OpenLDAP Software FAQ: How do I control the structure of the DIT?

When delegating the power to manage directory entries, you may need to control what sort of entries can be created in each part of the DIT. OpenLDAP does not implement DIT Structure Rules (RFC4512 section 4.1.7.1) but a similar effect can be achieved using access control lists.

For example, suppose you want to allow the creation of inetOrgPerson objects under dc=people,dc=example,dc=org without allowing other types. The ACL might look like this:

# Allow users and the delegated admin to change passwords
#
access to attrs="userPassword"
        by dn.exact="uid=admin,dc=people,dc=example,dc=org" =w
        by self =w
        by * auth

# Allow the delegated admin to create entries under dc=people
#
access to dn.exact="dc=people,dc=example,dc=org"
        attrs="children"
        by dn.exact="uid=admin,dc=people,dc=example,dc=org" write
        by * break

# We only want to allow the creation of inetOrgPerson objects
# and we do not want them to have any attributes apart from the
# standard ones for that objectclass
#
access to dn.onelevel="dc=people,dc=example,dc=org"
        filter="(objectClass=inetOrgPerson)"
        attrs="entry,@inetOrgPerson"
        by dn.exact="uid=admin,dc=people,dc=example,dc=org" write
        by * break

# default
access to * by * read

The ACL controls entry creation by only enabling write access to the "entry" pseudo-attribute when the object being created is a member of the objectClass inetOrgPerson.

It controls the attributes that can be added to the entry by only enabling write access to those attributes that are required or permitted by the inetOrgPerson class. This makes it much harder for the delegated admin to create entries that might bypass the security policy.

The ACL cannot completely control the use of auxiliary object classes: if this is important you should add a DIT Content Rule.

There is still a problem with control over new entries: the ACL requires that new entries are of type inetOrgPerson, but it does not prevent them from being members of a subclass, nor does it prevent the use of auxiliary classes. Versions of OpenLDAP before 2.4.13 do not check the individual attributes of entries being added, so it is still possible to create entries that are apparently blocked by the ACL.

For greater control over created entries you should set:

add_content_acl yes

For OpenLDAP 2.4.13+ this enables more detailed control over the attributes of created entries. It is strongly recommended.
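To make the behaviour of the three access rules concrete, here is a small model of them applied to an LDAP Add request. This is an added illustration, not OpenLDAP code: it expands the "@inetOrgPerson" attribute set the way slapd does (MUST and MAY attributes of the class and of every superclass in its chain), applies the rules in order, and shows which of the gaps described above survive. The attribute sets are transcribed from RFC 4519 (top, person, organizationalPerson) and RFC 2798 (inetOrgPerson); the sample entries, the function names and the simplified DN comparison are assumptions made for the example.

```python
"""Model of the FAQ's slapd ACL applied to an LDAP Add request.

Added illustration, not OpenLDAP code. Attribute sets are transcribed from
RFC 4519 and RFC 2798; DN matching is a lower-case comparison, not full
RFC 4517 normalisation (assumption: no escaped commas in DNs).
"""

# "@inetOrgPerson" in an ACL means the MUST and MAY attributes of the class
# and of every superclass (top -> person -> organizationalPerson -> inetOrgPerson).
TOP = {"objectclass"}
PERSON = {"sn", "cn", "userpassword", "telephonenumber", "seealso", "description"}
ORGANIZATIONAL_PERSON = {
    "title", "x121address", "registeredaddress", "destinationindicator",
    "preferreddeliverymethod", "telexnumber", "teletexterminalidentifier",
    "telephonenumber", "internationalisdnnumber", "facsimiletelephonenumber",
    "street", "postofficebox", "postalcode", "postaladdress",
    "physicaldeliveryofficename", "ou", "st", "l",
}
INET_ORG_PERSON = {
    "audio", "businesscategory", "carlicense", "departmentnumber", "displayname",
    "employeenumber", "employeetype", "givenname", "homephone", "homepostaladdress",
    "initials", "jpegphoto", "labeleduri", "mail", "manager", "mobile", "o", "pager",
    "photo", "roomnumber", "secretary", "uid", "usercertificate",
    "x500uniqueidentifier", "preferredlanguage", "usersmimecertificate", "userpkcs12",
}
INETORGPERSON_SET = TOP | PERSON | ORGANIZATIONAL_PERSON | INET_ORG_PERSON

PEOPLE = "dc=people,dc=example,dc=org"
DELEGATED_ADMIN = "uid=admin,dc=people,dc=example,dc=org"


def normalise_dn(dn):
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parent_dn(dn):
    return normalise_dn(dn).split(",", 1)[1] if "," in dn else ""


def check_add(bind_dn, dn, entry, add_content_acl=True):
    """Return the reasons slapd would refuse the Add; an empty list means allowed.

    entry maps attribute name -> list of values, as an LDIF parser would give.
    "by * break" falls through to the default "access to * by * read", which
    grants no write access, so every failed rule below is a refusal.
    """
    attrs = {name.lower(): values for name, values in entry.items()}
    if normalise_dn(bind_dn) != DELEGATED_ADMIN:
        return ["children: bind DN has only the default read access"]
    # Rule 2: write on "children" of the parent, granted for dc=people only.
    if parent_dn(dn) != PEOPLE:
        return [f"children: no write access under {parent_dn(dn) or '<root>'}"]
    # Rule 3: write on the "entry" pseudo-attribute exists only when the
    # filter (objectClass=inetOrgPerson) matches the entry being added.
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    if "inetorgperson" not in classes:
        return ["entry: filter (objectClass=inetOrgPerson) does not match"]
    # Without add_content_acl (and before 2.4.13) slapd stops here: the
    # individual attributes of the new entry are not checked against the ACL.
    if not add_content_acl:
        return []
    # With add_content_acl on, each attribute needs write access, which
    # rule 3 grants only for the @inetOrgPerson set.
    return [f"{name}: not in @inetOrgPerson, no write access"
            for name in sorted(attrs) if name not in INETORGPERSON_SET]


def classes_the_acl_cannot_see(entry):
    """Extra objectClass values the ACL lets through.

    objectClass itself is in @inetOrgPerson (via top), so a subclass or an
    auxiliary class passes the ACL; only a DIT Content Rule can block it.
    """
    attrs = {name.lower(): values for name, values in entry.items()}
    expected = {"top", "person", "organizationalperson", "inetorgperson"}
    return {c.lower() for c in attrs.get("objectclass", [])} - expected


# Constructed sample entries (not from the FAQ).
ALICE = {"objectClass": ["inetOrgPerson", "organizationalPerson", "person", "top"],
         "cn": ["Alice Example"], "sn": ["Example"], "uid": ["alice"],
         "mail": ["alice@example.org"]}
POSIX_ALICE = dict(ALICE, objectClass=ALICE["objectClass"] + ["posixAccount"],
                   uidNumber=["10001"], gidNumber=["100"], homeDirectory=["/home/alice"])
HIDDEN_AUX = dict(ALICE, objectClass=ALICE["objectClass"] + ["posixAccount"])

if __name__ == "__main__":
    print(check_add(DELEGATED_ADMIN, "uid=alice," + PEOPLE, ALICE))
    print(check_add(DELEGATED_ADMIN, "uid=alice," + PEOPLE, POSIX_ALICE))
    print(check_add(DELEGATED_ADMIN, "uid=alice," + PEOPLE, POSIX_ALICE, add_content_acl=False))
    print(check_add(DELEGATED_ADMIN, "uid=alice,ou=staff," + PEOPLE, ALICE))
    print(classes_the_acl_cannot_see(HIDDEN_AUX))
```

Running it shows the two behaviours the FAQ contrasts: with the attribute check on, the posixAccount attributes (uidNumber, gidNumber, homeDirectory) are refused because they fall outside @inetOrgPerson; with it off, the same entry is accepted even though the ACL appears to forbid it. The last call shows the remaining gap: an entry that adds the auxiliary class without any of its attributes passes both checks, which is why a DIT Content Rule is still needed.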

This document is: http://www.openldap.org/faq/index.cgi?file=1474
© Copyright 1998-2013, OpenLDAP Foundation, info@OpenLDAP.org