The LDAP configuration file

Access control examples

The access control facility described in ``Evaluating access control'' is quite powerful. This topic shows some examples of its use. First, some simple examples:

   access to * by * read
This access directive grants read access to everyone. If it appears alone it is the same as the following defaultaccess line:
   defaultaccess read
The following example shows the use of a regular expression to select the entries by DN in two access directives where ordering is significant:
   access to dn=".*, o=Antbear, Lucid & Popp, c=US"
       by * search
   access to dn=".*, c=US"
       by * read
Read access is granted to entries under the ``c=US'' subtree, except for those entries under the ``o=Antbear, Lucid & Popp, c=US'' subtree, to which only search access is granted. If the order of these access directives were reversed, the company-specific directive would never be matched, since every entry under ``o=Antbear, Lucid & Popp, c=US'' is also a ``c=US'' entry and the first matching directive is the one that applies.

The next example again shows the importance of ordering, both of the access directives and of the ``by'' clauses within them. It also shows the use of an attribute selector to grant access to a specific attribute, and the use of several different who selectors.

   access to dn=".*, o=Antbear, Lucid & Popp, c=US" attr=homePhone
       by self                        write
       by dn=".*, o=Antbear, Lucid & Popp, c=US"     search
       by domain=.*.antbear.com       read
       by *                           compare
   access to dn=".*, o=Antbear, Lucid & Popp, c=US"
       by self                        write
       by dn=".*, o=Antbear, Lucid & Popp, c=US"     search
       by *                           none
This example applies to entries in the ``o=Antbear, Lucid & Popp, c=US'' subtree. For all attributes except homePhone, the entry itself has write access, other entries in the same subtree have search access, and everyone else has no access. The homePhone attribute is writable by the entry itself, searchable by other entries in the subtree, readable by clients connecting from a host in the antbear.com domain, and comparable by everybody else. The homePhone directive must come first: the second directive's what clause also matches homePhone, so if it came first the homePhone-specific directive would never be consulted. Within each directive the first matching ``by'' clause determines the access granted, which is why the catch-all ``by *'' clause is placed last.

Sometimes it is useful to permit a particular DN to add or remove itself from an attribute. For example, if you would like to create a group and allow people to add and remove only their own DN from the member attribute, you could accomplish it with an access directive like this:

   access to attr=member,entry
       by dnattr=member                  selfwrite
The dnattr who selector says that the access applies to the entries listed in the member attribute. The selfwrite access selector says that such members can add or delete only their own DN in the attribute, not any other value. The entry pseudo-attribute must be included because access to the entry itself is required before any of its attributes can be accessed.

Note that the attr=member construct in the what clause is shorthand for the following clause:

   dn=* attr=member
That is, it matches the member attribute in all entries.
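The following Python program is an added example, not part of this document or of the slapd server: it models the evaluation rules described above (the first access directive whose what clause matches is used, within it the first matching ``by'' clause decides, and no access is granted if no ``by'' clause matches) and runs the three examples on this page (the ``c=US'' ordering example, the homePhone example and the member/selfwrite example) against constructed sample entries. Assumed, not taken from the page: DN regular expressions are searched case-insensitively, selfwrite permits only adding or deleting the requester's own DN, and the entry and requester DNs are invented.

```python
"""Model of slapd-style access-control evaluation for the directives on this
page.  Added example, not part of the original document.  Modeling assumptions:
the first 'access' directive whose 'what' clause matches is used; within it
the first matching 'by' clause decides; if no 'by' clause matches, access is
none; DN regular expressions are searched case-insensitively; 'selfwrite'
only permits adding or deleting the requester's own DN."""
import re
from dataclasses import dataclass, field
from typing import Optional

LEVELS = {"none": 0, "compare": 1, "search": 2, "read": 3, "write": 4}


@dataclass
class Entry:
    dn: str
    attrs: dict = field(default_factory=dict)    # attribute name -> list of values


@dataclass
class Requester:
    dn: str = ""      # bound DN, "" for an anonymous client
    host: str = ""    # client host name, matched by domain= selectors


@dataclass
class Access:
    """One 'access to <what> by <who> <level> ...' directive."""
    dn_regex: str = ".*"             # what: dn=<regex>; '*' on the page means any entry
    attrs: Optional[set] = None      # what: attr=<list>; None means every attribute
    by: list = field(default_factory=list)   # [(who, level), ...] in file order


def matches_what(acl, entry, attr):
    # Assumption: the regex is searched (not anchored) and case-insensitive.
    if not re.search(acl.dn_regex, entry.dn, re.IGNORECASE):
        return False
    return acl.attrs is None or attr.lower() in {a.lower() for a in acl.attrs}


def matches_who(who, requester, entry):
    if who == "*":
        return True
    if who == "self":
        return requester.dn != "" and requester.dn.lower() == entry.dn.lower()
    kind, _, arg = who.partition("=")
    if kind == "dn":
        return requester.dn != "" and bool(re.search(arg, requester.dn, re.IGNORECASE))
    if kind == "domain":
        return requester.host != "" and bool(re.search(arg, requester.host, re.IGNORECASE))
    if kind == "dnattr":
        # the requester's DN must be one of the values of the named attribute
        values = [v.lower() for v in entry.attrs.get(arg, [])]
        return requester.dn != "" and requester.dn.lower() in values
    raise ValueError("unknown who selector: " + who)


def access_level(acls, requester, entry, attr, defaultaccess="read"):
    """Name of the access level the requester gets to one attribute of an entry."""
    for acl in acls:
        if matches_what(acl, entry, attr):
            for who, level in acl.by:
                if matches_who(who, requester, entry):
                    return level
            return "none"          # directive matched but no 'by' clause did
    return defaultaccess           # no directive matched: defaultaccess applies


def allowed(acls, requester, entry, attr, need, defaultaccess="read"):
    level = access_level(acls, requester, entry, attr, defaultaccess)
    return LEVELS.get(level, 0) >= LEVELS[need]


def may_modify_value(acls, requester, entry, attr, value, defaultaccess="read"):
    """Add/delete of one value: needs access to the entry itself, then either
    write access to the attribute or selfwrite with the requester's own DN."""
    if access_level(acls, requester, entry, "entry", defaultaccess) == "none":
        return False
    level = access_level(acls, requester, entry, attr, defaultaccess)
    if level == "selfwrite":
        return requester.dn != "" and value.lower() == requester.dn.lower()
    return LEVELS.get(level, 0) >= LEVELS["write"]


# The page's directives, transcribed into the model.
COMPANY = ".*, o=Antbear, Lucid & Popp, c=US"
ORDERED = [Access(COMPANY, None, [("*", "search")]),
           Access(".*, c=US", None, [("*", "read")])]
REVERSED = ORDERED[::-1]                       # the "wrong" order discussed on the page
PHONE_ACLS = [
    Access(COMPANY, {"homePhone"}, [("self", "write"), ("dn=" + COMPANY, "search"),
                                    ("domain=.*.antbear.com", "read"), ("*", "compare")]),
    Access(COMPANY, None, [("self", "write"), ("dn=" + COMPANY, "search"), ("*", "none")]),
]
GROUP_ACLS = [Access(".*", {"member", "entry"}, [("dnattr=member", "selfwrite")])]

# Constructed sample entries and DNs (not from the page).
ALICE = Entry("cn=Alice, o=Antbear, Lucid & Popp, c=US", {"homePhone": ["555-0100"]})
BOB_DN = "cn=Bob, o=Antbear, Lucid & Popp, c=US"
OUTSIDER = Entry("cn=Carol, o=Other Corp, c=US")
GROUP = Entry("cn=staff, o=Antbear, Lucid & Popp, c=US", {"member": [ALICE.dn, BOB_DN]})

if __name__ == "__main__":
    anon = Requester()
    print("ordered :", access_level(ORDERED, anon, ALICE, "cn"), access_level(ORDERED, anon, OUTSIDER, "cn"))
    print("reversed:", access_level(REVERSED, anon, ALICE, "cn"))
    for who in (Requester(ALICE.dn), Requester(BOB_DN), Requester(host="pc1.antbear.com"), Requester(OUTSIDER.dn)):
        print(who, access_level(PHONE_ACLS, who, ALICE, "homePhone"), access_level(PHONE_ACLS, who, ALICE, "cn"))
    print("alice adds self:", may_modify_value(GROUP_ACLS, Requester(ALICE.dn), GROUP, "member", ALICE.dn))
    print("alice adds bob :", may_modify_value(GROUP_ACLS, Requester(ALICE.dn), GROUP, "member", BOB_DN))
```

Running it shows the effect the text describes: with ORDERED, an anonymous client gets search on the Antbear entry and read on the other ``c=US'' entry, while with REVERSED the Antbear entry gets read because the ``.*, c=US'' directive is consulted first. For the homePhone directives, the same requester receives a different level for homePhone and for cn, and a client whose only distinguishing property is its antbear.com host name gets read on homePhone but nothing on other attributes.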
© 1999 The Santa Cruz Operation, Inc. All rights reserved.
UnixWare 7 Release 7.1.1 - 5 November 1999