Guide to the Linux Manual




slapd.access(5)

access configuration for slapd, the stand-alone LDAP daemon

THE <ACCESS> FIELD

The optional field <access> ::= [[real]self]{<level>|<priv>} determines the access level or the specific access privileges the who field will have. Its components are defined as

   <level> ::= none|disclose|auth|compare|search|read|{write|add|delete}|manage
   <priv>  ::= {=|+|-}{0|d|x|c|s|r|{w|a|z}|m}+

The modifier self grants the given access level or privilege only when the operation involves the name of the user that is requesting the access. It implies that the user requesting access is authorized. The modifier realself refers to the authenticated DN, as opposed to the authorized DN used by the self modifier. An example is selfwrite access to the member attribute of a group, which allows a user to add or delete their own DN from the member list of the group while not being allowed to affect other members.

The level access model relies on an incremental interpretation of the access privileges. The possible levels are none, disclose, auth, compare, search, read, write, and manage. Each access level implies all the preceding ones, thus manage grants all access including administrative access. This access allows some modifications which would otherwise be prohibited by the LDAP data model or the directory schema, e.g. changing the structural objectclass of an entry, or modifying an operational attribute that is defined as not user modifiable. The write access is actually the combination of add and delete, which respectively restrict the write privilege to add or delete the specified <what>.

The none access level disallows all access including disclosure on error.

The disclose access level allows disclosure of information on error.

The auth access level means that one is allowed access to an attribute to perform authentication/authorization operations (e.g. bind) with no other access. This is useful to grant unauthenticated clients the least possible access level to critical resources, like passwords.

The priv access model relies on the explicit setting of access privileges for each clause. The = sign resets previously defined accesses; as a consequence, the final access privileges will be only those defined by the clause. The + and - signs add/remove access privileges to the existing ones. The privileges are m for manage, w for write, a for add, z for delete, r for read, s for search, c for compare, x for authentication, and d for disclose. More than one of the above privileges can be added in one statement. 0 indicates no privileges and is used only by itself (e.g., +0). Note that +az is equivalent to +w.

If no access is given, it defaults to +0.
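The level model (each level implies all the preceding ones, write being add plus delete) and the priv model (= resets, + and - adjust, 0 only by itself, w expanding to az) above are compact enough to be checked mechanically. The following is an added Python example, not code from the page or from OpenLDAP itself: it parses an <access> field according to the grammar given above, expands a <level> into the privilege letters it implies, and applies a sequence of <priv> clauses in order. The ordering of levels, the letter assignments, and the +0 default are taken from the page; the treatment of add and delete as "write restricted to a or z only" and the simple in-order folding of clauses (no clause-control flags) are assumptions of this model. All input strings are constructed for the demonstration.

```python
import re

# Incremental access levels from slapd.access(5): each implies all earlier ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Privilege letter(s) each level adds on top of the previous one.
# w (write) is itself the pair a (add) + z (delete), as the page states.
LEVEL_ADDS = {"disclose": "d", "auth": "x", "compare": "c", "search": "s",
              "read": "r", "write": "az", "manage": "m"}

# <priv> ::= {=|+|-}{0|d|x|c|s|r|{w|a|z}|m}+ ; 0 may only appear alone.
PRIV_RE = re.compile(r"([=+-])(0|[dxcsrwazm]+)$")


def level_privs(level):
    """Expand a <level> keyword into the set of single-letter privileges it grants.

    'add' and 'delete' occupy the write position of the grammar; this model (an
    assumption) reads them as write restricted to only a or only z, with every
    level below write still implied.
    """
    if level in ("add", "delete"):
        return level_privs("read") | {"a" if level == "add" else "z"}
    if level not in LEVELS:
        raise ValueError(f"unknown <level>: {level!r}")
    privs = set()
    for name in LEVELS[1 : LEVELS.index(level) + 1]:
        privs |= set(LEVEL_ADDS[name])
    return privs


def apply_priv(current, priv):
    """Apply one <priv> clause to an existing privilege set and return the result."""
    m = PRIV_RE.match(priv)
    if not m:
        raise ValueError(f"malformed <priv>: {priv!r}")
    op, letters = m.groups()
    # 0 means no privileges; w is shorthand for a+z.
    delta = set() if letters == "0" else set(letters.replace("w", "az"))
    if op == "=":
        return set(delta)            # reset: only this clause's privileges remain
    if op == "+":
        return set(current) | delta  # add to what is already granted
    return set(current) - delta      # '-': remove from what is already granted


def parse_access(field):
    """Split an <access> field into (modifier, kind, value).

    modifier is 'self', 'realself' or None; kind is 'level' or 'priv'.
    An empty field defaults to '+0', as the page states.
    """
    modifier = None
    for mod in ("realself", "self"):
        if field.startswith(mod):
            modifier, field = mod, field[len(mod):]
            break
    if field == "":
        field = "+0"
    if field[0] in "=+-":
        return modifier, "priv", field
    if field in LEVELS or field in ("add", "delete"):
        return modifier, "level", field
    raise ValueError(f"unrecognised <access> field: {field!r}")


def evaluate(fields, current=frozenset()):
    """Fold a sequence of <access> fields into the resulting privilege set.

    A <level> replaces the current set outright; a <priv> adjusts it. Clauses
    are applied strictly in order (simplified model, an assumption here).
    """
    privs = set(current)
    for field in fields:
        _, kind, value = parse_access(field)
        privs = level_privs(value) if kind == "level" else apply_priv(privs, value)
    return privs


def as_level(privs):
    """Name the <level> whose privilege set equals privs exactly, else None."""
    for name in LEVELS:
        if level_privs(name) == set(privs):
            return name
    return None


if __name__ == "__main__":
    # Constructed examples, not taken from any real slapd configuration.
    for fields in (["auth"], ["selfwrite"], ["=rscxd", "+az"], ["manage", "-m"], ["+w", "-a"]):
        privs = evaluate(fields)
        print(fields, "->", "".join(sorted(privs)) or "0", as_level(privs))
```

Running the block shows that the page's equivalences hold in this model: "=rscxd" followed by "+az" yields the same set as "+w", which is exactly the write level, and manage with m removed again collapses to write. It also makes the least-privilege point of the auth level concrete: auth expands to only d and x, so an anonymous client granted auth on a password attribute can bind against it but cannot compare, search or read it.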