Access Control Instruction#

ACI is defined in directory entry:

dn: ...
...
aci: (target_rule)(version 3.0; acl "ACL_name"; permission_rule bind_rules;)

Target Rules#

Syntax:

keyword comparison_operator "expression"

Examples:

Description

Target Rule

Subtree

target = “ldap:///dc=example,dc=com

Wildcard

target = “ldap:///uid=*,dc=example,dc=com”

Specific attribute

targetattr = “userPassword”

Search filter

targetfilter = “(uid=*)”

See also:

Permissions#

Syntax:

permission (rights)

Examples:

Description

Permission

Granting rights

allow (search, read)

Denying rights

deny (write)

See also:

Bind Rules#

Syntax:

keyword comparison_operator "expression"

Examples:

Description

Bind Rule

Anonymous users

userdn = “ldap:///anyone

Authenticated users

userdn = “ldap:///all

Self

userdn = “ldap:///self

Children

userdn = “ldap:///parent

Specific user

userdn = “l dap:///uid=admin,ou=people,dc=example,dc=com”

User filter

userdn = “ldap:///ou=people,dc= example,dc=com??sub?(department=Engineering)”

Group members

groupdn = “l dap:///cn=admins,ou=groups,dc=example,dc=com”

Group filter

groupdn = “ldap:///ou=groups,dc= example,dc=com??sub?(department=Engineering)”

See also:

Configuring ACI#

$ ldapmodify -h $HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 << EOF
dn: dc=example,dc=com
changetype: modify
replace: aci
aci: (target = "ldap:///dc=example,dc=com")(targetattr=objectClass||dc||ou||uid||cn||sn||givenName)(version 3.0; acl "Allow anyone to read and search basic attributes"; allow (search, read) userdn = "ldap:///anyone";)
aci: (target = "ldap:///dc=example,dc=com")(targetattr=*)(version 3.0; acl "Allow anyone to read and search itself"; allow (search, read) userdn = "ldap:///self";)
EOF

Instance ACIs#

dn: cn=ldbm database,cn=plugins,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; allow (read) userdn="ldap:///{dbuser}";)

dn: cn=config
changetype: modify
add: aci
aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///{dbuser}";)

dn: ou=csusers,cn=config
changetype: modify
add: aci
aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication users"; allow (all) userdn = "ldap:///{dbuser}";)

dn: cn=tasks,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re-initialization"; allow (add) userdn = "ldap:///{dbuser}";)

Subsystem ACIs#

dn: {rootSuffix}
changetype: modify
add: aci
aci: (targetattr=*)(version 3.0; acl "cert manager access v2"; allow (all) userdn = "ldap:///{dbuser}";)

dn: cn="{rootSuffix}",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements";allow (add) userdn = "ldap:///{dbuser}";)

dn: cn="{rootSuffix}",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agreements"; allow (read, write, search) userdn = "ldap:///{dbuser}";)

dn: cn="{rootSuffix}",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///{dbuser}";)

See Also#