ACLs

See http://www.openldap.org/doc/admin/slapdconfig.html#Access Control

Can restrict by (the "to" part of a rule, i.e. what it covers):
  • Distinguished Name (dn=); written without a style it is a regular expression, as in the examples below
  • Filter that matches some attributes (filter=, an ordinary LDAP search filter applied to the entry)
  • Attributes (attrs=; "attr=" and "attribute=" are older spellings of the same keyword)
  • * covers every entry and attribute; a rule with "to *" is a catch-all and belongs last
Can restrict with (the "by" part of a rule, i.e. who is granted the access):
  • Anonymous users (anonymous)
  • Authenticated users (users)
  • Self, i.e. the bound user whose own entry is being accessed (self)
  • Distinguished name of the bound user (dn=)
  • IP address of the client (peername=) or its DNS name via reverse lookup (domain=)
  • * matches every requester; it is normally the last "by" line of a rule
Access control evaluation order:
  • Rules in the database section that holds the entry (after its "database" line) are checked first
  • Global rules (before any "database" line) are checked after them, as a fallback, not as an override
  • Within each set, rules are tried in the order they appear in the config file
  • The first "access to" whose "to" part matches the entry/attribute is used; later rules are not consulted
  • Inside that rule, the first "by" line that matches the requester decides; later "by" lines are not consulted
  • If no "by" line matches, access is denied; once any access directive exists, an entry that no rule matches is denied too (the list ends with an implicit "access to * by * none"). Only a config with no access directives at all defaults to read for everyone

Examples

# "attribute=" is the older spelling of "attrs="; attribute names are matched
# case-insensitively, so "userpassword" is the userPassword attribute.
# The last line is the weak spot: "*" matches everyone, anonymous binds included,
# so any client can read the stored password hashes. The usual ending for a
# userPassword rule is "by anonymous auth" followed by "by * none", which lets
# clients bind with the password but never read it.
# (If cn=Manager is the database rootdn, ACLs are not applied to it anyway.)
access to attribute=userpassword
        by dn="cn=Manager,dc=pisoftware,dc=com" write
        by self write
        by * read

# "dn=" with no style is a regular expression: "(.*,)?dc=pisoftware,dc=com" is
# meant to cover the base entry and everything below it. Current slapd also
# accepts dn.subtree= / dn.children= / dn.exact=, which state that intent
# directly and avoid regex mistakes (unescaped or unanchored patterns).
# "search" lets the matched users use homePhone in a search filter without
# having its value returned; "read" is needed to see it.
# Order matters: a directory user connecting from a .pisoftware.com host gets
# only "search", because the dn line matches them before the domain line.
# "domain=" is decided by a reverse DNS lookup of the client address, which the
# client's network (or a DNS spoofer) can influence; do not treat it as
# authentication. "peername=" (client IP) is at least as strong, and a
# TLS or SASL identity is better.
# "by anonymous auth" lets an unauthenticated client use the attribute only to
# bind, not to compare or read it.
access to dn="(.*,)?dc=pisoftware,dc=com" attr=homePhone
        by self write
        by dn="(.*,)?dc=pisoftware,dc=com" search
        by domain=.*\.pisoftware\.com read
        by anonymous auth
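
The two examples above rewritten into one ordered database section, added here as an illustration; it is not from the original notes or from the OpenLDAP documentation. The mdb backend, the rootdn, the "ou=people" tree and the 192.0.2.0/24 client range are assumed. The comments spell out what the evaluation order above means for each request: which rule gets selected, and why each rule and each "by" line sits where it does.

```conf
# Added example (not from the original notes or the OpenLDAP docs). The
# mdb backend, the rootdn, ou=people and the 192.0.2.0/24 range are assumed.

# ---- Global rules: written BEFORE any "database" line but consulted AFTER
# ---- the rules of the database that holds the entry. A fallback for what
# ---- the per-database rules below do not match, not an override.
access to *
        by * none

database mdb
suffix  "dc=pisoftware,dc=com"
rootdn  "cn=Manager,dc=pisoftware,dc=com"
# rootdn is exempt from ACLs, so it needs no "by" line anywhere.

# Rule 1: userPassword. The first "access to" whose "to" part matches is the
# only one consulted, so this must come before any rule that also covers the
# attribute (rule 3 below covers everything). "by" lines are first-match as
# well: the owner hits "self" before "*" and gets write; anonymous gets auth
# (may bind with the password, may not read it); everyone else falls to
# "* none". Compare the notes' first example, where "by * read" in the last
# position hands the hashes to any client.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Rule 2: the notes' second example with scope styles instead of regexes and
# a client IP range instead of reverse DNS. Order matters here too: a
# directory user connecting from 192.0.2.0/24 gets "search", not "read",
# because the dn.subtree line matches them first. Had "by users read" been
# written above "by self write", the owner would match "users" first and be
# stuck at read: most specific "by" line first.
access to dn.subtree="dc=pisoftware,dc=com" attrs=homePhone
        by self write
        by dn.subtree="dc=pisoftware,dc=com" search
        by peername.ip=192.0.2.0%255.255.255.0 read
        by anonymous auth

# Rule 3: the catch-all, placed last on purpose. If it came first it would be
# selected for every request (it matches everything) and rules 1 and 2 would
# be dead config. "users read" does not expose userPassword, because rule 1
# already claimed that attribute. "anonymous auth" on the remaining
# attributes (including the "entry" pseudo-attribute) is what lets an
# unauthenticated client bind at all.
access to *
        by users read
        by anonymous auth

# Nothing from this database reaches the global "access to * by * none":
# rule 3 matches every remaining entry and attribute. The global rule still
# protects any other database in this file that defines no rules of its own.
```

To check a rule set against real requests, bind as the user in question and run ldapsearch for the attribute; a value that comes back where the config says "search" or "auth" means an earlier, broader rule was selected instead of the one you expected.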