ACLs
See http://www.openldap.org/doc/admin/slapdconfig.html#Access Control
Can restrict by:
- Distinguished Name
- Filter that matches some attributes
- Attributes
Can restrict with:
- Anonymous users
- Authenticated users
- Self, i.e. the user who owns the entry
- Distinguished name
- IP address or DNS entry
Access control priority:
- Local (database-specific) rules first
- Then global rules
- Rules are evaluated in the order they appear in the config file
- The first matching rule is used
Examples
access to attrs=userPassword
        by dn="cn=Manager,dc=pisoftware,dc=com" write
        by self write
        by * read

access to dn="(.*,)?dc=pisoftware,dc=com" attrs=homePhone
        by self write
        by dn="(.*,)?dc=pisoftware,dc=com" search
        by domain=.*\.pisoftware\.com read
        by anonymous auth
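To see how the ordering rules above play out on these two directives, here is a toy evaluator, added as an example; it is not part of the original notes or of OpenLDAP itself. It models slapd's first-match semantics in a simplified way (regexes are treated as anchored, the `domain` clause is matched against a reverse-DNS name supplied by the caller, the `attrs=` spelling is used for the attribute selector, and the default access when no directive matches is assumed to be `none`); `ACL_TEXT`, the requester dictionaries and all function names are constructed here.

```python
import re
# Constructed copy of the two directives above (attrs= spelling), fed to the toy evaluator below
ACL_TEXT = r"""access to attrs=userPassword
    by dn="cn=Manager,dc=pisoftware,dc=com" write
    by self write
    by * read
access to dn="(.*,)?dc=pisoftware,dc=com" attrs=homePhone
    by self write
    by dn="(.*,)?dc=pisoftware,dc=com" search
    by domain=.*\.pisoftware\.com read
    by anonymous auth
"""
LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # weakest to strongest
def parse(text):
    # Minimal slapd.conf ACL reader; assumes no spaces inside quoted values.
    acls = []
    for tok in (line.split() for line in text.strip().splitlines()):
        if tok[:2] == ["access", "to"]:
            acls.append(({k: v.strip('"') for k, v in (t.split("=", 1) for t in tok[2:])}, []))
        elif tok[:1] == ["by"]:
            acls[-1][1].append((tok[1], tok[2]))
    return acls

def who_matches(who, req, entry_dn):
    # req = {"dn": bind DN, or None when anonymous, "domain": client's reverse-DNS name}
    kind, _, pat = who.partition("=")
    pat, dn = pat.strip('"'), req.get("dn")
    if who == "*":
        return True
    if who == "anonymous":
        return dn is None
    if who == "self":
        return dn is not None and dn.lower() == entry_dn.lower()
    if kind == "dn":      # regex on the bind DN; treated as anchored in this model
        return dn is not None and re.fullmatch(pat, dn, re.I) is not None
    if kind == "domain":  # regex on the client's reverse-DNS name
        return re.fullmatch(pat, req.get("domain", ""), re.I) is not None
    raise ValueError("unsupported <who> clause: " + who)

def evaluate(acls, req, entry_dn, attr):
    # First matching 'access to' wins; inside it the first matching 'by' decides, else denied.
    for what, by_clauses in acls:
        if ("dn" in what and not re.fullmatch(what["dn"], entry_dn, re.I)) or (
                "attrs" in what and attr.lower() not in what["attrs"].lower().split(",")):
            continue
        return next((lvl for who, lvl in by_clauses if who_matches(who, req, entry_dn)), "none")
    return "none"  # no directive matched: default access, assumed to be 'none' here

def allows(acls, req, entry_dn, attr, needed):  # True if the granted level is at least 'needed'
    return LEVELS.index(evaluate(acls, req, entry_dn, attr)) >= LEVELS.index(needed)
```

Run against the directives as written, it reports `read` on userPassword for an anonymous requester, because `by * read` is reached before anything narrower, which is why a userPassword rule is normally finished with `by anonymous auth` followed by `by * none`.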