slapd.access.5

ldap服务器源码

The special
.B ip
style interprets the pattern as 
.BR <peername>=<ip>[%<mask>][{<n>}] ,
where
.B <ip>
and 
.B <mask>
are dotted digit representations of the IP and the mask, while
.BR <n> ,
delimited by curly brackets, is an optional port.
When checking access privileges, the IP portion of the
.BR peername 
is extracted, eliminating the
.B "IP="
prefix and the
.B ":<port>"
part, and it is compared against the
.B <ip>
portion of the pattern after masking with
.BR <mask> .
As an example, 
.B peername.ip=127.0.0.1
allows connections only from localhost,
.B peername.ip=192.168.1.0%255.255.255.0 
allows connections from any IP in the 192.168.1 class C domain, and
.B peername.ip=192.168.1.16%255.255.255.240{9009}
allows connections from any IP in the 192.168.1.[16-31] range 
of the same domain, only if port 9009 is used.
The special 
.B path
style eliminates the 
.B "PATH="
prefix from the 
.B peername
when connecting through a named pipe, and performs an exact match 
on the given pattern.
The
.BR <domain>
clause also allows the
.B subtree
style, which succeeds when a fully qualified name exactly matches the
.BR domain
pattern, or its trailing part, after a 
.BR dot ,
exactly matches the 
.BR domain
pattern.
The 
.B expand
style is allowed, implying an
.B exact 
match with submatch expansion; the use of 
.B expand 
as a style modifier is considered more appropriate.
As an example,
.B domain.subtree=example.com
will match www.example.com, but will not match www.anotherexample.com.
The
.B domain
of the contacting host is determined by performing a DNS reverse lookup.
As this lookup can easily be spoofed, use of the
.B domain
statement is strongly discouraged.  By default, reverse lookups are disabled.
The optional
.B domainstyle
qualifier of the
.B <domain>
clause allows a
.B modifier
option; the only value currently supported is
.BR expand ,
which causes substring substitution of submatches to take place even if
the 
.B domainstyle
is not 
.BR regex ,
much like the analogous usage in 
.B <dn>
clause.
.LP
The statement
.B set=<pattern>
is undocumented yet.
.LP
The statement
.B aci[=<attrname>]
means that the access control is determined by the values in the
.B attrname
of the entry itself.
The optional
.B <attrname>
indicates what attributeType holds the ACI information in the entry.
By default, the 
.B OpenLDAPaci
operational attribute is used.
ACIs are experimental; they must be enabled at compile time.
.LP
The statement
.B dynacl/<name>[/<options>][.<dynstyle>][=<pattern>]
means that access checking is delegated to the admin-defined method
indicated by
.BR <name> ,
which can be registered at run-time by means of the
.B moduleload
statement.
The fields
.BR <options> ,
.B <dynstyle>
and
.B <pattern>
are optional, and are directly passed to the registered parsing routine.
Dynacl is experimental; it must be enabled at compile time.
If dynacl and ACIs are both enabled, ACIs are cast into the dynacl scheme,
where 
.B <name>=aci
and, optionally,
.BR <patten>=<attrname> .
However, the original ACI syntax is preserved for backward compatibility.
.LP
The statements
.BR ssf=<n> ,
.BR transport_ssf=<n> ,
.BR tls_ssf=<n> ,
and
.BR sasl_ssf=<n>
set the minimum required Security Strength Factor (ssf) needed
to grant access.  The value should be positive integer.
.SH THE <ACCESS> FIELD
The field
.B <access> ::= [[real]self]{<level>|<priv>}
determines the access level or the specific access privileges the
.B who 
field will have.
Its component are defined as
.LP
.nf
	<level> ::= none|disclose|auth|compare|search|read|write
	<priv> ::= {=|+|-}{w|r|s|c|x|d|0}+
.fi
.LP
The modifier
.B self
allows special operations like having a certain access level or privilege
only in case the operation involves the name of the user that's requesting
the access.
It implies the user that requests access is authorized.
The modifier
.B realself
refers to the authenticated DN as opposed to the authorized DN of the
.B self
modifier.
An example is the
.B selfwrite
access to the member attribute of a group, which allows one to add/delete
its own DN from the member list of a group, without affecting other members.
.LP
The 
.B level 
access model relies on an incremental interpretation of the access
privileges.
The possible levels are
.BR none ,
.BR disclose ,
.BR auth ,
.BR compare ,
.BR search ,
.BR read ,
and
.BR write .
Each access level implies all the preceding ones, thus 
.B write
access will imply all accesses.
.LP
The
.B none 
access level disallows all access including disclosure on error.
.LP
The
.B disclose
access level allows disclosure of information on error.
.LP
The 
.B auth
access level means that one is allowed access to an attribute to perform
authentication/authorization operations (e.g.
.BR bind )
with no other access.
This is useful to grant unauthenticated clients the least possible 
access level to critical resources, like passwords.
.LP
The
.B priv
access model relies on the explicit setting of access privileges
for each clause.
The
.B =
sign resets previously defined accesses; as a consequence, the final 
access privileges will be only those defined by the clause.
The 
.B +
and
.B -
signs add/remove access privileges to the existing ones.
The privileges are
.B w
for write,
.B r
for read,
.B s 
for search,
.B c 
for compare,
.B x
for authentication, and
.B d
for disclose.
More than one of the above privileges can be added in one statement.
.B 0
indicates no privileges and is used only by itself (e.g., +0).
If no access is given, it defaults to 
.BR +0 .
.SH THE <CONTROL> FIELD
The optional field
.B <control>
controls the flow of access rule application.
It can have the forms
.LP
.nf
	stop
	continue
	break
.fi
.LP
where
.BR stop ,
the default, means access checking stops in case of match.
The other two forms are used to keep on processing access clauses.
In detail, the
.B continue
form allows for other 
.B <who>
clauses in the same 
.B <access>
clause to be considered, so that they may result in incrementally altering
the privileges, while the
.B break
form allows for other
.B <access>
clauses that match the same target to be processed.
Consider the (silly) example
.LP
.nf
	access to dn.subtree="dc=example,dc=com" attrs=cn
		by * =cs break

	access to dn.subtree="ou=People,dc=example,dc=com"
		by * +r
.fi
.LP
which allows search and compare privileges to everybody under
the "dc=example,dc=com" tree, with the second rule allowing
also read in the "ou=People" subtree,
or the (even more silly) example
.LP
.nf
	access to dn.subtree="dc=example,dc=com" attrs=cn
		by * =cs continue
		by users +r
.fi
.LP
which grants everybody search and compare privileges, and adds read
privileges to authenticated clients.
.LP
One useful application is to easily grant write privileges to an
.B updatedn
that is different from the
.BR rootdn .
In this case, since the
.B updatedn
needs write access to (almost) all data, one can use
.LP
.nf
	access to *
		by dn.exact="cn=The Update DN,dc=example,dc=com" write
		by * break
.fi
.LP
as the first access rule.
As a consequence, unless the operation is performed with the 
.B updatedn
identity, control is passed straight to the subsequent rules.

.SH OPERATION REQUIREMENTS
Operations require different privileges on different portions of entries.
The following summary applies to primary database backends such as
the BDB and HDB backends.   Requirements for other backends may
(and often do) differ.

.LP
The
.B add
operation requires
.B write (=w)
privileges on the pseudo-attribute 
.B entry
of the entry being added, and 
.B write (=w)
privileges on the pseudo-attribute
.B children
of the entry's parent.
When adding the suffix entry of a database, write access to
.B children
of the empty DN ("") is required.

.LP
The 
.B bind
operation, when credentials are stored in the directory, requires 
.B auth (=x)
privileges on the attribute the credentials are stored in (usually
.BR userPassword ).

.LP
The
.B compare
operation requires 
.B compare (=c)
privileges on the attribute that is being compared.

.LP
The
.B delete
operation requires
.B write (=w)
privileges on the pseudo-attribute
.B entry 
of the entry being deleted, and
.B write (=w)
privileges on the
.B children
pseudo-attribute of the entry's parent.

.LP
The
.B modify
operation requires 
.B write (=w)
privileges on the attributes being modified.

.LP
The
.B modrdn
operation requires
.B write (=w)
privileges on the pseudo-attribute
.B entry
of the entry whose relative DN is being modified,
.B write (=w)
privileges on the pseudo-attribute
.B children
of the old and new entry's parents, and
.B write (=w)
privileges on the attributes that are present in the new relative DN.
.B Write (=w)
privileges are also required on the attributes that are present 
in the old relative DN if 
.B deleteoldrdn
is set to 1.

.LP
The
.B search
operation, requires 
.B search (=s)
privileges on the 
.B entry
pseudo-attribute of the searchBase (NOTE: this was introduced with 2.3).
Then, for each entry, it requires
.B search (=s)
privileges on the attributes that are defined in the filter.
The resulting entries are finally tested for 
.B read (=r)
privileges on the pseudo-attribute
.B entry
(for read access to the entry itself)
and for
.B read (=r)
access on each value of each attribute that is requested.
Also, for each
.B referral
object used in generating continuation references, the operation requires
.B read (=r)
access on the pseudo-attribute
.B entry
(for read access to the referral object itself),
as well as
.B read (=r)
access to the attribute holding the referral information
(generally the
.B ref
attribute).

.LP
Some internal operations and some
.B controls
require specific access privileges.
The
.B authzID
mapping and the 
.B proxyAuthz
control require
.B auth (=x)
privileges on all the attributes that are present in the search filter
of the URI regexp maps (the right-hand side of the
.B authz-regexp
directives).
.B Auth (=x)
privileges are also required on the
.B authzTo
attribute of the authorizing identity and/or on the 
.B authzFrom
attribute of the authorized identity.

.LP
Access control to search entries is checked by the frontend,
so it is fully honored by all backends; for all other operations
and for the discovery phase of the search operation,
full ACL semantics is only supported by the primary backends, i.e.
.BR back-bdb (5),
and
.BR back-hdb (5).

Some other backend, like
.BR back-sql (5),
may fully support them; others may only support a portion of the 
described semantics, or even differ in some aspects.
The relevant details are described in the backend-specific man pages.

.SH CAVEATS
It is strongly recommended to explicitly use the most appropriate
.B <dnstyle>
in
.B <what>
and
.B <who>
clauses, to avoid possible incorrect specifications of the access rules 
as well as for performance (avoid unnecessary regex matching when an exact
match suffices) reasons.
.LP
An administrator might create a rule of the form:
.LP
.nf
	access to dn.regex="dc=example,dc=com"
		by ...
.fi
.LP
expecting it to match all entries in the subtree "dc=example,dc=com".
However, this rule actually matches any DN which contains anywhere
the substring "dc=example,dc=com".  That is, the rule matches both
"uid=joe,dc=example,dc=com" and "dc=example,dc=com,uid=joe".
.LP
To match the desired subtree, the rule would be more precisely
written:
.LP
.nf
	access to dn.regex="^(.+,)?dc=example,dc=com$"
		by ...
.fi
.LP
For performance reasons, it would be better to use the subtree style.
.LP
.nf
	access to dn.subtree="dc=example,dc=com"
		by ...
.fi
.LP
When writing submatch rules, it may be convenient to avoid unnecessary
.B regex
.B <dnstyle>
use; for instance, to allow access to the subtree of the user 
that matches the
.B <what>
clause, one could use
.LP
.nf
	access to dn.regex="^(.+,)?uid=([^,]+),dc=example,dc=com$"
		by dn.regex="^uid=$2,dc=example,dc=com$$" write
		by ...
.fi
.LP
However, since all that is required in the 
.B <by>
clause is substring expansion, a more efficient solution is
.LP
.nf
	access to dn.regex="^(.+,)?uid=([^,]+),dc=example,dc=com$"
		by dn.exact,expand="uid=$2,dc=example,dc=com" write
		by ...
.fi
.LP
In fact, while a
.B <dnstyle>
of
.B regex
implies substring expansion, 
.BR exact ,
as well as all the other DN specific
.B <dnstyle>
values, does not, so it must be explicitly requested.
.LP
.SH FILES
.TP
ETCDIR/slapd.conf
default slapd configuration file
.SH SEE ALSO
.BR slapd (8),
.BR slapd-* (5),
.BR slapacl (8),
.BR regex (7),
.BR re_format (7)
.LP
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
.SH ACKNOWLEDGEMENTS
.B OpenLDAP
is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
.B OpenLDAP
is derived from University of Michigan LDAP 3.3 Release.