Access Control Lists (ACLs)
The Directory ACLs provided by OpenLDAP are simple in their syntax, yet very flexible and powerful in their implementation. The basic idea is to define Who has Access to What? The most frequent forms of “Who” include:
- `*`: Matches any connected user, including anonymous connections
- `self`: The DN of the currently connected user, assuming he has been successfully authenticated by a previous bind request
- `anonymous`: Nonauthenticated user connections
- `users`: Authenticated user connections
- Regular expression: Matches a DN or an SASL identity
Remember that the login name used to specify a user for authentication takes the form of a DN (e.g., dn="cn=gerald carter,ou=people,dc=plainjoe,dc=org") or an SASL identity (e.g., dn="uid=jerry,cn=gssapi,cn=auth"). The self value is used as a shortcut for the DN of the authenticated user of the current session. The examples later in this section will help clarify this concept.
The notion of an access level is a new concept. Table 3-7 summarizes the various access privileges. Higher levels possess all of the capabilities of the lower levels. For example, compare access implies auth access, and write access implies read, search, compare, and auth.
Table 3-7 (only partially recovered from the page; the access-level cells of the surviving rows are missing):

| Access level | Permission granted |
| --- | --- |
| | Access to update attribute values (e.g., "Change this…") |
| | Access to read search results (e.g., "Show me all the entries with a…") |
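A short set of slapd.conf-style ACLs, added here as an example (not a listing from the book), that combines the "who" forms above with the access levels of Table 3-7. The suffix dc=plainjoe,dc=org is the book's example suffix; the ou=people branch and the uid naming attribute are assumptions.

```conf
# Added example: slapd.conf ACLs for the dc=plainjoe,dc=org directory.
# slapd uses the first "access to" clause whose target matches the entry,
# and within it the first "by" clause whose "who" matches the connection.

# Passwords: the owner (self) may change their own. An anonymous connection
# gets only "auth", which lets slapd use the attribute to authenticate a
# bind but, being below "read" in the hierarchy, never returns the hash in
# search results.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Entries under ou=people (DN matched by regular expression): each user may
# update their own entry, any authenticated user (users) may read the
# others, and anonymous connections fall through to the implicit "by * none".
access to dn.regex="^uid=[^,]+,ou=people,dc=plainjoe,dc=org$"
    by self write
    by users read

# Everything else: read-only for authenticated users. Listed last because the
# first matching "access to" clause wins, so a catch-all placed earlier would
# shadow the more specific rules above.
access to *
    by users read
    by * none
```

With the cn=config backend the same directives are stored as olcAccess values, each prefixed with an {n} ordering index.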