Access control instructions (ACIs) are represented as strings that are applied to one or
more entries within the Directory Information Tree (DIT). Typically, an ACI is placed on a
subtree, such as dc=example,dc=com, and applies to that base entry and all
entries below it in the tree. The Directory Proxy Server iterates through the DIT to
compile the access control rules into an internally-used list of denied and allowed targets
and their permissible operations. When a client application, such as
ldapsearch, submits a request, the Directory Proxy Server checks
that the user bound to the server has the necessary access rights to the requested
search targets. ACIs are applied cumulatively: a user covered by an ACI on an
entry may also have additional access rights from ACIs defined higher in the DIT,
provided those ACIs apply to that user. In most environments, ACIs are defined at the root of a main
branch or a subtree, and not on individual entries unless absolutely required.
An access control rule has the following basic syntax:

```
aci: (targets) (version 3.0; acl "name";
    permissions
    bind rules
;)
```
| Access Control Component | Description |
|---|---|
| targets | Specifies the set of entries and/or attributes to which an access control rule applies. Syntax: `(target keyword = || != expression)` |
| name | Specifies the name of the ACI. |
| permissions | Specifies the type of operations to which an access control rule might apply. Syntax: `allow||deny (permission)` |
| bind rules | Specifies the criteria that indicate whether an access control rule should apply to a given requestor. Syntax: `bind rule keyword = || != expression;`. The bind rule syntax requires that it be terminated with a `;`. |
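As an added example (not code from the page or from the Directory Proxy Server product), here is a small Python parser for the ACI structure described above: it splits an ACI string into its targets, name and allow/deny rules, rejects a bind rule that is not terminated with `;`, and flags allow rules that grant write or all to an unrestricted bind rule. The sample ACI string and the `userdn="ldap:///self"` / `userdn="ldap:///anyone"` bind-rule forms are constructed for this example and assumed to follow the syntax in the table.

```python
import re

# Constructed sample in the ACI syntax described above (not taken from the page).
SAMPLE_ACI = (
    '(targetattr="userPassword")'
    '(version 3.0; acl "Self password write"; '
    'allow (write) userdn="ldap:///self"; '
    'deny (read,search) userdn="ldap:///anyone";)'
)

# One target clause: (keyword = "expression") or (keyword != "expression")
TARGET_RE = re.compile(r'\(\s*(\w+)\s*(!=|=)\s*"([^"]*)"\s*\)')
# The (version 3.0; acl "name"; header that opens the permission body
HEADER_RE = re.compile(r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;')
# allow/deny (permissions) followed by a bind rule that must end with ';'
RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*(.*?);', re.S)


def parse_aci(aci):
    """Split an ACI into targets, name and (action, permissions, bind rule) tuples."""
    header = HEADER_RE.search(aci)
    if header is None:
        raise ValueError('ACI lacks the (version 3.0; acl "name"; ...) body')
    targets = TARGET_RE.findall(aci[:header.start()])
    body = aci[header.end():].strip()
    if not body.endswith(")"):
        raise ValueError("ACI body must be closed with ')'")
    body = body[:-1]
    rules = []
    for action, perms, bind in RULE_RE.findall(body):
        perm_set = {p.strip() for p in perms.split(",") if p.strip()}
        rules.append((action, perm_set, bind.strip()))
    # Anything left once the well-formed rules are removed is a bind rule
    # that was not terminated with ';' (the syntax error the table warns about).
    leftover = RULE_RE.sub("", body).strip()
    if leftover:
        raise ValueError("bind rule not terminated with ';': " + leftover)
    return {"targets": targets, "name": header.group(1), "rules": rules}


def broad_grants(parsed):
    """Return allow rules that give write or all to the unrestricted anyone bind rule."""
    return [
        (action, perms, bind)
        for action, perms, bind in parsed["rules"]
        if action == "allow"
        and perms & {"write", "all"}
        and "ldap:///anyone" in bind
    ]
```

Because ACIs apply cumulatively down the DIT, running `broad_grants` over every ACI from the root to an entry shows the full set of wide grants a requestor inherits at that entry.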