(Answer) (Category) OpenLDAP Faq-O-Matic : (Category) OpenLDAP Software FAQ : (Category) Configuration : (Category) SLAPD Configuration : (Category) Access Control : (Category) More information about Access Control : (Answer) Static configuration: general format
So we are going to concentrate on the static method here. The access control definition consists in a series of clauses that are studied in turn in the order that they appear in the definition files. Access clauses appearing before the database definitions are the Global Access List and apply to all databases but only after considering access clauses particular to those databases. Well, that's the theory. In practice, notice that what is described here is what the ldbm backend does and other backends will not do most of these checks. The syntax of each access clause is as follows:
<access clause> ::= access to <what> [ by <who> <access> <control> ]+

Well, that was easy: we specify an access target, and then a list of triplets composed of a subject specification, an access rights specification to assign in case the subject matches and a control that specifies what to do after a match. For the time being consider that the control is stop that is the default (and the only possibility in older OpenLDAP versions) and means that all access control processing stops here: no further subjects will be considered in this clause and no other clauses will be considered. In other words, by default, all access control to some item is specified in just one access clause: access rights you forgot to set here cannot be set later, even if a later access clause would seem to include this one. So in most cases you will work from the most specific to the most general. We will see later that this is not the only possibility, but is the most common and most examples are written this way.
jsanchez@openldap.org

[Append to This Answer]
Previous: (Answer) Two access control configuration methods
Next: (Answer) Specifying the target
This document is: http://www.openldap.org/faq/index.cgi?file=449
[Search] [Appearance]
This is a Faq-O-Matic 2.721.test.
© Copyright 1998-2013, OpenLDAP Foundation, info@OpenLDAP.org