > access to dn.regex="(.+,)?(uid=[^,]+,o=Company)$"
1166 > by dn.exact,expand="$2" write
1169 (Add more examples for above)
1172 H3: Allowing entry creation
1174 Let's say, you have it like this:
1178 > associatedDomain=<somedomain>
1181 > uid=<someotheruserid>
1187 and, for another domain <someotherdomain>:
1191 > associatedDomain=<someotherdomain>
1194 > uid=<someotheruserid>
1196 > uid=<someotheruserid>
1200 then, if you wanted user {{uid=<someuserid>}} to {{B:ONLY}} create an entry
1201 for its own thing, you could write an ACL like this:
1203 > # this rule lets users of "associatedDomain=<matcheddomain>"
1204 > # write under "ou=addressbook,associatedDomain=<matcheddomain>,ou=domains,o=<basedn>",
1205 > # i.e. a user can write ANY entry below its domain's address book;
1206 > # this permission is necessary, but not sufficient, the next
1207 > # will restrict this permission further
1210 > access to dn.regex="^ou=addressbook,associatedDomain=([^,]+),ou=domains,o=<basedn>$" attrs=children
1211 > by dn.regex="^uid=([^,]+),ou=users,associatedDomain=$1,ou=domains,o=<basedn>$$" write
1215 > # Note that above the "by" clause needs a "regex" style to make sure
1216 > # it expands to a DN that starts with a "uid=<someuserid>" pattern
1217 > # while substituting the associatedDomain submatch from the "what" clause.
1220 > # This rule lets a user with "uid=<matcheduid>" of "<associatedDomain=matcheddomain>"
1221 > # write (i.e. add, modify, delete) the entry whose DN is exactly
1222 > # "uid=<matcheduid>,ou=addressbook,associatedDomain=<matcheddomain>,ou=domains,o=<basedn>"
1223 > # and ANY entry as subtree of it
1226 > access to dn.regex="^(.+,)?uid=([^,]+),ou=addressbook,associatedDomain=([^,]+),ou=domains,o=<basedn>$"
1227 > by dn.exact,expand="uid=$2,ou=users,associatedDomain=$3,ou=domains,o=<basedn>" write
1231 > # Note that above the "by" clause uses the "exact" style with the "expand"
1232 > # modifier because now the whole pattern can be rebuilt by means of the
1233 > # submatches from the "what" clause, so a "regex" compilation and evaluation
1234 > # is no longer required.
1237 H3: Tips for using regular expressions in Access Control
1239 Always use {{dn.regex=<pattern>}} when you intend to use regular expression
1240 matching. {{dn=<pattern>}} alone defaults to {{dn.exact<pattern>}}.
1242 Use {{(.+)}} instead of {{(.*)}} when you want at least one char to be matched.
1243 {{(.*)}} matches the empty string as well.
1245 Don't use regular expressions for matches that can be done otherwise in a safer
1246 and cheaper manner. Examples:
1248 > dn.regex=".*dc=example,dc=com"
1250 is unsafe and expensive:
1252 * unsafe because any string containing {{dc=example,dc=com }}will match,
1253 not only those that end with the desired pattern; use {{.*dc=example,dc=com$}} instead.
1254 * unsafe also because it would allow any {{attributeType}} ending with {{dc}}
1255 as naming attribute for the first RDN in the string, e.g. a custom attributeType
1256 {{mydc}} would match as well. If you really need a regular expression that allows
1257 just {{dc=example,dc=com}} or any of its subtrees, use {{^(.+,)?dc=example,dc=com$}},
1258 which means: anything to the left of dc=..., if any (the question mark after the
1259 pattern within brackets), must end with a comma;
1260 * expensive because if you don't need submatches, you could use scoping styles, e.g.
1262 > dn.subtree="dc=example,dc=com"
1264 to include {{dc=example,dc=com}} in the matching patterns,
1266 > dn.children="dc=example,dc=com"
1268 to exclude {{dc=example,dc=com}} from the matching patterns, or
1270 > dn.onelevel="dc=example,dc=com"
1272 to allow exactly one sublevel matches only.
1274 Always use {{^}} and {{$}} in regexes, whenever appropriate, because
1275 {{ou=(.+),ou=(.+),ou=addressbooks,o=basedn}} will match
1276 {{something=bla,ou=xxx,ou=yyy,ou=addressbooks,o=basedn,ou=addressbooks,o=basedn,dc=some,dc=org}}
1278 Always use {{([^,]+)}} to indicate exactly one RDN, because {{(.+)}} can
1279 include any number of RDNs; e.g. {{ou=(.+),dc=example,dc=com}} will match
1280 {{ou=My,o=Org,dc=example,dc=com}}, which might not be what you want.
1282 Never add the rootdn to the by clauses. ACLs are not even processed for operations
1283 performed with rootdn identity (otherwise there would be no reason to define a
1286 Use shorthands. The user directive matches authenticated users and the anonymous
1287 directive matches anonymous users.
1289 Don't use the {{dn.regex}} form for <by> clauses if all you need is scoping
1290 and/or substring replacement; use scoping styles (e.g. {{exact}}, {{onelevel}},
1291 {{children}} or {{subtree}}) and the style modifier expand to cause substring expansion.
1295 > access to dn.regex=".+,dc=([^,]+),dc=([^,]+)$"
1296 > by dn.regex="^[^,],ou=Admin,dc=$1,dc=$2$$" write
1298 although correct, can be safely and efficiently replaced by
1300 > access to dn.regex=".+,(dc=[^,]+,dc=[^,]+)$"
1301 > by dn.onelevel,expand="ou=Admin,$1" write
1303 where the regex in the {{<what>}} clause is more compact, and the one in the {{<by>}}
1304 clause is replaced by a much more efficient scoping style of onelevel with substring expansion.
1307 H3: Granting and Denying access based on security strength factors (ssf)
1309 You can restrict access based on the security strength factor (SSF)
1311 > access to dn="cn=example,cn=edu"
1314 0 (zero) implies no protection,
1315 1 implies integrity protection only,
1316 56 DES or other weak ciphers,
1317 112 triple DES and other strong ciphers,
1318 128 RC4, Blowfish and other modern strong ciphers.
1320 Other possibilities:
1328 See {{slapd.conf}}(5) for information on {{ssf}}.
1331 H3: When things aren't working as expected
1333 Consider this example:
1344 You may think this will allow any user to login, to read everything and change
1345 his own data if he is logged in. But in this example only the login works and
1346 an ldapsearch returns no data. The Problem is that SLAPD goes through its access
1347 config line by line and stops as soon as it finds a match in the part of the
1348 access rule.(here: {{to *}})
1350 To get what we wanted the file has to read:
1357 The general rule is: "special access rules first, generic access rules last"
1359 See also {{slapd.access}}(8), loglevel 128 and {{slapacl}}(8) for debugging
1363 H2: Sets - Granting rights based on relationships
1365 Sets are best illustrated via examples. The following sections will present
1366 a few set ACL examples in order to facilitate their understanding.
1368 (Sets in Access Controls FAQ Entry: {{URL:http://www.openldap.org/faq/data/cache/1133.html}})
1370 Note: Sets are considered experimental.
1373 H3: Groups of Groups
1375 The OpenLDAP ACL for groups doesn't expand groups within groups, which are
1376 groups that have another group as a member. For example:
1378 > dn: cn=sudoadm,ou=group,dc=example,dc=com
1380 > objectClass: groupOfNames
1381 > member: uid=john,ou=people,dc=example,dc=com
1382 > member: cn=accountadm,ou=group,dc=example,dc=com
1384 > dn: cn=accountadm,ou=group,dc=example,dc=com
1386 > objectClass: groupOfNames
1387 > member: uid=mary,ou=people,dc=example,dc=com
1389 If we use standard group ACLs with the above entries and allow members of the
1390 {{F:sudoadm}} group to write somewhere, {{F:mary}} won't be included:
1392 > access to dn.subtree="ou=sudoers,dc=example,dc=com"
1393 > by group.exact="cn=sudoadm,ou=group,dc=example,dc=com" write
1396 With sets we can make the ACL be recursive and consider group within groups. So
1397 for each member that is a group, it is further expanded:
1399 > access to dn.subtree="ou=sudoers,dc=example,dc=com"
1400 > by set="[cn=sudoadm,ou=group,dc=example,dc=com]/member* & user" write
1403 This set ACL means: take the {{F:cn=sudoadm}} DN, check its {{F:member}}
1404 attribute(s) (where the "{{F:*}}" means recursively) and intersect the result
1405 with the authenticated user's DN. If the result is non-empty, the ACL is
1406 considered a match and write access is granted.
1408 The following drawing explains how this set is built:
1409 !import "set-recursivegroup.png"; align="center"; title="Building a recursive group"
1410 FT[align="Center"] Figure X.Y: Populating a recursive group set
1412 First we get the {{F:uid=john}} DN. This entry doesn't have a {{F:member}}
1413 attribute, so the expansion stops here. Now we get to {{F:cn=accountadm}}.
1414 This one does have a {{F:member}} attribute, which is {{F:uid=mary}}. The
1415 {{F:uid=mary}} entry, however, doesn't have member, so we stop here again. The
1418 > {"uid=john,ou=people,dc=example,dc=com","uid=mary,ou=people,dc=example,dc=com"} & user
1420 If the authenticated user's DN is any one of those two, write access is
1421 granted. So this set will include {{F:mary}} in the {{F:sudoadm}} group and she
1422 will be allowed the write access.
1424 H3: Group ACLs without DN syntax
1426 The traditional group ACLs, and even the previous example about recursive groups, require
1427 that the members are specified as DNs instead of just usernames.
1429 With sets, however, it's also possible to use simple names in group ACLs, as this example will
1432 Let's say we want to allow members of the {{F:sudoadm}} group to write to the
1433 {{F:ou=suders}} branch of our tree. But our group definition now is using {{F:memberUid}} for
1436 > dn: cn=sudoadm,ou=group,dc=example,dc=com
1438 > objectClass: posixGroup
1442 With this type of group, we can't use group ACLs. But with a set ACL we can
1443 grant the desired access:
1445 > access to dn.subtree="ou=sudoers,dc=example,dc=com"
1446 > by set="[cn=sudoadm,ou=group,dc=example,dc=com]/memberUid & user/uid" write
1449 We use a simple intersection where we compare the {{F:uid}} attribute
1450 of the connecting (and authenticated) user with the {{F:memberUid}} attributes
1451 of the group. If they match, the intersection is non-empty and the ACL will
1454 This drawing illustrates this set when the connecting user is authenticated as
1455 {{F:uid=john,ou=people,dc=example,dc=com}}:
1456 !import "set-memberUid.png"; align="center"; title="Sets with memberUid"
1457 FT[align="Center"] Figure X.Y: Sets with {{F:memberUid}}
1459 In this case, it's a match. If it were {{F:mary}} authenticating, however, she
1460 would be denied write access to {{F:ou=sudoers}} because her {{F:uid}}
1461 attribute is not listed in the group's {{F:memberUid}}.
1463 H3: Following references
1465 We will now show a quite powerful example of what can be done with sets. This
1466 example tends to make OpenLDAP administrators smile after they have understood
1467 it and its implications.
1469 Let's start with an user entry:
1471 > dn: uid=john,ou=people,dc=example,dc=com
1473 > objectClass: inetOrgPerson
1477 > manager: uid=mary,ou=people,dc=example,dc=com
1479 Writing an ACL to allow the manager to update some attributes is quite simple
1482 > access to dn.exact="uid=john,ou=people,dc=example,dc=com"
1483 > attrs=carLicense,homePhone,mobile,pager,telephoneNumber
1485 > by set="this/manager & user" write
1488 In that set, {{F:this}} expands to the entry being accessed, so that
1489 {{F:this/manager}} expands to {{F:uid=mary,ou=people,dc=example,dc=com}} when
1490 john's entry is accessed. If the manager herself is accessing John's entry,
1491 the ACL will match and write access to those attributes will be granted.
1493 So far, this same behavior can be obtained with the {{F:dnattr}} keyword. With
1494 sets, however, we can further enhance this ACL. Let's say we want to allow the
1495 secretary of the manager to also update these attributes. This is how we do it:
1497 > access to dn.exact="uid=john,ou=people,dc=example,dc=com"
1498 > attrs=carLicense,homePhone,mobile,pager,telephoneNumber
1500 > by set="this/manager & user" write
1501 > by set="this/manager/secretary & user" write
1504 Now we need a picture to help explain what is happening here (entries shortened
1507 !import "set-following-references.png"; align="center"; title="Sets jumping through entries"
1508 FT[align="Center"] Figure X.Y: Sets jumping through entries
1510 In this example, Jane is the secretary of Mary, which is the manager of John.
1511 This whole relationship is defined with the {{F:manager}} and {{F:secretary}}
1512 attributes, which are both of the distinguishedName syntax (i.e., full DNs).
1513 So, when the {{F:uid=john}} entry is being accessed, the
1514 {{F:this/manager/secretary}} set becomes
1515 {{F:{"uid=jane,ou=people,dc=example,dc=com"}}} (follow the references in the
1518 > this = [uid=john,ou=people,dc=example,dc=com]
1520 > [uid=john,ou=people,dc=example,dc=com]/manager = uid=mary,ou=people,dc=example,dc=com
1521 > this/manager/secretary = \
1522 > [uid=mary,ou=people,dc=example,dc=com]/secretary = uid=jane,ou=people,dc=example,dc=com
1524 The end result is that when Jane accesses John's entry, she will be granted
1525 write access to the specified attributes. Better yet, this will happen to any
1526 entry she accesses which has Mary as the manager.
1528 This is all cool and nice, but perhaps gives to much power to secretaries. Maybe we need to further
1529 restrict it. For example, let's only allow executive secretaries to have this power:
1531 > access to dn.exact="uid=john,ou=people,dc=example,dc=com"
1532 > attrs=carLicense,homePhone,mobile,pager,telephoneNumber
1534 > by set="this/manager & user" write
1535 > by set="this/manager/secretary &
1536 > [cn=executive,ou=group,dc=example,dc=com]/member* &
1540 It's almost the same ACL as before, but we now also require that the connecting user be a member
1541 of the (possibly nested) {{F:cn=executive}} group.