---

   slapd.access    ( 5 )

---

OPERATION REQUIREMENTS

Operations require different privileges on different portions of entries. The following summary applies to primary MDB database backend. Requirements for other backends may (and often do) differ.

The add operation requires add (=a) privileges on the pseudo- attribute entry of the entry being added, and add (=a) privileges on the pseudo-attribute children of the entry's parent. When adding the suffix entry of a database, add access to children of the empty DN ("") is required. Also if Add content ACL checking has been configured on the database (see the slapd.conf(5) or slapd-config(5) manual page), add (=a) will be required on all of the attributes being added.

The bind operation, when credentials are stored in the directory, requires auth (=x) privileges on the attribute the credentials are stored in (usually userPassword).

The compare operation requires compare (=c) privileges on the attribute that is being compared.

The delete operation requires delete (=z) privileges on the pseudo-attribute entry of the entry being deleted, and delete (=d) privileges on the children pseudo-attribute of the entry's parent.

The modify operation requires write (=w) privileges on the attributes being modified. In detail, add (=a) is required to add new values, delete (=z) is required to delete existing values, and both delete and add (=az), or write (=w), are required to replace existing values.

The modrdn operation requires write (=w) privileges on the pseudo-attribute entry of the entry whose relative DN is being modified, delete (=z) privileges on the pseudo-attribute children of the old entry's parents, add (=a) privileges on the pseudo- attribute children of the new entry's parents, and add (=a) privileges on the attributes that are present in the new relative DN. Delete (=z) privileges are also required on the attributes that are present in the old relative DN if deleteoldrdn is set to 1.

The search operation, requires search (=s) privileges on the entry pseudo-attribute of the searchBase (NOTE: this was introduced with OpenLDAP 2.4). Then, for each entry, it requires search (=s) privileges on the attributes that are defined in the filter. The resulting entries are finally tested for read (=r) privileges on the pseudo-attribute entry (for read access to the entry itself) and for read (=r) access on each value of each attribute that is requested. Also, for each referral object used in generating continuation references, the operation requires read (=r) access on the pseudo-attribute entry (for read access to the referral object itself), as well as read (=r) access to the attribute holding the referral information (generally the ref attribute).

Some internal operations and some controls require specific access privileges.

The SASL authzID mapping and the LDAP proxyAuthz control require auth (=x) privileges on all the attributes that are present in the search filter of the URI regexp maps (the right-hand side of the authz-regexp directives). Auth (=x) privileges are also required on the authzTo attribute of the authorizing identity and/or on the authzFrom attribute of the authorized identity. In both cases, it is the authorizing identity that requires the privileges (i.e. the identity that has authenticated and is now trying to do some operation using another entity's permissions).

In general, when an internal lookup is performed for authentication or authorization purposes, search-specific privileges (see the access requirements for the search operation illustrated above) are relaxed to auth.

Access control to search entries is checked by the frontend, so it is fully honored by all backends; for all other operations and for the discovery phase of the search operation, full ACL semantics is only supported by the primary backends, i.e. slapd-mdb(5).

Some other backend, like slapd-sql(5), may fully support them; others may only support a portion of the described semantics, or even differ in some aspects. The relevant details are described in the backend-specific man pages.