(Category) (Category) OpenLDAP Faq-O-Matic : (Category) OpenLDAP Software FAQ : (Category) Configuration : (Category) SLAPD Configuration : (Category) Access Control : (Category) More information about Access Control
Warning: This is an attempt at documenting the access control facilities in OpenLDAP 2.0. I wrote it precisely because I did not understand them. So I started reading the source and collecting comments from the mailing lists until I could get the general picture. But I am not sure I have understood the thing myself. So please, please, please, do fix anything I got wrong.

As the directory gets populated with more and more data of varying sensitivity, controlling the kinds of access granted to the directory becomes more and more critical. For instance, the directory may contain data of a confidential nature that you may need to protect by contract or by law. Or, if using the directory to control access to other services (using pam_ldap, Apache's auth_ldap, etc.), inappropriate access to the directory may create avenues of attack to your site's security that result in devastating damage to your assets.

So far, subverting the directory to get access to a site has not been a common method of attack, but it is only a matter of time before we start seeing attacks of this kind as directories become more of a common infrastructure. If you plan to use a directory with such sensitive information, it is imperative that you learn how to specify what others will be able to see or modify.

OpenLDAP 2.0 comes with a great many enhancements in the access control area. These many new features are currently poorly documented. This document is an attempt at documenting them and reflects my understanding from the code and comments in the mailing lists. However, I do not claim that what described here actually reflects what happens.

Versioning issues

Most of the following access-related FAQs were initially written by volunteers when moving from OpenLDAP 1.X to OpenLDAP 2.0. Many details changed from 2.0 to 2.1 and 2.2, so some of the answers may now be outdated. If you find answers that do not indicate the version they refer to, they might be outdated, so please use with care. Always refer to slapd.access(5) for the ultimate answer on any details concerning access control. Answers will be (slowly) reviewed, and the appropriateness of every detail for the supported versions (as of the time of this writing, 2.1 and 2.2) will be highlighted. Thanks to those who will cooperate by posting new answers or by fixing existing ones.

List of known versioning issues

  • default dnstyle changed from regex in 2.1 to exact in 2.2.
  • default peerstyle changed from regex in 2.1 to exact in 2.2.
  • peername value in 2.2 is made of either "IP=<ip>:<port>" or "PATH=<path>"; specific ip and path styles have been added in 2.2.
  • groupstyle does not allow regex any more in 2.2; it has been replaced by expand.


Answers in this category:
(Answer) Two access control configuration methods
(Answer) Static configuration: general format
(Answer) Specifying the target
(Category) Specifying the subject
(Answer) Rights and privileges
(Answer) Controls or what to do after a match

[New Answer in "More information about Access Control"]
Next: (Category) Access control customization
This document is: http://www.openldap.org/faq/index.cgi?file=447
[Search] [Appearance] [Show This Entire Category]
This is a Faq-O-Matic 2.721.test.
© Copyright 1998-2013, OpenLDAP Foundation, info@OpenLDAP.org