From c000cad09d0b54c455c99271bfb996c2dfe13073 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Mon, 6 May 2024 03:23:53 +0200
Subject: Adding upstream version 2.4.47+dfsg.

Signed-off-by: Daniel Baumann
---
 doc/man/man5/slapd.access.5 | 1183 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 1183 insertions(+)
 create mode 100644 doc/man/man5/slapd.access.5

diff --git a/doc/man/man5/slapd.access.5 b/doc/man/man5/slapd.access.5
new file mode 100644
index 0000000..f183daf
--- /dev/null
+++ b/doc/man/man5/slapd.access.5
@@ -0,0 +1,1183 @@ +.TH SLAPD.ACCESS 5 "RELEASEDATE" "OpenLDAP LDVERSION" +.\" Copyright 1998-2018 The OpenLDAP Foundation All Rights Reserved. +.\" Copying restrictions apply. See COPYRIGHT/LICENSE. +.\" $OpenLDAP$ +.SH NAME +slapd.access \- access configuration for slapd, the stand-alone LDAP daemon +.SH SYNOPSIS +ETCDIR/slapd.conf +.SH DESCRIPTION +The +.BR slapd.conf (5) +file contains configuration information for the +.BR slapd (8) +daemon. This configuration file is also used by the SLAPD tools +.BR slapacl (8), +.BR slapadd (8), +.BR slapauth (8), +.BR slapcat (8), +.BR slapdn (8), +.BR slapindex (8), +and +.BR slaptest (8). +.LP +The +.B slapd.conf +file consists of a series of global configuration options that apply to +.B slapd +as a whole (including all backends), followed by zero or more database +backend definitions that contain information specific to a backend +instance. +.LP +The general format of +.B slapd.conf +is as follows: +.LP +.nf + # comment - these options apply to every database + + # first database definition & configuration options + database + + # subsequent database definitions & configuration options + ... +.fi +.LP +Both the global configuration and each backend-specific section can +contain access information. Backend-specific access control +directives are used for those entries that belong to the backend, +according to their naming context. In case no access control +directives are defined for a backend or those which are defined are +not applicable, the directives from the global configuration section +are then used. +.LP +If no access controls are present, the default policy +allows anyone and everyone to read anything but restricts +updates to rootdn. (e.g., "access to * by * read"). +.LP +When dealing with an access list, because the global access list is +effectively appended to each per-database list, if the resulting +list is non-empty then the access list will end with an implicit +.B access to * by * none +directive. 
If there are no access directives applicable to a backend, +then a default read is used. +.LP +.B Be warned: the rootdn can always read and write EVERYTHING! +.LP +For entries not held in any backend (such as a root DSE), the +global directives are used. +.LP +Arguments that should be replaced by actual text are shown in +brackets <>. +.SH THE ACCESS DIRECTIVE +The structure of the access control directives is +.TP +.B access to "[ by [ ] [ ] ]+" +Grant access (specified by +.BR ) +to a set of entries and/or attributes (specified by +.BR ) +by one or more requestors (specified by +.BR ). + +.LP +Lists of access directives are evaluated in the order they appear +in \fIslapd.conf\fP. +When a +.B +clause matches the datum whose access is being evaluated, its +.B +clause list is checked. +When a +.B +clause matches the accessor's properties, its +.B +and +.B +clauses are evaluated. +Access control checking stops at the first match of the +.B +and +.B +clause, unless otherwise dictated by the +.B +clause. +Each +.B +clause list is implicitly terminated by a +.LP +.nf + by * none stop +.fi +.LP +clause that results in stopping the access control with no access +privileges granted. +Each +.B +clause list is implicitly terminated by a +.LP +.nf + access to * + by * none +.fi +.LP +clause that results in granting no access privileges to an otherwise +unspecified datum. +.SH THE FIELD +The field +.BR +specifies the entity the access control directive applies to. +It can have the forms +.LP +.nf + dn[.]= + filter= + attrs=[ val[/matchingRule][.]=] +.fi +.LP +with +.LP +.nf + ={{exact|base(object)}|regex + |one(level)|sub(tree)|children} + ={|[{!|@}]}[,] + ={{exact|base(object)}|regex + |one(level)|sub(tree)|children} +.fi +.LP +The statement +.B dn= +selects the entries based on their naming context. +The +.B +is a string representation of the entry's DN. +The wildcard +.B * +stands for all the entries, and it is implied if no +.B dn +form is given. 
+.LP +The +.B +is optional; however, it is recommended to specify it to avoid ambiguities. +.B Base +(synonym of +.BR baseObject ), +the default, +or +.B exact +(an alias of +.BR base ) +indicates the entry whose DN is equal to the +.BR ; +.B one +(synonym of +.BR onelevel ) +indicates all the entries immediately below the +.BR , +.B sub +(synonym of +.BR subtree ) +indicates all entries in the subtree at the +.BR , +.B children +indicates all the entries below (subordinate to) the +.BR . +.LP +If the +.B +qualifier is +.BR regex , +then +.B +is a POSIX (''extended'') regular expression pattern, +as detailed in +.BR regex (7) +and/or +.BR re_format (7), +matching a normalized string representation of the entry's DN. +The regex form of the pattern does not (yet) support UTF-8. +.LP +The statement +.B filter= +selects the entries based on a valid LDAP filter as described in RFC 4515. +A filter of +.B (objectClass=*) +is implied if no +.B filter +form is given. +.LP +The statement +.B attrs= +selects the attributes the access control rule applies to. +It is a comma-separated list of attribute types, plus the special names +.BR entry , +indicating access to the entry itself, and +.BR children , +indicating access to the entry's children. ObjectClass names may also +be specified in this list, which will affect all the attributes that +are required and/or allowed by that objectClass. +Actually, names in +.B +that are prefixed by +.B @ +are directly treated as objectClass names. A name prefixed by +.B ! +is also treated as an objectClass, but in this case the access rule +affects the attributes that are not required nor allowed +by that objectClass. +If no +.B attrs +form is given, +.B attrs=@extensibleObject +is implied, i.e. all attributes are addressed. +.LP +Using the form +.B attrs= val[/matchingRule][.]= +specifies access to a particular value of a single attribute. +In this case, only a single attribute type may be given. 
The +.B +.B exact +(the default) uses the attribute's equality matching rule to compare the +value, unless a different (and compatible) matching rule is specified. If the +.B +is +.BR regex , +the provided value is used as a POSIX (''extended'') regular +expression pattern. If the attribute has DN syntax, the +.B +can be any of +.BR base , +.BR onelevel , +.B subtree +or +.BR children , +resulting in base, onelevel, subtree or children match, respectively. +.LP +The dn, filter, and attrs statements are additive; they can be used in sequence +to select entities the access rule applies to based on naming context, +value and attribute type simultaneously. +Submatches resulting from +.B regex +matching can be dereferenced in the +.B +field using the syntax +.IR ${v} , +where +.I +is the submatch number. +The default syntax, +.IR $ , +is actually an alias for +.IR ${d} , +that corresponds to dereferencing submatches from the +.B dnpattern +portion of the +.B +field. +.SH THE FIELD +The field +.B +indicates whom the access rules apply to. +Multiple +.B +statements can appear in an access control statement, indicating the +different access privileges to the same resource that apply to different +accessee. +It can have the forms +.LP +.nf + * + anonymous + users + self[.] + + dn[.[,]]= + dnattr= + + realanonymous + realusers + realself[.] + + realdn[.[,]]= + realdnattr= + + group[/[/]] + [.]= + peername[.]= + sockname[.
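Review bot: the bracketed argument names that this man page itself says it uses ("Arguments that should be replaced by actual text are shown in brackets <>") are missing everywhere in the hunk as shown here: the directive synopsis reads `.B access to "[ by [ ] [ ] ]+"`, the section headings read `.SH THE FIELD`, and lines such as `.BR )` and a bare `.B` carry no argument, so the rendered page would print blank words exactly where the reader needs the names of the fields and the dnpattern/style tokens. Please confirm the committed doc/man/man5/slapd.access.5 still contains them (this looks like the angle-bracket text being dropped by the HTML view rather than by the import, but the file is unusable as documentation without it). On the content itself, the DESCRIPTION is worth a second read before shipping: it states that with no access directives at all the default is world-readable ("access to * by * read") while any non-empty list is terminated by an implicit `access to * by * none`; both statements are correct and consistent, but a packaged slapd.conf that drops all its ACLs silently falls back to the permissive default, so the import is a good place to make sure the distribution's shipped configuration carries an explicit ACL rather than relying on that default.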