3.7. Access Control Examples
The access control facility provided by the access directive is
quite powerful. This section shows some examples of it's use. First, some simple examples:
This access directive grants read access to everyone.
The following example shows the use of a regular expression to select the
entries by DN in two access directives where ordering is significant.
access to dn=".*, o=U of M, c=US"
by * search
access to dn=".*, c=US"
by * read
Read access is granted to entries under the c=US subtree, except for those
entries under the "o=U of M, c=US" subtree, to which search access is granted. No access
is granted to c=US as neither access directive matches this DN.If the order of these
access directives was reversed, the U-M-specific directive would never be matched, since
all U-M entries are also c=US entries.
Another way to implement the same access controls is:
access to dn.children="dc=example,dc=com"
by * search
access to dn.children="dc=com"
by * read
Read access is granted to entries under the dc=com subtree, except for those entries
under the dc=example,dc=com subtree, to which search access is granted. No access is granted
to dc=com as neither access directive matches this DN. If the order of these access directives
was reversed, the trailing directive would never be reached, since all entries under
dc=example,dc=com are also under dc=com entries.
Note: Also note that if no access to directive or no "by <who>" clause matches,
access is denied. That is, every access to directive ends with an implicit by * none clause
and every access list ends with an implicit access to * by * none directive.
The next example again shows the importance of ordering, both of the access
directives and the "by <who>" clauses. It also shows the use of an attribute selector
to grant access to a specific attribute and various <who> selectors.
access to dn.subtree="dc=example,dc=com" attr=homePhone
by self write
by dn.children=dc=example,dc=com" search
by peername=IP:10\..+ read
access to dn.subtree="dc=example,dc=com"
by self write
by dn.children="dc=example,dc=com" search
by anonymous auth
This example applies to entries in the "dc=example,dc=com" subtree. To all
attributes except homePhone, an entry can write to itself, entries under
example.com entries can search by them, anybody else has no access (implicit by * none)
excepting for authentication/authorization (which is always done anonymously). The
homePhone attribute is writable by the entry, searchable by entries under example.com,
readable by clients connecting from network 10, and otherwise not readable
(implicit by * none). All other access is denied by the implicit access to * by * none.
Sometimes it is useful to permit a particular DN to add or remove itself from
an attribute. For example, if you would like to create a group and allow people
to add and remove only their own DN from the member attribute, you could accomplish
it with an access directive like this:
access to attr=member,entry
by dnattr=member selfwrite
The dnattr <who> selector says that the access applies to entries listed
in the member attribute. The selfwrite access selector says that such members
can only add or delete their own DN from the attribute, not other values. The
addition of the entry attribute is required because access to the entry is
required to access any of the entry's attributes.
There's plenty of information about Access Control on the OpenLDAP
Administrator's Guide. Take a look at: Access Control
for more information about this subject.