.TH SLAPD.ACCESS 5 "RELEASEDATE" "OpenLDAP LDVERSION" .\" Copyright 1998-2021 The OpenLDAP Foundation All Rights Reserved. .\" Copying restrictions apply. See COPYRIGHT/LICENSE. .\" $OpenLDAP$ .SH NAME slapd.access \- access configuration for slapd, the stand-alone LDAP daemon .SH SYNOPSIS ETCDIR/slapd.conf .SH DESCRIPTION The .BR slapd.conf (5) file contains configuration information for the .BR slapd (8) daemon. This configuration file is also used by the SLAPD tools .BR slapacl (8), .BR slapadd (8), .BR slapauth (8), .BR slapcat (8), .BR slapdn (8), .BR slapindex (8), .BR slapmodify (8), and .BR slaptest (8). .LP The .B slapd.conf file consists of a series of global configuration options that apply to .B slapd as a whole (including all backends), followed by zero or more database backend definitions that contain information specific to a backend instance. .LP The general format of .B slapd.conf is as follows: .LP .nf # comment - these options apply to every database # first database definition & configuration options database # subsequent database definitions & configuration options ... .fi .LP Both the global configuration and each backend-specific section can contain access information. Backend-specific access control directives are used for those entries that belong to the backend, according to their naming context. In case no access control directives are defined for a backend or those which are defined are not applicable, the directives from the global configuration section are then used. .LP If no access controls are present, the default policy allows anyone and everyone to read anything but restricts updates to rootdn. (e.g., "access to * by * read"). .LP When dealing with an access list, because the global access list is effectively appended to each per-database list, if the resulting list is non-empty then the access list will end with an implicit .B access to * by * none directive. If there are no access directives applicable to a backend, then a default read is used. .LP .B Be warned: the rootdn can always read and write EVERYTHING! .LP For entries not held in any backend (such as a root DSE), the global directives are used. .LP Arguments that should be replaced by actual text are shown in brackets <>. .SH THE ACCESS DIRECTIVE The structure of the access control directives is .TP .B access to "[ by [ ] [ ] ]+" Grant access (specified by .BR ) to a set of entries and/or attributes (specified by .BR ) by one or more requestors (specified by .BR ). .LP Lists of access directives are evaluated in the order they appear in \fIslapd.conf\fP. When a .B clause matches the datum whose access is being evaluated, its .B clause list is checked. When a .B clause matches the accessor's properties, its .B and .B clauses are evaluated. .LP Access control checking stops at the first match of the .B and .B clause, unless otherwise dictated by the .B clause. Each .B clause list is implicitly terminated by a .LP .nf by * none stop .fi .LP .B clause. This implicit .B stops access directive evaluation with no more access privileges granted to anyone else. To stop access directive evaluation only when both .B and .B match, add an explicit .LP .nf by * break .fi .LP to the end of the .B clause list. .LP Each .B clause list is implicitly terminated by a .LP .nf access to * by * none .fi .LP clause that results in granting no access privileges to an otherwise unspecified datum. .SH THE FIELD The field .BR specifies the entity the access control directive applies to. It can have the forms .LP .nf dn[.]= filter= attrs=[ val[/matchingRule][.]=] .fi .LP with .LP .nf ={{exact|base(object)}|regex |one(level)|sub(tree)|children} ={|[{!|@}]}[,] ={{exact|base(object)}|regex |one(level)|sub(tree)|children} .fi .LP The statement .B dn= selects the entries based on their naming context. The .B is a string representation of the entry's DN. The wildcard .B * stands for all the entries, and it is implied if no .B dn form is given. .LP The .B is optional; however, it is recommended to specify it to avoid ambiguities. .B Base (synonym of .BR baseObject ), the default, or .B exact (an alias of .BR base ) indicates the entry whose DN is equal to the .BR ; .B one (synonym of .BR onelevel ) indicates all the entries immediately below the .BR , .B sub (synonym of .BR subtree ) indicates all entries in the subtree at the .BR , .B children indicates all the entries below (subordinate to) the .BR . .LP If the .B qualifier is .BR regex , then .B is a POSIX (''extended'') regular expression pattern, as detailed in .BR regex (7) and/or .BR re_format (7), matching a normalized string representation of the entry's DN. The regex form of the pattern does not (yet) support UTF-8. .LP The statement .B filter= selects the entries based on a valid LDAP filter as described in RFC 4515. A filter of .B (objectClass=*) is implied if no .B filter form is given. .LP The statement .B attrs= selects the attributes the access control rule applies to. It is a comma-separated list of attribute types, plus the special names .BR entry , indicating access to the entry itself, and .BR children , indicating access to the entry's children. ObjectClass names may also be specified in this list, which will affect all the attributes that are required and/or allowed by that objectClass. Actually, names in .B that are prefixed by .B @ are directly treated as objectClass names. A name prefixed by .B ! is also treated as an objectClass, but in this case the access rule affects the attributes that are not required nor allowed by that objectClass. If no .B attrs form is given, .B attrs=@extensibleObject is implied, i.e. all attributes are addressed. .LP Using the form .B attrs= val[/matchingRule][.]= specifies access to a particular value of a single attribute. In this case, only a single attribute type may be given. The .B .B exact (the default) uses the attribute's equality matching rule to compare the value, unless a different (and compatible) matching rule is specified. If the .B is .BR regex , the provided value is used as a POSIX (''extended'') regular expression pattern. If the attribute has DN syntax, the .B can be any of .BR base , .BR onelevel , .B subtree or .BR children , resulting in base, onelevel, subtree or children match, respectively. .LP The dn, filter, and attrs statements are additive; they can be used in sequence to select entities the access rule applies to based on naming context, value and attribute type simultaneously. Submatches resulting from .B regex matching can be dereferenced in the .B field using the syntax .IR ${v} , where .I is the submatch number. The default syntax, .IR $ , is actually an alias for .IR ${d} , that corresponds to dereferencing submatches from the .B dnpattern portion of the .B field. .SH THE FIELD The field .B indicates whom the access rules apply to. Multiple .B statements can appear in an access control statement, indicating the different access privileges to the same resource that apply to different accessee. It can have the forms .LP .nf * anonymous users self[.] dn[.[,]]= dnattr= realanonymous realusers realself[.] realdn[.[,]]= realdnattr= group[/[/]] [.]= peername[.]= sockname[.