1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
|
# provider slapd config -- for testing
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2022 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
include @SCHEMADIR@/core.schema
include @SCHEMADIR@/cosine.schema
include @SCHEMADIR@/inetorgperson.schema
include @SCHEMADIR@/openldap.schema
include @SCHEMADIR@/nis.schema
pidfile @TESTDIR@/slapd.1.pid
argsfile @TESTDIR@/slapd.1.args
# global ACLs
#
# normal installations should protect root dse, cn=monitor, cn=subschema
#
access to dn.exact="" attrs=objectClass
by users read
access to *
by * read
#mod#modulepath ../servers/slapd/back-@BACKEND@/
#mod#moduleload back_@BACKEND@.la
#######################################################################
# database definitions
#######################################################################
database @BACKEND@
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
#~null~#directory @TESTDIR@/db.1.a
#indexdb#index objectClass eq
#indexdb#index cn,sn,uid pres,eq,sub
#ndb#dbname db_1
#ndb#include @DATADIR@/ndb.conf
add_content_acl on
#access to attrs=objectclass dn.subtree="dc=example,dc=com"
access to attrs=objectclass
by dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" add
by * =rsc stop
#access to filter="(objectclass=person)" attrs=userpassword dn.subtree="dc=example,dc=com"
access to filter="(objectclass=person)" attrs=userpassword
by anonymous auth
by self =wx
access to dn.exact="cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com"
attrs=cn val="Mark A Elliot"
by dn="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
by * break
access to dn.exact="cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com"
attrs=cn val="Mark Elliot"
by dn="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
by * break
access to dn.exact="cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com"
attrs=cn
by * search
access to dn.exact="cn=John Doe,ou=Information Technology Division,ou=People,dc=example,dc=com"
attrs=cn val.regex="^John D.+"
by dn="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
by * break
access to dn.exact="cn=John Doe,ou=Information Technology Division,ou=People,dc=example,dc=com"
attrs=cn val.regex="^Jonath.+"
by dn="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
by * break
access to dn.exact="cn=John Doe,ou=Information Technology Division,ou=People,dc=example,dc=com"
attrs=cn
by * search
access to dn.onelevel="ou=Information Technology Division,ou=People,dc=example,dc=com"
filter="(cn=*Jensen)"
attrs=cn val.regex=".*Jensen$"
by dn="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
by dn="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
by * break
access to dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com"
attrs=cn
by * search
access to dn.children="ou=Alumni Association,ou=People,dc=example,dc=com"
by dn.regex=".+,dc=example,dc=com" +c continue
by dn.subtree="dc=example,dc=com" +rs continue
by dn.children="dc=example,dc=com" +d continue
by * stop
#access to attrs=member,uniquemember dn.subtree="dc=example,dc=com"
access to attrs=member,uniquemember
by dn.exact="cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com" selfwrite
by dnattr=member selfwrite
by dnattr=uniquemember selfwrite
by * read
#access to attrs=member,uniquemember filter="(mail=*com)" dn.subtree="dc=example,dc=com"
access to attrs=member,uniquemember filter="(mail=*com)"
by * read
#access to filter="(|(objectclass=groupofnames)(objectClass=groupofuniquenames))" dn.subtree="dc=example,dc=com"
access to filter="(|(objectclass=groupofnames)(objectClass=groupofuniquenames))"
by dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" =sc continue
by dn.regex="^cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com$" +rw stop
by * break
access to dn.children="ou=Information Technology Division,ou=People,dc=example,dc=com"
by group/groupOfUniqueNames/uniqueMember.exact="cn=ITD Staff,ou=Groups,dc=example,dc=com" write
by * read
access to dn.exact="cn=Alumni Assoc Staff,ou=Groups,dc=example,dc=com"
by set="[cn=Alumni Assoc Staff,ou=Groups,dc=example,dc=com]/member* & user" write
by * read
#access to filter="(name=X*Y*Z)" dn.subtree="dc=example,dc=com"
access to filter="(name=X*Y*Z)"
by * continue
access to dn.subtree="ou=Add & Delete,dc=example,dc=com"
by dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" add
by dn.exact="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" delete
by dn.exact="cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com" write
by * read
# fall into global ACLs
database monitor
|