diff options
Diffstat (limited to 'tests/data/slapd-acl.conf')
-rw-r--r-- | tests/data/slapd-acl.conf | 144 |
1 files changed, 144 insertions, 0 deletions
diff --git a/tests/data/slapd-acl.conf b/tests/data/slapd-acl.conf new file mode 100644 index 0000000..7afdc03 --- /dev/null +++ b/tests/data/slapd-acl.conf @@ -0,0 +1,144 @@ +# provider slapd config -- for testing +# $OpenLDAP$ +## This work is part of OpenLDAP Software <http://www.openldap.org/>. +## +## Copyright 1998-2022 The OpenLDAP Foundation. +## All rights reserved. +## +## Redistribution and use in source and binary forms, with or without +## modification, are permitted only as authorized by the OpenLDAP +## Public License. +## +## A copy of this license is available in the file LICENSE in the +## top-level directory of the distribution or, alternatively, at +## <http://www.OpenLDAP.org/license.html>. + +include @SCHEMADIR@/core.schema +include @SCHEMADIR@/cosine.schema +include @SCHEMADIR@/inetorgperson.schema +include @SCHEMADIR@/openldap.schema +include @SCHEMADIR@/nis.schema +pidfile @TESTDIR@/slapd.1.pid +argsfile @TESTDIR@/slapd.1.args + +# global ACLs +# +# normal installations should protect root dse, cn=monitor, cn=subschema +# + +access to dn.exact="" attrs=objectClass + by users read +access to * + by * read + +#mod#modulepath ../servers/slapd/back-@BACKEND@/ +#mod#moduleload back_@BACKEND@.la + +####################################################################### +# database definitions +####################################################################### + +database @BACKEND@ + +suffix "dc=example,dc=com" +rootdn "cn=Manager,dc=example,dc=com" +rootpw secret +#~null~#directory @TESTDIR@/db.1.a +#indexdb#index objectClass eq +#indexdb#index cn,sn,uid pres,eq,sub +#ndb#dbname db_1 +#ndb#include @DATADIR@/ndb.conf +add_content_acl on +#access to attrs=objectclass dn.subtree="dc=example,dc=com" +access to attrs=objectclass + by dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" add + by * =rsc stop + +#access to filter="(objectclass=person)" attrs=userpassword dn.subtree="dc=example,dc=com" +access to filter="(objectclass=person)" attrs=userpassword + by anonymous auth + by self =wx + +access to dn.exact="cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com" + attrs=cn val="Mark A Elliot" + by dn="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read + by * break + +access to dn.exact="cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com" + attrs=cn val="Mark Elliot" + by dn="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read + by * break + +access to dn.exact="cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com" + attrs=cn + by * search + +access to dn.exact="cn=John Doe,ou=Information Technology Division,ou=People,dc=example,dc=com" + attrs=cn val.regex="^John D.+" + by dn="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read + by * break + +access to dn.exact="cn=John Doe,ou=Information Technology Division,ou=People,dc=example,dc=com" + attrs=cn val.regex="^Jonath.+" + by dn="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read + by * break + +access to dn.exact="cn=John Doe,ou=Information Technology Division,ou=People,dc=example,dc=com" + attrs=cn + by * search + +access to dn.onelevel="ou=Information Technology Division,ou=People,dc=example,dc=com" + filter="(cn=*Jensen)" + attrs=cn val.regex=".*Jensen$" + by dn="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read + by dn="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read + by * break + +access to dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" + attrs=cn + by * search + +access to dn.children="ou=Alumni Association,ou=People,dc=example,dc=com" + by dn.regex=".+,dc=example,dc=com" +c continue + by dn.subtree="dc=example,dc=com" +rs continue + by dn.children="dc=example,dc=com" +d continue + by * stop + +#access to attrs=member,uniquemember dn.subtree="dc=example,dc=com" +access to attrs=member,uniquemember + by dn.exact="cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com" selfwrite + by dnattr=member selfwrite + by dnattr=uniquemember selfwrite + by * read + +#access to attrs=member,uniquemember filter="(mail=*com)" dn.subtree="dc=example,dc=com" +access to attrs=member,uniquemember filter="(mail=*com)" + by * read + +#access to filter="(|(objectclass=groupofnames)(objectClass=groupofuniquenames))" dn.subtree="dc=example,dc=com" +access to filter="(|(objectclass=groupofnames)(objectClass=groupofuniquenames))" + by dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" =sc continue + by dn.regex="^cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com$" +rw stop + by * break + +access to dn.children="ou=Information Technology Division,ou=People,dc=example,dc=com" + by group/groupOfUniqueNames/uniqueMember.exact="cn=ITD Staff,ou=Groups,dc=example,dc=com" write + by * read + +access to dn.exact="cn=Alumni Assoc Staff,ou=Groups,dc=example,dc=com" + by set="[cn=Alumni Assoc Staff,ou=Groups,dc=example,dc=com]/member* & user" write + by * read + +#access to filter="(name=X*Y*Z)" dn.subtree="dc=example,dc=com" +access to filter="(name=X*Y*Z)" + by * continue + +access to dn.subtree="ou=Add & Delete,dc=example,dc=com" + by dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" add + by dn.exact="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" delete + by dn.exact="cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com" write + by * read + +# fall into global ACLs + +database monitor |