OpenLDAP Access Control

Access to SLAPD entries and properties is controlled by the Access profile directive. The common format for access rights lines is as follows:

<access directive>:: = Access to <what>
[By <who> <access> <control>]+
<what>:: * |
[dn[.<basic-style>]=<regex> | Dn.<scope-style>=<dn>]
[Filter=<ldapfilter>] [Attrs=<attrlist>]
<basic-style>:: = Regex | Exact
<scope-style>:: = Base | One | Subtree | Children
<attrlist>:: = <attr> [Val[.<basic-style>]=<regex>] | <attr> <attrlist>
<attr>:: = <attrhttp://www.aliyun.com/zixun/aggregation/11696.html ">name> | Entry | Children
<who>:: * | [Anonymous | users | self
| dn[.<basic-style>]=<regex> | Dn.<scope-style>=<dn>]
[Dnattr=<attrname>]
[Group[/<objectclass>[/<attrname>][.<basic-style>]]=<regex>]
[Peername[.<basic-style>]=<regex>]
[Sockname[.<basic-style>]=<regex>]
[Domain[.<basic-style>]=<regex>]
[Sockurl[.<basic-style>]=<regex>]
[Set=<setspec>]
[Aci=<attrname>]
<access>:: = [Self]{<level>|<priv>}
<level>:: = none | Auth | Compare | Search | Read | Write
<priv>:: = {=|+|-}{w|r|s|c|x|0}+
<control>: = [Stop | re-enters | break]

<what> Select the entries and attributes to which access rights apply. The <who> section indicates which entity is given access Rights,<access> section explains what access is given. Multiple <who> <access> <control> triples can be specified to allow multiple entities to be given different access rights to the same set of entry attributes. All access control options are not listed here, please refer to the slapd.access (5) man page for more details.