Permissions Syntax - Netscape DIRECTORY SERVER 6.02 - ADMINISTRATOR Administrator's Manual


Comparing the value of an attribute:
Grant compare permission on the attribute type.

Searching for entries:
Grant search permission on each attribute type used in the search filter.
Grant read permission on attribute types used in the entry.

The permissions you need to set up to allow users to search the directory are more readily understood with an example. Consider the following ldapsearch operation:

% ldapsearch -h host -s base -b "uid=bkolics,dc=example,dc=com" objectclass=* mail

The following ACI is used to determine whether user bkolics can be granted access:

aci: (targetattr = "mail")(version 3.0; acl "self access to mail"; allow (read, search) userdn = "ldap:///self";)

The search result list is empty, because this ACI does not grant access to the objectclass attribute. If you want the search operation described above to be successful, you must modify the ACI to read as follows:

aci: (targetattr = "mail || objectclass")(version 3.0; acl "self access to mail"; allow (read, search) userdn = "ldap:///self";)

Permissions Syntax

In an ACI statement, the syntax for permissions is:

allow|deny (rights)

where rights is a list of 1 to 8 comma-separated keywords enclosed within parentheses. Valid keywords are read, write, add, delete, search, compare, selfwrite, proxy, or all.

In the following example, read, search, and compare access is allowed, provided the bind rule is evaluated to be true:

aci: (target="ldap:///dc=example,dc=com") (version 3.0;acl "example"; allow (read, search, compare) bind_rule;)

Chapter 6   Managing Access Control   Creating ACIs Manually   205
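As an added illustration of the search rule above (this is not code from the manual or from Directory Server), the following Python evaluator parses only the subset of ACI syntax shown on this page (targetattr, allow|deny with a rights list, a userdn bind rule) and applies the two conditions for a successful search: search permission on every filter attribute and read permission on every returned attribute. The function names, the self-only bind-rule handling and the embedded inputs are assumptions built from the page's own example.

```python
import re

# Subset of the ACI syntax this page shows: targetattr, version 3.0, acl name,
# allow|deny with a rights list, and a userdn bind rule. Nothing else is modelled.
ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"([^"]*)"\)\s*\(version 3\.0;\s*acl\s*"([^"]*)";\s*'
    r'(allow|deny)\s*\(([^)]*)\)\s*userdn\s*=\s*"([^"]*)";\s*\)'
)
VALID_RIGHTS = {"read", "write", "add", "delete", "search", "compare", "selfwrite", "proxy", "all"}

def parse_aci(text):
    """Parse one aci value; rejects unknown keywords and rights lists outside 1..8 entries."""
    m = ACI_RE.fullmatch(" ".join(text.split()))  # collapse the manual's line wrapping
    if not m:
        raise ValueError("unsupported ACI syntax: " + text)
    attrs, name, verb, rights, userdn = m.groups()
    rights = {r.strip().lower() for r in rights.split(",") if r.strip()}
    if not rights <= VALID_RIGHTS or not 1 <= len(rights) <= 8:
        raise ValueError("invalid rights list: " + str(sorted(rights)))
    return {"targetattr": {a.strip().lower() for a in attrs.split("||")}, "name": name,
            "verb": verb, "rights": rights, "userdn": userdn.strip().lower()}

def grants(aci, right, attr, bind_dn, entry_dn):
    """True if this ACI allows `right` on `attr` for bind_dn operating on entry_dn."""
    if aci["verb"] != "allow" or attr.lower() not in aci["targetattr"]:
        return False
    if not {right, "all"} & aci["rights"]:
        return False
    # Assumption: only the ldap:///self bind rule is modelled (bind DN must equal entry DN).
    return aci["userdn"] == "ldap:///self" and bind_dn.lower() == entry_dn.lower()

def evaluate_search(acis, bind_dn, entry_dn, filter_attrs, requested_attrs):
    """Page rule: search right on every filter attribute, read right on each returned attribute.
    Returns None when the entry is not returned at all, else the attributes the caller sees."""
    for attr in filter_attrs:
        if not any(grants(aci, "search", attr, bind_dn, entry_dn) for aci in acis):
            return None
    return sorted(a for a in requested_attrs
                  if any(grants(aci, "read", a, bind_dn, entry_dn) for aci in acis))

# Constructed from the page: bkolics' base-scope search on his own entry, filter objectclass=*,
# requesting mail, evaluated against the original ACI and then the corrected one.
BIND_DN = "uid=bkolics,dc=example,dc=com"
ORIGINAL_ACI = '(targetattr = "mail")(version 3.0; acl "self access to mail"; allow (read, search) userdn = "ldap:///self";)'
FIXED_ACI = '(targetattr = "mail || objectclass")(version 3.0; acl "self access to mail"; allow (read, search) userdn = "ldap:///self";)'

def run_page_example():
    before = evaluate_search([parse_aci(ORIGINAL_ACI)], BIND_DN, BIND_DN, ["objectclass"], ["mail"])
    after = evaluate_search([parse_aci(FIXED_ACI)], BIND_DN, BIND_DN, ["objectclass"], ["mail"])
    return before, after  # (None, ['mail'])
```

The first ACI yields no entry because search on objectclass is never granted; the corrected ACI returns the entry with its mail attribute, exactly as the manual describes.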
