access configuration for slapd, the stand-alone LDAP daemon
THE <WHAT> FIELD
       The field <what> specifies the entity the access control directive applies to. It can have the forms

              dn[.<dnstyle>]=<dnpattern>
              filter=<ldapfilter>
              attrs=<attrlist>[ val[/matchingRule][.<attrstyle>]=<attrval>]

       with

              <dnstyle>={{exact|base(object)}|regex|one(level)|sub(tree)|children}
              <attrlist>={<attr>|[{!|@}]<objectClass>}[,<attrlist>]
              <attrstyle>={{exact|base(object)}|regex|one(level)|sub(tree)|children}
       The statement dn=<dnpattern> selects the entries based on their naming context. The <dnpattern> is a string representation of the entry's DN. The wildcard * stands for all the entries, and it is implied if no dn form is given.

       The <dnstyle> is optional; however, it is recommended to specify it to avoid ambiguities. Base (synonym of baseObject), the default, or exact (an alias of base) indicates the entry whose DN is equal to the <dnpattern>; one (synonym of onelevel) indicates all the entries immediately below the <dnpattern>; sub (synonym of subtree) indicates all entries in the subtree at the <dnpattern>; children indicates all the entries below (subordinate to) the <dnpattern>.
       If the <dnstyle> qualifier is regex, then <dnpattern> is a POSIX (''extended'') regular expression pattern, as detailed in regex(7) and/or re_format(7), matching a normalized string representation of the entry's DN. The regex form of the pattern does not (yet) support UTF-8.
       The statement filter=<ldapfilter> selects the entries based on a valid LDAP filter as described in RFC 4515. A filter of (objectClass=*) is implied if no filter form is given.
       The statement attrs=<attrlist> selects the attributes the access control rule applies to. It is a comma-separated list of attribute types, plus the special names entry, indicating access to the entry itself, and children, indicating access to the entry's children. ObjectClass names may also be specified in this list, which will affect all the attributes that are required and/or allowed by that objectClass. Actually, names in <attrlist> that are prefixed by @ are directly treated as objectClass names. A name prefixed by ! is also treated as an objectClass, but in this case the access rule affects the attributes that are neither required nor allowed by that objectClass. If no attrs form is given, attrs=@extensibleObject is implied, i.e. all attributes are addressed.
       Using the form attrs=<attr> val[/matchingRule][.<attrstyle>]=<attrval> specifies access to a particular value of a single attribute. In this case, only a single attribute type may be given. The <attrstyle> exact (the default) uses the attribute's equality matching rule to compare the value, unless a different (and compatible) matching rule is specified. If the <attrstyle> is regex, the provided value is used as a POSIX (''extended'') regular expression pattern. If the attribute has DN syntax, the <attrstyle> can be any of base, onelevel, subtree or children, resulting in base, onelevel, subtree or children match, respectively.
       The dn, filter, and attrs statements are additive; they can be used in sequence to select entities the access rule applies to based on naming context, value and attribute type simultaneously.

       Submatches resulting from regex matching can be dereferenced in the <who> field using the syntax ${v<n>}, where <n> is the submatch number. The default syntax, $<n>, is actually an alias for ${d<n>}, that corresponds to dereferencing submatches from the dnpattern portion of the <what> field.
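       As an added illustration (not OpenLDAP code), the following Python models how the dn.<dnstyle> forms described above select entries, and what the ${d<n>} submatches of a dn.regex pattern expand to, so that the scope of a rule can be checked against sample DNs before it is deployed. It assumes a simplified DN normalisation (case-folding, blanks stripped around commas) and uses Python's re module in place of POSIX ERE.

```python
import re

def normalize_dn(dn: str) -> str:
    """Simplified normalisation assumed for this example: case-fold and drop
    blanks around RDN separators (slapd normalises per attribute syntax)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def dn_matches(style: str, pattern: str, entry_dn: str) -> bool:
    """True if entry_dn is selected by dn.<style>=<pattern>, following the
    <dnstyle> definitions: base/exact, one/onelevel, sub/subtree, children, regex."""
    entry = normalize_dn(entry_dn)
    if style == "regex":
        # Applied to the normalised DN; unanchored like regexec(3), so ACL
        # authors anchor with ^ and $. Python re stands in for POSIX ERE here.
        return re.search(pattern, entry) is not None
    base = normalize_dn(pattern)
    if style in ("base", "baseobject", "exact"):
        return entry == base
    # Strictly subordinate: the entry ends in ",<pattern>" (empty pattern = root).
    # Commas inside quoted RDN values are not handled in this simplified model.
    below = entry != base and (base == "" or entry.endswith("," + base))
    if style in ("one", "onelevel"):
        head = entry[:-(len(base) + 1)] if base else entry
        return below and "," not in head  # exactly one RDN above the pattern
    if style in ("sub", "subtree"):
        return entry == base or below
    if style == "children":
        return below
    raise ValueError(f"unknown <dnstyle>: {style}")

def dn_submatches(pattern: str, entry_dn: str) -> list:
    """Submatches of a dn.regex pattern, i.e. the values ${d1}, ${d2}, ... expand
    to in the <who> field; empty when the entry is not selected."""
    m = re.search(pattern, normalize_dn(entry_dn))
    return list(m.groups()) if m else []

if __name__ == "__main__":
    # Constructed sample DNs showing the scope of each style for one pattern.
    people = "ou=People,dc=example,dc=com"
    for dn in (people, "uid=alice," + people, "cn=pager,uid=alice," + people):
        hits = [s for s in ("exact", "one", "sub", "children") if dn_matches(s, people, dn)]
        print(f"{dn:45} selected by: {', '.join(hits) or '-'}")
    print(dn_submatches(r"^uid=([^,]+),ou=people,dc=example,dc=com$", "uid=alice," + people))
```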