The access control facility provided by the access directive is quite powerful. This section shows some examples of it's use. First, some simple examples:
access to * by * read |
This access directive grants read access to everyone.
The following example shows the use of a regular expression to select the entries by DN in two access directives where ordering is significant.
access to dn=".*, o=U of M, c=US" by * search access to dn=".*, c=US" by * read |
Read access is granted to entries under the c=US subtree, except for those entries under the "o=U of M, c=US" subtree, to which search access is granted. No access is granted to c=US as neither access directive matches this DN.If the order of these access directives was reversed, the U-M-specific directive would never be matched, since all U-M entries are also c=US entries.
Another way to implement the same access controls is:
access to dn.children="dc=example,dc=com" by * search access to dn.children="dc=com" by * read |
Read access is granted to entries under the dc=com subtree, except for those entries under the dc=example,dc=com subtree, to which search access is granted. No access is granted to dc=com as neither access directive matches this DN. If the order of these access directives was reversed, the trailing directive would never be reached, since all entries under dc=example,dc=com are also under dc=com entries.
Note: Also note that if no access to directive or no "by <who>" clause matches, access is denied. That is, every access to directive ends with an implicit by * none clause and every access list ends with an implicit access to * by * none directive.
The next example again shows the importance of ordering, both of the access directives and the "by <who>" clauses. It also shows the use of an attribute selector to grant access to a specific attribute and various <who> selectors.
access to dn.subtree="dc=example,dc=com" attr=homePhone by self write by dn.children=dc=example,dc=com" search by peername=IP:10\..+ read access to dn.subtree="dc=example,dc=com" by self write by dn.children="dc=example,dc=com" search by anonymous auth |
This example applies to entries in the "dc=example,dc=com" subtree. To all attributes except homePhone, an entry can write to itself, entries under example.com entries can search by them, anybody else has no access (implicit by * none) excepting for authentication/authorization (which is always done anonymously). The homePhone attribute is writable by the entry, searchable by entries under example.com, readable by clients connecting from network 10, and otherwise not readable (implicit by * none). All other access is denied by the implicit access to * by * none.
Sometimes it is useful to permit a particular DN to add or remove itself from an attribute. For example, if you would like to create a group and allow people to add and remove only their own DN from the member attribute, you could accomplish it with an access directive like this:
access to attr=member,entry by dnattr=member selfwrite |
The dnattr <who> selector says that the access applies to entries listed in the member attribute. The selfwrite access selector says that such members can only add or delete their own DN from the attribute, not other values. The addition of the entry attribute is required because access to the entry is required to access any of the entry's attributes.
There's plenty of information about Access Control on the OpenLDAP Administrator's Guide. Take a look at: Access Control for more information about this subject.