“main” (Installation and Administration) — 2004/6/25 — 13:29 — page 483 — #509
21 Linux in the Network
Example 21.20: slapd.conf: Access Control
# Sample Access Control
# Allow read access of root DSE
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# access to dn="" by * read
access to * by self write
        by users read
        by anonymous auth
#
# if no access controls are present, the default is:
#       Allow read by all
#
# rootdn can always write!
Example 21.20 is the excerpt from slapd.conf that regulates the access
permissions for the LDAP directory on the server. The settings made here
in the global section of slapd.conf are valid as long as no custom access
rules are declared in the database-specific section; those would override
the global declarations. As presented here, all users have read access to the
directory, but only the administrator (rootdn) can write to this directory.
Access control regulation in LDAP is a highly complex process. The following
tips can help:
Every access rule has the following structure:
access to <what> by <who> <access>
<what> is a placeholder for the object or attribute to which access is
granted. Individual directory branches can be protected explicitly
with separate rules. It is also possible to process regions of the directory
tree with one rule by using regular expressions. slapd evaluates
all rules in the order in which they are listed in the configuration file.
More general rules should be listed after more specific ones — the
first rule slapd regards as valid is evaluated and all following entries
are ignored.
<who> determines who should be granted access to the areas determined
with <what>. Regular expressions may be used. slapd again
aborts the evaluation of who after the first match, so more specific
rules should be listed before the more general ones. The entries
shown in Table 21.10 on the following page are possible.
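The first-match evaluation described above (first matching <what>, then its first matching <who>, everything after that ignored), simulated as an added example that is not part of the manual or of slapd itself. It parses a constructed ACL, with hypothetical DNs, that lists a dn.subtree rule before the catch-all rule of Example 21.20; only the *, dn.subtree, self, users, anonymous and dn="..." forms are handled, and the "by self write" clause of Example 21.20 is what lets a bound user modify its own entry.

```python
import re
LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # weakest to strongest; a level implies the lower ones

# Constructed ACL (hypothetical DNs), each "by" clause on its own line: a subtree rule before the catch-all of Example 21.20
ACL_TEXT = """\
access to dn.subtree="ou=secret,dc=example,dc=com"
        by dn="cn=admin,dc=example,dc=com" write
access to *
        by self write
        by users read
        by anonymous auth
"""

def parse_acl(text):
    rules = []  # [(what, [(who, level), ...]), ...] in file order
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("access to "):
            rules.append((line[10:].strip(), []))
        elif line.startswith("by "):
            who, level = line[3:].rsplit(None, 1)
            rules[-1][1].append((who, level))
    return rules

def what_matches(what, target_dn):
    if what == "*":
        return True
    base = re.fullmatch(r'dn\.subtree="(.*)"', what).group(1)  # subtree scope only
    return target_dn == base or target_dn.endswith("," + base)

def who_matches(who, bound_dn, target_dn):
    if who == "*":
        return True
    if who in ("anonymous", "users"):  # anonymous: no bind DN; users: any bind DN
        return (bound_dn == "") == (who == "anonymous")
    if who == "self":  # the bound identity is the entry being accessed
        return bound_dn != "" and bound_dn == target_dn
    return bound_dn == re.fullmatch(r'dn="(.*)"', who).group(1)  # dn="..." exact match

def granted_level(rules, target_dn, bound_dn):
    # First matching <what> wins; inside it the first matching <who> wins, the rest is ignored.
    for what, clauses in rules:
        if what_matches(what, target_dn):
            for who, level in clauses:
                if who_matches(who, bound_dn, target_dn):
                    return level
            return "none"  # <what> matched but no <who> did: implicit "by * none"
    return "read"  # no rule matched: read by all, the default noted in Example 21.20

def allowed(rules, target_dn, bound_dn, needed):
    return LEVELS.index(granted_level(rules, target_dn, bound_dn)) >= LEVELS.index(needed)
```

Evaluating the same rules in reversed order (`parse_acl(ACL_TEXT)[::-1]`) gives an authenticated user read access under ou=secret, because the catch-all now matches first and the subtree rule is never reached; that is the ordering mistake the text warns about.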
483 SUSE LINUX Enterprise Server