Specifying the subject
Now we come to specifying the subject, i.e. who gets the rights that we will state later for our target:
<who> ::= [ * | anonymous | users | self | dn[.<style>]=<pattern> ]
        [dnattr=<attrname>]
        [group[/<objectclass>[/<attrname>][.<style>]]=<pattern>]
        [peername[.<style>]=<pattern>] [sockname[.<style>]=<pattern>]
        [domain[.<style>]=<pattern>] [sockurl[.<style>]=<pattern>]
        [set=<setspec>]
        [aci=<attrname>]

This is a complex definition, so let's go through it slowly. First we have a possible distinguished name specification. We are already acquainted with the wildcard * and with dn=. As a matter of fact, the latter may also have a style, as we saw for the target specification. The alternatives are the same, but there is a new style, exact, that is currently synonymous with base. If the style is regex, variable substitution takes place, so the actual value used to match depends on the precise entry being accessed (to be confirmed). The term self refers to a user who is bound as the target entry. The term users refers to users who have bound as some entry, while anonymous refers to users who have not bound at all or who did a null bind.

The dnattr term allows access to be granted based on data contained in the entry itself. The subjects matching this term are the values stored in the entry under the attribute type named by attrname. This is typically used to give special permission to an owner whose identity is stored in attrname.

The group term selects those subjects listed in some other entry in the directory. The objectclass of the group entry must be <objectclass> (default: groupOfNames), and the list of subjects is retrieved from attribute type <attrname> (default: member). The matching style is regex by default; in that case the value provided as <pattern> has its variables substituted and the result is used as the distinguished name of the entry that contains the list of subjects. If the style is exact instead, no variable substitution takes place and the value given is used as is to retrieve the list of subjects.

The terms peername and sockname refer to the remote side and the local side of the connection to the directory, respectively. They are similar in syntax; the value is typically a string of the form IP=<ip-address>:<port>. We can use these terms to control access to the directory based on the IP address of the client, for instance. If the <style> is exact, the indicated <pattern> is used as a literal string that is compared case-insensitively. If the <style> is regex (the default), variable substitution happens and the comparison is a regex match.

The term domain is used to select subjects connected from some DNS domain. If the <style> is exact, the indicated <pattern> is used as a literal string that is compared case-insensitively. If the <style> is regex (the default), variable substitution happens and the comparison is a regex match. (Open question left by the authors: find out what, if any, reverse DNS checks are done, and document/warn as appropriate.)

The term sockurl is used to select subjects according to the specific listener they used to connect. If the <style> is exact, the indicated <pattern> is used as a literal string that is compared case-insensitively. If the <style> is regex (the default), variable substitution happens and the comparison is a regex match.

The term set is used to compare against dynamically generated sets of DNs, based on a pseudo-BNF; see the answers on sets listed below for details.

The term aci is only available if OpenLDAP was configured with --enable-aci. It specifies that access control to this entry is governed by the values of the <attrname> attribute type.
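The following slapd.conf fragment is an added example, not part of the original FAQ answer; it puts most of the subject terms described above to work. All DNs, group names and addresses in it are constructed placeholders.

```conf
# self / anonymous / * : only the entry itself may change its password,
# unauthenticated clients may use it to bind, everyone else gets nothing.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=userPassword
    by self write
    by anonymous auth
    by * none

# dn.regex with variable substitution: $1 is the uid captured from the
# target DN, so each user may write only the entries directly under their own.
access to dn.regex="^cn=[^,]+,uid=([^,]+),ou=people,dc=example,dc=com$"
    by dn.regex="^uid=$1,ou=people,dc=example,dc=com$" write
    by users read
    by * none

# dnattr: the subjects are whoever is named in the entry's own "owner"
# attribute (a DN-valued attribute, constructed for this example).
access to dn.subtree="ou=projects,dc=example,dc=com"
    by dnattr=owner write
    by users read
    by * none

# group with the default objectclass (groupOfNames) and attribute (member):
# the exact style takes the group DN literally, with no variable substitution.
access to dn.subtree="ou=people,dc=example,dc=com"
    by group.exact="cn=People Admins,ou=groups,dc=example,dc=com" write
    by users read
    by * none

# peername (remote side of the connection, IP=<address>:<port>) combined with
# sockurl (the listener the client connected to); every term in a single "by"
# clause has to match. Dots are placed in character classes so they match
# literally under the regex style.
access to *
    by users peername.regex="^IP=10[.]0[.]0[.][0-9]+:[0-9]+$" sockurl.regex="^ldaps://" read
    by * none
```

Because slapd applies the first access directive whose target matches, the userPassword rule must stay ahead of the broader ou=people rules or the group administrators would be able to read everyone's password.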

That describes, more or less, how to specify the subjects of access control. Once we have found an access clause that matches the entry and a subject specification that matches the subject, we have to do something about it. This is described in the next answer.
jsanchez@openldap.org, ando@sys-net.it

ACL syntax improved significantly since the time this FAQ was first written. AFAIK, the most up-to-date reference doc on ACL syntax is the slapd.access(5) man page that ships with the software suite.
ando@sys-net.it
Answers in this category:
(Answer) Example of Group access
(Answer) Sets in Access Controls
(Answer) Sets as "reversed groups"

This document is: http://www.openldap.org/faq/index.cgi?file=452
© Copyright 1998-2013, OpenLDAP Foundation, info@OpenLDAP.org