Examples of common access control rules

This section demonstrates access controls that are commonly used in a directory deployment. To modify access control definitions in the server, a user must have the modify-acl privilege.
Administrator access

The following access control instructions (ACIs) grant members of the cn=admins,ou=groups,dc=example,dc=com group these permissions:

- Add, modify, and delete entries
- Reset passwords
- Read operational attributes, such as isMemberOf and password policy state

aci: (targetattr="+")(version 3.0; acl "Administrators can read, search or compare operational attributes"; allow (read,search,compare) groupdn="ldap:///cn=admins,ou=groups,dc=example,dc=com";)
aci: (targetattr="*")(version 3.0; acl "Administrators can add, modify and delete entries"; allow (all) groupdn="ldap:///cn=admins,ou=groups,dc=example,dc=com";)
Anonymous and authenticated access

The following ACIs allow anonymous read, search, and compare on selected attributes of inetOrgPerson entries, while authenticated users can access several more attributes. An authenticated user inherits the permissions of the anonymous ACI and can also change userPassword.

aci: (targetattr="objectclass || uid || cn || mail || sn || givenName")(targetfilter="(objectClass=inetorgperson)") (version 3.0; acl "Anyone can access names and email addresses of entries representing people"; allow (read,search,compare) userdn="ldap:///anyone";)
aci: (targetattr="departmentNumber || manager || isMemberOf")(targetfilter="(objectClass=inetorgperson)") (version 3.0; acl "Authenticated users can access these fields for entries representing people"; allow (read,search,compare) userdn="ldap:///all";)
aci: (targetattr="userPassword")(version 3.0; acl "Authenticated users can change password"; allow (write) userdn="ldap:///all";)

To prevent anonymous access to the directory server, set the global configuration property reject-unauthenticated-requests to true.
Delegated access to a manager

The following ACI allows an employee's manager to edit the value of the employee's telephoneNumber attribute. This ACI uses the userattr keyword with a bind type of USERDN, which indicates that the target entry's manager attribute must have a value equal to the distinguished name (DN) of the authenticated user.

aci: (targetattr="telephoneNumber") (version 3.0; acl "A manager can update telephone numbers of her direct reports"; allow (read,search,compare,write) userattr="manager#USERDN";)
Proxy authorization

The following ACI allows the application cn=OnBehalf,ou=applications,dc=example,dc=com to use the proxied authorization V2 control to request that operations be performed using an alternate authorization identity.

aci: (version 3.0;acl "Application OnBehalf can proxy as another entry"; allow (proxy) userdn="ldap:///cn=OnBehalf,ou=applications,dc=example,dc=com";)
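To make the rules in the four sections above concrete, here is an added Python example. It is not part of this page and not the directory server's own access-control engine: it parses the seven ACIs shown above and evaluates sample requests against a small constructed directory, so you can see which bind identity gets which right on which attribute. It assumes several simplifications: ACIs are allow-only and placed at the suffix, so subtree scope is ignored; a targetfilter holds a single equality term; each ACI has one bind rule; the set of operational attributes is a constructed list; and the DNs uid=admin, uid=alice and uid=bob under ou=people are invented sample data.

```python
"""Toy evaluator for the ACI examples on this page (constructed example, not the
server's own engine).  It models only what those ACIs use: targetattr, a single
equality targetfilter, allow, and one userdn/groupdn/userattr(USERDN) bind rule."""
import re
from collections import namedtuple

OPERATIONAL_ATTRS = {"ismemberof", "pwdpolicysubentry", "pwdchangedtime"}  # constructed "+" set
ALL_RIGHTS = {"read", "search", "compare", "write", "add", "delete", "selfwrite"}  # "all" excludes proxy
ACI_RE = re.compile(
    r'(?:\(targetattr\s*=\s*"(?P<targetattr>[^"]*)"\))?\s*'
    r'(?:\(targetfilter\s*=\s*"(?P<targetfilter>[^"]*)"\))?\s*'
    r'\(version\s+3\.0;\s*acl\s+"(?P<name>[^"]*)";\s*allow\s*\((?P<rights>[^)]*)\)\s*'
    r'(?P<kind>userdn|groupdn|userattr)\s*=\s*"(?P<value>[^"]*)"\s*;\s*\)', re.IGNORECASE)
Aci = namedtuple("Aci", "name targetattr targetfilter rights kind value")

def parse_aci(text):
    """Parse one aci value; ValueError on syntax this toy does not support."""
    m = ACI_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unsupported ACI syntax: {text}")
    rights = {r.strip().lower() for r in m["rights"].split(",")}
    if "all" in rights:                         # "all" never implies the proxy right
        rights = (rights - {"all"}) | ALL_RIGHTS
    return Aci(m["name"], m["targetattr"], m["targetfilter"], rights, m["kind"].lower(), m["value"])

def norm_dn(dn):
    """Cheap DN normalisation: lower-case, no whitespace around commas."""
    return ",".join(p.strip() for p in dn.lower().split(","))

def _attr_targeted(aci, attr):
    if attr is None:                            # entry-level right: add, delete, proxy
        return aci.targetattr in (None, "*")
    attr = attr.lower()
    if aci.targetattr == "*":                   # every user attribute, never operational ones
        return attr not in OPERATIONAL_ATTRS
    if aci.targetattr == "+":                   # operational attributes only
        return attr in OPERATIONAL_ATTRS
    return attr in {a.strip().lower() for a in (aci.targetattr or "").split("||")}

def _filter_matches(aci, entry):
    if aci.targetfilter is None:
        return True
    m = re.fullmatch(r"\((\w+)=([^)]+)\)", aci.targetfilter)  # one equality term only
    if not m:
        raise ValueError(f"unsupported targetfilter: {aci.targetfilter}")
    return m[2].lower() in {v.lower() for v in entry.get(m[1].lower(), [])}

def _bind_rule_matches(aci, bind_dn, target_dn, entry, directory):
    spec = re.sub(r"^ldap:///", "", aci.value, flags=re.IGNORECASE)
    if aci.kind == "userdn" and spec == "anyone":
        return True                             # anonymous and authenticated alike
    if bind_dn is None:
        return False                            # every other rule needs a bound identity
    if aci.kind == "userdn":
        if spec == "all":
            return True
        return norm_dn(bind_dn) == norm_dn(target_dn if spec == "self" else spec)
    if aci.kind == "groupdn":
        members = directory.get(norm_dn(spec), {}).get("member", [])
        return norm_dn(bind_dn) in {norm_dn(m) for m in members}
    attr, bind_type = aci.value.split("#", 1)   # userattr="manager#USERDN"
    if bind_type.upper() != "USERDN":
        raise ValueError(f"unsupported userattr bind type: {bind_type}")
    return norm_dn(bind_dn) in {norm_dn(v) for v in entry.get(attr.lower(), [])}

def is_allowed(acis, bind_dn, target_dn, attr, right, directory):
    """True if some ACI grants `right` on `attr` (None = entry-level) of target_dn.
    Only allow rules are modelled, so any match grants and the default is deny."""
    entry = directory[norm_dn(target_dn)]
    return any(right.lower() in a.rights and _attr_targeted(a, attr) and _filter_matches(a, entry)
               and _bind_rule_matches(a, bind_dn, target_dn, entry, directory) for a in acis)

def can_proxy(acis, bind_dn, authz_dn, directory):
    """Proxied authorization: bind_dn may act as authz_dn only via an explicit proxy right."""
    return is_allowed(acis, bind_dn, authz_dn, None, "proxy", directory)

# Constructed sample data: keys are normalised DNs, attribute names are lower-case.
ADMIN, ALICE = "uid=admin,ou=people,dc=example,dc=com", "uid=alice,ou=people,dc=example,dc=com"
BOB, ADMINS = "uid=bob,ou=people,dc=example,dc=com", "cn=admins,ou=groups,dc=example,dc=com"
APP = "cn=OnBehalf,ou=applications,dc=example,dc=com"
DIRECTORY = {
    norm_dn(ADMINS): {"objectclass": ["groupOfNames"], "cn": ["admins"], "member": [ADMIN]},
    norm_dn(ALICE): {"objectclass": ["inetOrgPerson"], "cn": ["Alice"], "mail": ["alice@example.com"],
                     "departmentnumber": ["42"], "userpassword": ["{SSHA}x"]},
    norm_dn(BOB): {"objectclass": ["inetOrgPerson"], "cn": ["Bob"], "mail": ["bob@example.com"],
                   "manager": [ALICE], "telephonenumber": ["+1 555 0100"], "userpassword": ["{SSHA}y"],
                   "pwdchangedtime": ["20240101000000Z"]},
}
# The seven ACIs shown on this page, as written.
PAGE_ACIS = [parse_aci(a) for a in (
    '(targetattr="+")(version 3.0; acl "Administrators can read, search or compare operational attributes"; allow (read,search,compare) groupdn="ldap:///cn=admins,ou=groups,dc=example,dc=com";)',
    '(targetattr="*")(version 3.0; acl "Administrators can add, modify and delete entries"; allow (all) groupdn="ldap:///cn=admins,ou=groups,dc=example,dc=com";)',
    '(targetattr="objectclass || uid || cn || mail || sn || givenName")(targetfilter="(objectClass=inetorgperson)") (version 3.0; acl "Anyone can access names and email addresses of entries representing people"; allow (read,search,compare) userdn="ldap:///anyone";)',
    '(targetattr="departmentNumber || manager || isMemberOf")(targetfilter="(objectClass=inetorgperson)") (version 3.0; acl "Authenticated users can access these fields for entries representing people"; allow (read,search,compare) userdn="ldap:///all";)',
    '(targetattr="userPassword")(version 3.0; acl "Authenticated users can change password"; allow (write) userdn="ldap:///all";)',
    '(targetattr="telephoneNumber") (version 3.0; acl "A manager can update telephone numbers of her direct reports"; allow (read,search,compare,write) userattr="manager#USERDN";)',
    '(version 3.0;acl "Application OnBehalf can proxy as another entry"; allow (proxy) userdn="ldap:///cn=OnBehalf,ou=applications,dc=example,dc=com";)',
)]
```

Calling is_allowed and can_proxy with the sample identities makes three properties visible that are easy to miss when reading the ACIs: targetattr="*" never reaches operational attributes such as pwdChangedTime, so only the targetattr="+" ACI lets the admins group read them; allow (all) does not include proxy, so even an administrator cannot use the proxied authorization control unless a proxy right is granted explicitly, as it is for cn=OnBehalf; and the password ACI, with userdn="ldap:///all", grants write on userPassword for any entry to any authenticated user, not only to the entry's owner. The evaluator also understands the userdn="ldap:///self" bind rule (a keyword the page does not use), which restricts such an ACI to the bound user's own entry; swapping it in and re-running the checks shows the difference.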
The application user must have the |