Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Mail Systems
Eclipse Documentation

How To Guides
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Problem Solutions
Privacy Policy




3.7. Access Control Examples

The access control facility provided by the access directive is quite powerful. This section shows some examples of it's use. First, some simple examples:

access to * by * read 

This access directive grants read access to everyone.

The following example shows the use of a regular expression to select the entries by DN in two access directives where ordering is significant.

access to dn=".*, o=U of M, c=US" 
by * search 
access to dn=".*, c=US" 
by * read 

Read access is granted to entries under the c=US subtree, except for those entries under the "o=U of M, c=US" subtree, to which search access is granted. No access is granted to c=US as neither access directive matches this DN.If the order of these access directives was reversed, the U-M-specific directive would never be matched, since all U-M entries are also c=US entries.

Another way to implement the same access controls is:

access to dn.children="dc=example,dc=com"
	by * search
	access to dn.children="dc=com"
	by * read

Read access is granted to entries under the dc=com subtree, except for those entries under the dc=example,dc=com subtree, to which search access is granted. No access is granted to dc=com as neither access directive matches this DN. If the order of these access directives was reversed, the trailing directive would never be reached, since all entries under dc=example,dc=com are also under dc=com entries.

Note: Also note that if no access to directive or no "by <who>" clause matches, access is denied. That is, every access to directive ends with an implicit by * none clause and every access list ends with an implicit access to * by * none directive.

The next example again shows the importance of ordering, both of the access directives and the "by <who>" clauses. It also shows the use of an attribute selector to grant access to a specific attribute and various <who> selectors.

access to dn.subtree="dc=example,dc=com" attr=homePhone
	by self write
	by dn.children=dc=example,dc=com" search
	by peername=IP:10\..+ read
access to dn.subtree="dc=example,dc=com"
	by self write
	by dn.children="dc=example,dc=com" search
	by anonymous auth

This example applies to entries in the "dc=example,dc=com" subtree. To all attributes except homePhone, an entry can write to itself, entries under entries can search by them, anybody else has no access (implicit by * none) excepting for authentication/authorization (which is always done anonymously). The homePhone attribute is writable by the entry, searchable by entries under, readable by clients connecting from network 10, and otherwise not readable (implicit by * none). All other access is denied by the implicit access to * by * none.

Sometimes it is useful to permit a particular DN to add or remove itself from an attribute. For example, if you would like to create a group and allow people to add and remove only their own DN from the member attribute, you could accomplish it with an access directive like this:

access to attr=member,entry 
	by dnattr=member selfwrite 

The dnattr <who> selector says that the access applies to entries listed in the member attribute. The selfwrite access selector says that such members can only add or delete their own DN from the attribute, not other values. The addition of the entry attribute is required because access to the entry is required to access any of the entry's attributes.

There's plenty of information about Access Control on the OpenLDAP Administrator's Guide. Take a look at: Access Control for more information about this subject.

  Published under the terms of the GNU General Public License Design by Interspire