summaryrefslogtreecommitdiffstats
path: root/tests/data/slapd-acl.conf
blob: 63b8e08f15569278cfae5412c4eddc9a5fa1a418 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
# provider slapd config -- for testing
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2021 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.

include		@SCHEMADIR@/core.schema
include		@SCHEMADIR@/cosine.schema
include		@SCHEMADIR@/inetorgperson.schema
include		@SCHEMADIR@/openldap.schema
include		@SCHEMADIR@/nis.schema
pidfile		@TESTDIR@/slapd.1.pid
argsfile	@TESTDIR@/slapd.1.args

# global ACLs
#
# normal installations should protect root dse, cn=monitor, cn=subschema
#

access		to dn.exact="" attrs=objectClass
		by users read
access		to *
		by * read

#mod#modulepath	../servers/slapd/back-@BACKEND@/
#mod#moduleload	back_@BACKEND@.la
#monitormod#modulepath ../servers/slapd/back-monitor/
#monitormod#moduleload back_monitor.la

#######################################################################
# database definitions
#######################################################################

database	@BACKEND@

suffix		"dc=example,dc=com"
rootdn		"cn=Manager,dc=example,dc=com"
rootpw		secret
#~null~#directory	@TESTDIR@/db.1.a
#indexdb#index		objectClass	eq
#indexdb#index		cn,sn,uid	pres,eq,sub
#ndb#dbname db_1
#ndb#include @DATADIR@/ndb.conf
add_content_acl	on
#access		to attrs=objectclass dn.subtree="dc=example,dc=com"
access		to attrs=objectclass
		by dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" add
		by * =rsc stop

#access		to filter="(objectclass=person)" attrs=userpassword dn.subtree="dc=example,dc=com"
access		to filter="(objectclass=person)" attrs=userpassword
		by anonymous auth
		by self =wx

access		to dn.exact="cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com"
			attrs=cn val="Mark A Elliot"
		by dn="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
		by * break

access		to dn.exact="cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com"
			attrs=cn val="Mark Elliot"
		by dn="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
		by * break

access		to dn.exact="cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com"
			attrs=cn
		by * search

access		to dn.exact="cn=John Doe,ou=Information Technology Division,ou=People,dc=example,dc=com"
			attrs=cn val.regex="^John D.+"
		by dn="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
		by * break

access		to dn.exact="cn=John Doe,ou=Information Technology Division,ou=People,dc=example,dc=com"
			attrs=cn val.regex="^Jonath.+"
		by dn="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
		by * break

access		to dn.exact="cn=John Doe,ou=Information Technology Division,ou=People,dc=example,dc=com"
			attrs=cn
		by * search

access		to dn.onelevel="ou=Information Technology Division,ou=People,dc=example,dc=com"
			filter="(cn=*Jensen)"
			attrs=cn val.regex=".*Jensen$"
		by dn="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
		by dn="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
		by * break

access		to dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com"
			attrs=cn
		by * search

access		to dn.children="ou=Alumni Association,ou=People,dc=example,dc=com"
		by dn.regex=".+,dc=example,dc=com" +c continue
		by dn.subtree="dc=example,dc=com" +rs continue
		by dn.children="dc=example,dc=com" +d continue
		by * stop

#access		to attrs=member,uniquemember dn.subtree="dc=example,dc=com"
access		to attrs=member,uniquemember
		by dn.exact="cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com" selfwrite
		by dnattr=member selfwrite
		by dnattr=uniquemember selfwrite
		by * read

#access		to attrs=member,uniquemember filter="(mail=*com)" dn.subtree="dc=example,dc=com"
access		to attrs=member,uniquemember filter="(mail=*com)"
		by * read

#access		to filter="(|(objectclass=groupofnames)(objectClass=groupofuniquenames))" dn.subtree="dc=example,dc=com"
access		to filter="(|(objectclass=groupofnames)(objectClass=groupofuniquenames))"
		by dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" =sc continue
		by dn.regex="^cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com$" +rw stop
		by * break

access		to dn.children="ou=Information Technology Division,ou=People,dc=example,dc=com"
		by group/groupOfUniqueNames/uniqueMember.exact="cn=ITD Staff,ou=Groups,dc=example,dc=com" write
		by * read

access		to dn.exact="cn=Alumni Assoc Staff,ou=Groups,dc=example,dc=com"
		by set="[cn=Alumni Assoc Staff,ou=Groups,dc=example,dc=com]/member* & user" write
		by * read

#access		to filter="(name=X*Y*Z)" dn.subtree="dc=example,dc=com"
access		to filter="(name=X*Y*Z)"
		by * continue

access		to dn.subtree="ou=Add & Delete,dc=example,dc=com"
		by dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" add
		by dn.exact="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" delete
		by dn.exact="cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com" write
		by * read

# fall into global ACLs

#monitor#database	monitor