access configuration for slapd, the stand-alone LDAP daemon
  
THE <ACCESS> FIELD
The optional field <access> ::= [[real]self]{<level>|<priv>}
       determines the access level or the specific access privileges the
       who field will have.  Its components are defined as
            <level> ::= none|disclose|auth|compare|search|read|{write|add|delete}|manage
            <priv> ::= {=|+|-}{0|d|x|c|s|r|{w|a|z}|m}+
       The modifier self allows special operations like having a certain
       access level or privilege only in case the operation involves the
       name of the user that's requesting the access.  It implies the
       user that requests access is authorized.  The modifier realself
       refers to the authenticated DN as opposed to the authorized DN of
       the self modifier.  An example is the selfwrite access to the
       member attribute of a group, which allows one to add/delete one's
       own DN from the member list of a group, while not being allowed
       to affect other members.
       The level access model relies on an incremental interpretation of
       the access privileges.  The possible levels are none, disclose,
       auth, compare, search, read, write, and manage.  Each access
       level implies all the preceding ones, thus manage grants all
       access including administrative access. This access allows some
       modifications which would otherwise be prohibited by the LDAP
       data model or the directory schema, e.g. changing the structural
       objectclass of an entry, or modifying an operational attribute
       that is defined as not user modifiable.  The write access is
       actually the combination of add and delete, which respectively
       restrict the write privilege to add or delete the specified
       <what>.
       The none access level disallows all access including disclosure
       on error.
       The disclose access level allows disclosure of information on
       error.
       The auth access level means that one is allowed access to an
       attribute to perform authentication/authorization operations
       (e.g.  bind) with no other access.  This is useful to grant
       unauthenticated clients the least possible access level to
       critical resources, like passwords.
       The priv access model relies on the explicit setting of access
       privileges for each clause.  The = sign resets previously defined
       accesses; as a consequence, the final access privileges will be
       only those defined by the clause.  The + and - signs add/remove
       access privileges to the existing ones.  The privileges are m for
       manage, w for write, a for add, z for delete, r for read, s for
       search, c for compare, x for authentication, and d for disclose.
       More than one of the above privileges can be added in one
       statement.  0 indicates no privileges and is used only by itself
       (e.g., +0).  Note that +az is equivalent to +w.
       If no access is given, it defaults to +0.
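
       The following is an added example, not part of this manual page or
       of the OpenLDAP sources: a small evaluator for the <access> field
       that expands levels into privilege letters and applies the =, +
       and - forms.  The names apply_access and level_privs are
       hypothetical, and treating a level keyword as an assignment of its
       privilege set is an assumption.

```python
import re

# Levels in increasing order; per the text each one implies all preceding ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
# Privilege letter(s) each level adds on top of the previous level (w = a + z).
ADDS = dict(zip(LEVELS, ["", "d", "x", "c", "s", "r", "az", "m"]))
ACCESS_RE = re.compile(
    r"^(realself|self)?(?:(?P<level>[a-z]+)|(?P<op>[=+-])(?P<privs>[0dxcsrwazm]+))$")

def level_privs(level):
    """Expand a <level> keyword into the set of privilege letters it implies."""
    if level in ("add", "delete"):  # write restricted to one half of "w"
        return level_privs("read") | {"a" if level == "add" else "z"}
    if level not in LEVELS:
        raise ValueError("unknown level: %r" % level)
    upto = LEVELS[: LEVELS.index(level) + 1]
    return frozenset("".join(ADDS[name] for name in upto))

def apply_access(current, access):
    """Apply one <access> field to the privilege set `current`.

    Returns (modifier, privileges); modifier is None, "self" or "realself".
    """
    match = ACCESS_RE.match(access or "+0")  # missing field defaults to +0
    if not match:
        raise ValueError("not a valid <access> field: %r" % access)
    modifier = match.group(1)
    if match.group("level"):
        # Assumption: a level keyword assigns its set, like "=" with those letters.
        return modifier, level_privs(match.group("level"))
    op, letters = match.group("op"), match.group("privs")
    if "0" in letters and letters != "0":
        raise ValueError("0 is used only by itself")
    named = frozenset(letters.replace("w", "az").replace("0", ""))
    current = frozenset(current)
    if op == "=":
        return modifier, named              # reset: only what this clause names
    if op == "+":
        return modifier, current | named
    return modifier, current - named        # op == "-"

if __name__ == "__main__":
    # Constructed inputs: start from "read", then apply a few <access> fields.
    _, privs = apply_access((), "read")
    for field in ("+w", "-r", "=x", "selfwrite", ""):
        print(repr(field), "->", apply_access(privs, field))
```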