The directory ACLs provided by OpenLDAP are simple in their syntax, yet very flexible and powerful in their implementation. The basic idea is to define "Who has access to what?" The most frequent forms of "Who" include:
*: Matches any connected user, including anonymous connections
self: The DN of the currently connected user, assuming it has been successfully authenticated by a previous bind request
anonymous: Nonauthenticated user connections
users: Authenticated user connections
dn=<DN>: Matches a specific DN or an SASL identity (a match style such as dn.exact=, dn.subtree= or dn.regex= may be appended to the dn keyword)
Remember that the login name used to specify a user for authentication takes the form of a DN (e.g., "…carter,ou=people,dc=plainjoe,dc=org") or an SASL identity. The self value is used as a shortcut for the DN of the authenticated user of the current session. The examples later in this section will help clarify this concept.
The notion of an access level is a new concept. Table 3-7 summarizes the various access privileges. Higher levels possess all of the capabilities of the lower levels: compare access implies auth access, read access implies search, compare, and auth access, and write access includes everything below it.
Table 3-7. Access levels
write: Access to update attribute values (e.g., "Change this …")
read: Access to read search results (e.g., "Show me all the entries with a …")
search: Access to apply a search filter against the attribute, without reading its value
compare: Access to compare a supplied value against the attribute (e.g., via an LDAP compare operation)
auth: Access to bind using the attribute (the server may check a password without the client ever being able to read it)
none: No access
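To show how the "Who" forms and the access levels combine in practice, here is an added example that is not code from the book or from OpenLDAP. It is a small Python model of slapd's `access to <what> by <who> <level>` directives: directives are tried in order, the first one whose target matches the entry or attribute decides, and within it the first matching `by` clause decides; if nothing matches, access is denied (slapd's implicit `by * none` and trailing `access to * by * none`). The sample ACL embedded in the code is constructed for this example; `dc=plainjoe,dc=org` comes from the text, while `cn=alice`, `cn=bob` and `cn=Manager` are made-up names. Real slapd supports many more who/what forms (regex, sets, attribute-value matching, `break`/`continue` controls) and lets the rootdn bypass ACLs entirely; none of that is modelled here.

```python
"""Toy evaluator for OpenLDAP-style access directives (added example, not
OpenLDAP code). Models first-match semantics for the who-forms and access
levels discussed in the text; rootdn bypass, regex/set forms and control
keywords are deliberately not modelled."""
import shlex
from typing import Optional

# Access levels from lowest to highest; each level implies all lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Constructed sample ACL in slapd.conf syntax (names are made up for this
# example): users may change their own password, anonymous clients may only
# bind against it, and a hypothetical cn=Manager may edit entries under ou=people.
SAMPLE_ACL = """
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to dn.subtree="ou=people,dc=plainjoe,dc=org"
    by dn="cn=Manager,dc=plainjoe,dc=org" write
    by users read
    by * none
"""


def level_implies(granted: str, needed: str) -> bool:
    """True when the granted level includes the needed privilege."""
    return LEVELS.index(granted) >= LEVELS.index(needed)


def normalize_dn(dn: str) -> str:
    """Crude DN normalization: lowercase, strip spaces around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def is_subordinate(dn: str, base: str) -> bool:
    """True when dn equals base or lies anywhere beneath it."""
    dn, base = normalize_dn(dn), normalize_dn(base)
    return dn == base or dn.endswith("," + base)


def logical_lines(text: str) -> list:
    """Join slapd.conf continuation lines (leading whitespace); drop comments."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out


def parse_acl(text: str) -> list:
    """Parse 'access to <what> by <who> <level> [by ...]' into (what, [(who, level)])."""
    rules = []
    for line in logical_lines(text):
        tokens = shlex.split(line)  # strips the quotes around dn="..."
        if tokens[:2] != ["access", "to"]:
            raise ValueError(f"not an access directive: {line}")
        what, clauses, rest = tokens[2], [], tokens[3:]
        while rest:
            if rest[0] != "by" or len(rest) < 3 or rest[2] not in LEVELS:
                raise ValueError(f"malformed by-clause in: {line}")
            clauses.append((rest[1], rest[2]))
            rest = rest[3:]
        rules.append((what, clauses))
    return rules


def target_matches(what: str, entry_dn: str, attr: Optional[str]) -> bool:
    """Does the <what> part of a directive cover this entry/attribute?"""
    if what == "*":
        return True
    if what.startswith("attrs="):
        wanted = [a.lower() for a in what[len("attrs="):].split(",")]
        return attr is not None and attr.lower() in wanted
    if what.startswith("dn.subtree="):
        return is_subordinate(entry_dn, what[len("dn.subtree="):])
    if what.startswith("dn="):
        return normalize_dn(entry_dn) == normalize_dn(what[len("dn="):])
    raise ValueError(f"unsupported target form: {what}")


def who_matches(who: str, bind_dn: Optional[str], entry_dn: str) -> bool:
    """Does a <who> form match the requester? bind_dn=None means anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and normalize_dn(bind_dn) == normalize_dn(entry_dn)
    if who.startswith("dn.subtree="):
        return bind_dn is not None and is_subordinate(bind_dn, who[len("dn.subtree="):])
    if who.startswith("dn="):
        return bind_dn is not None and normalize_dn(bind_dn) == normalize_dn(who[len("dn="):])
    raise ValueError(f"unsupported who form: {who}")


def check_access(rules, bind_dn: Optional[str], entry_dn: str,
                 attr: Optional[str], needed: str) -> bool:
    """First directive whose target matches decides; within it the first
    matching 'by' clause decides. No match at either step denies access."""
    for what, clauses in rules:
        if not target_matches(what, entry_dn, attr):
            continue
        for who, level in clauses:
            if who_matches(who, bind_dn, entry_dn):
                return level_implies(level, needed)
        return False  # implicit "by * none": stop here, do not try later rules
    return False      # implicit trailing "access to * by * none"


RULES = parse_acl(SAMPLE_ACL)
```

Two things the model makes visible that the table alone does not: an anonymous client gets `auth` on `userPassword` (so it can bind) but not `read`, because `auth` sits below `read` in the hierarchy; and a bound user other than the owner gets nothing on `userPassword`, because `users read` lives in a later directive that is never reached once the `attrs=userPassword` directive has matched.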