<?xml version="1.0" encoding="UTF-8"?>
<!--
  ! This work is licensed under the Creative Commons
  ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
  !
  ! To view a copy of this license, visit
  ! or send a letter to Creative Commons, 444 Castro Street,
  ! Suite 900, Mountain View, California, 94041, USA.
  !
  ! You can also obtain a copy of the license at
  ! See the License for the specific language governing permissions
  ! and limitations under the License.
  !
  ! If applicable, add the following below this CCPL HEADER, with the fields
  ! enclosed by brackets "[]" replaced with your own identifying information:
  !      Portions Copyright [yyyy] [name of copyright owner]
  !
  !      Copyright 2011-2014 ForgeRock AS
  !
-->
<chapter xml:id='chap-privileges-acis'>
 <title>Configuring Privileges &amp; Access Control</title>
 <para>OpenDJ supports two mechanisms to protect access to the directory,
 <firstterm>access control instructions</firstterm> and
 <firstterm>privileges</firstterm>.</para>

 <para>Access control instructions apply to directory data, providing
 fine-grained control over what a user or group member is authorized to do in
 terms of LDAP operations. Most access control instructions specify scopes
 (targets) to which they apply, such that an administrative user who has all
 access to <literal>dc=example,dc=com</literal> need not have any access to
 <literal>dc=example,dc=org</literal>.</para>

 <para>Privileges control the administrative tasks that users can perform,
 such as bypassing the access control mechanism, performing backup and restore
 operations, making changes to the configuration, and so forth. Privileges are
 implemented independently from access control. By default, privileges restrict
 administrative access to directory root users, though any user can be assigned
 a privilege. Privileges apply to a directory server, and do not have a</para>

 <para>Some operations require both privileges and also access control
 instructions. For example, in order to reset users' passwords, an administrator
 needs both the <literal>password-reset</literal> privilege and also access
 control to write <literal>userPassword</literal> values on the user entries.
 By combining an access control instruction with a privilege, you can
 effectively restrict the scope of that privilege to a particular branch of
 the Directory Information Tree.</para>

 <para>This chapter covers both access control instructions and privileges,
 demonstrating how to configure both.</para>
 <section xml:id="about-acis">
  <title>About Access Control Instructions</title>
  <indexterm><primary>Access control</primary></indexterm>

  <para>OpenDJ directory server access control instructions (ACIs) exist as
  operational <literal>aci</literal> attribute values on directory entries, and
  as global ACIs stored in the configuration. ACIs apply to a scope defined in
  the instruction, and set permissions that depend on what operation is
  requested, who requested the operation, and how the client connected to the</para>

  <para>For example, the ACIs on the following entry allow anonymous read
  access to all attributes except passwords, and allow read-write access
  for directory administrators under <literal>dc=example,dc=com</literal>.</para>

  <programlisting language="ldif">dn: dc=example,dc=com
aci: (target ="ldap:///dc=example,dc=com")(targetattr !=
 "userPassword")(version 3.0;acl "Anonymous read-search access";
 allow (read, search, compare)(userdn = "ldap:///anyone");)
aci: (target="ldap:///dc=example,dc=com") (targetattr =
 "*")(version 3.0; acl "allow all Admin group"; allow(all) groupdn =
 "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)</programlisting>

  <para>OpenDJ directory server's default behavior is that no access is allowed
  unless it is specifically granted by an access control instruction. In
  addition, privileges assigned to certain users such as <literal>cn=Directory
  Manager</literal> allow them to bypass access control checks.</para>

  <para>OpenDJ directory server provides several global ACIs out of the box to
  facilitate evaluation while maintaining a reasonable security policy. By
  default, users are allowed to read the root DSE, to read the schema, to use
  certain controls and extended operations, to modify their own entries, to
  bind, and so forth. Global ACIs are defined on the access control handler,
  and apply to the entire directory server. You must adjust the default global
  ACIs to match the security policies for your organization, for example to
  restrict anonymous access.</para>

  <para>ACI attribute values use a specific language described in this section.
  Although ACI attribute values can become difficult to read in LDIF, the
  basic syntax is simple.</para>

  <literallayout class="monospaced"><replaceable>targets</replaceable>(version 3.0;acl "<replaceable>name</replaceable>";<replaceable>permissions</replaceable> <replaceable>subjects</replaceable>;)</literallayout>

  <para>The following list briefly explains the variables in the syntax above.</para>

  <variablelist>
   <varlistentry>
    <term><replaceable>targets</replaceable></term>
    <listitem>
     <para>The <replaceable>targets</replaceable> specifies entries, attributes,
     controls, and extended operations to which the ACI applies.</para>

     <para>To include multiple <replaceable>targets</replaceable>, enclose
     each individual target in parentheses, (). When you specify multiple
     targets, all targets must match for the ACI to apply
     (<literal>AND</literal>).</para>
    </listitem>
   </varlistentry>

   <varlistentry>
    <term><replaceable>name</replaceable></term>
    <listitem>
     <para>Supplies a human-readable description of what the ACI does.</para>
    </listitem>
   </varlistentry>

   <varlistentry>
    <term><replaceable>permissions</replaceable></term>
    <listitem>
     <para>Defines which actions to allow, and which to deny. Paired with
     <replaceable>subjects</replaceable>.</para>
    </listitem>
   </varlistentry>

   <varlistentry>
    <term><replaceable>subjects</replaceable></term>
    <listitem>
     <para>Identify clients to which the ACI applies depending on
     who connected, and when, where, and how they connected. Paired with
     <replaceable>permissions</replaceable>.</para>

     <para>Separate multiple pairs of <replaceable>permissions</replaceable>
     <replaceable>subjects</replaceable> definitions with semicolons, ;. When you
     specify multiple permissions-subjects pairs, at least one must match
     (<literal>OR</literal>).</para>
    </listitem>
   </varlistentry>
  </variablelist>
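  <para>The following Python program is added here as an example; it is not
  part of OpenDJ or of this guide. It parses ACI values written in the syntax
  above into their targets, name, and permissions/subjects pairs, showing
  where the AND (targets) and OR (pairs) boundaries fall. It handles only the
  subset of the grammar this section describes. The first two ACI values are
  the ones from the <literal>dc=example,dc=com</literal> entry above; the
  third is constructed for this example.</para>

```python
# Added example (not OpenDJ code): a small parser for the ACI syntax shown above,
# handling only the subset of the grammar this page describes.
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    effect: str      # "allow" or "deny"
    actions: list    # e.g. ["read", "search", "compare"]
    subject: str     # subject expression, e.g. 'userdn = "ldap:///anyone"'


@dataclass
class Aci:
    targets: list    # (keyword, operator, value) tuples, e.g. ("targetattr", "!=", "userPassword")
    name: str
    rules: list = field(default_factory=list)


# One target clause: (keyword = "value") or (keyword != "value")
TARGET_RE = re.compile(r'\(\s*(\w+)\s*(!=|=)\s*"([^"]*)"\s*\)')
# The body: (version 3.0; acl "name"; permissions subjects; ...)
BODY_RE = re.compile(r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;(.*)\)\s*$', re.S)
# One permissions/subjects pair: allow|deny (actions) subject
RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*(.*)', re.S)


def parse_aci(text):
    """Split an ACI value into its targets, name, and permissions/subjects pairs."""
    text = text.strip()
    body_at = text.find("(version")
    if body_at < 0:
        raise ValueError("ACI has no (version 3.0; ...) body")
    # Everything before the body is the (possibly empty) target list; all must match (AND).
    targets = TARGET_RE.findall(text[:body_at])
    m = BODY_RE.match(text[body_at:])
    if not m:
        raise ValueError("malformed ACI body")
    name, pairs = m.group(1), m.group(2)
    rules = []
    # Pairs are separated by semicolons; at least one must match (OR).
    for chunk in pairs.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        rm = RULE_RE.match(chunk)
        if not rm:
            raise ValueError("malformed permissions/subjects pair: " + chunk)
        actions = [a.strip() for a in rm.group(2).split(",") if a.strip()]
        subject = re.sub(r"\s+", " ", rm.group(3)).strip()
        # Drop a single pair of enclosing parentheses, as in (userdn = "...")
        if subject.startswith("(") and subject.endswith(")") and subject.count("(") == 1:
            subject = subject[1:-1].strip()
        rules.append(Rule(rm.group(1), actions, subject))
    return Aci(targets, name, rules)


# The two ACI values from the dc=example,dc=com entry above, joined into single strings.
ANONYMOUS_READ = (
    '(target ="ldap:///dc=example,dc=com")(targetattr != "userPassword")'
    '(version 3.0;acl "Anonymous read-search access"; '
    'allow (read, search, compare)(userdn = "ldap:///anyone");)'
)
ADMIN_ALL = (
    '(target="ldap:///dc=example,dc=com") (targetattr = "*")'
    '(version 3.0; acl "allow all Admin group"; allow(all) groupdn = '
    '"ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)'
)
# Constructed for this example: two permissions/subjects pairs in one ACI.
TWO_PAIRS = (
    '(targetattr = "mail")(version 3.0; acl "mail: read for all, write for self"; '
    'allow (read)(userdn = "ldap:///all"); allow (write)(userdn = "ldap:///self");)'
)

if __name__ == "__main__":
    for value in (ANONYMOUS_READ, ADMIN_ALL, TWO_PAIRS):
        aci = parse_aci(value)
        print(aci.name, aci.targets, [(r.effect, r.actions, r.subject) for r in aci.rules])
```

  <para>The parser keeps each subject expression as text, because subjects
  are explained later in this section; it does not validate target keywords,
  so use it to inspect how an ACI is structured, not to decide whether the
  server will accept it.</para>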
  <section xml:id="aci-targets">
   <title>ACI Targets</title>
   <indexterm>
    <primary>Access control</primary>
    <secondary>Targets</secondary>
   </indexterm>

   <para>The seven types of ACI targets identify the objects to which the ACI</para>

   <variablelist>
    <varlistentry>
     <term><literal>(target = "ldap:///<replaceable>DN</replaceable>")</literal></term>
     <term><literal>(target != "ldap:///<replaceable>DN</replaceable>")</literal></term>
     <listitem>
      <para>Sets the scope to the entry with distinguished name
      <replaceable>DN</replaceable>, and to child entries.</para>

      <para>You can use asterisks, *, to replace attribute types, attribute
      values, and entire DN components. In other words, the following
      <literal>uid=bjensen,ou=People,dc=example,dc=com</literal> and also
      <literal>cn=Frank Zappa,ou=Musicians,dc=example,dc=com</literal>.</para>

      <programlisting language="aci">(target = "ldap:///*=*,*,dc=example,dc=com")</programlisting>

      <para>The <replaceable>DN</replaceable> must be in the subtree of the
      entry on which the ACI is defined.</para>

      <para>If you do not specify <literal>target</literal>, then the entry
      holding this ACI will be affected. If <literal>targetscope</literal> is
      also omitted, then this entry and all subordinates will be affected.</para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term><literal>(targetattr = "<replaceable>attr-list</replaceable>")</literal></term>
     <term><literal>(targetattr != "<replaceable>attr-list</replaceable>")</literal></term>
     <listitem>
      <para>Replace <replaceable>attr-list</replaceable> with a list of
      attribute type names, such as <literal>userPassword</literal>, separating
      multiple attribute type names with ||.</para>

      <para>This specification affects the entry where the ACI is located, or
      the entries specified by other targets in the ACI.</para>

      <para>You can use an asterisk, *, to specify all user attributes, although
      you will see better performance when explicitly including or excluding
      the attribute types needed. You can use a plus, +, to specify all operational</para>

      <para>Note that a negated <replaceable>attr-list</replaceable> of
      operational attributes will only match other operational attributes and
      never any user attributes, and vice versa.</para>

      <para>If you do not include this target specification, then by default
      no attributes are affected by the ACI.</para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term><literal>(targetfilter = "<replaceable>ldap-filter</replaceable>")</literal></term>
     <term><literal>(targetfilter != "<replaceable>ldap-filter</replaceable>")</literal></term>
     <listitem>
      <para>Sets the scope to match the <replaceable>ldap-filter</replaceable>
      dynamically, as in an LDAP search. The
      <replaceable>ldap-filter</replaceable> can be any valid LDAP filter.</para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term><literal>(targattrfilters = "<replaceable>expression</replaceable>")</literal></term>
     <term><literal>(targattrfilters != "<replaceable>expression</replaceable>")</literal></term>
     <listitem>
      <para>Use this target specification when managing changes made to
      particular attributes.</para>

      <para>Here <replaceable>expression</replaceable> takes one of the
      following forms. Separate expressions with semicolons, ;.</para>

      <literallayout class="monospaced"><replaceable>op</replaceable>=<replaceable>attr1</replaceable>:<replaceable>filter1</replaceable>[&amp;&amp; <replaceable>attr2</replaceable>:<replaceable>filter2</replaceable> …][;<replaceable>op</replaceable>=<replaceable>attr3</replaceable>:<replaceable>filter3</replaceable>[&amp;&amp; <replaceable>attr4</replaceable>:<replaceable>filter4</replaceable> …] …]</literallayout>

      <para>Here <replaceable>op</replaceable> can be either
      <literal>add</literal> for operations creating attributes, or
      <literal>delete</literal> for operations removing them.
      Replace <replaceable>attr</replaceable> with an attribute type.
      Replace <replaceable>filter</replaceable> with an LDAP filter that
      corresponds to the <replaceable>attr</replaceable> attribute type.</para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term><literal>(targetscope = "base|onelevel|subtree|subordinate")</literal></term>
     <listitem>
      <para>Here <literal>base</literal> refers to the entry where the ACI is
      defined, <literal>onelevel</literal> to immediate children,
      <literal>subtree</literal> to the base entry and all children, and
      <literal>subordinate</literal> to all children only.</para>

      <para>If you do not specify <literal>targetscope</literal>, then the
      default is <literal>subtree</literal>.</para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term><literal>(targetcontrol = "<replaceable>OID</replaceable>")</literal></term>
     <term><literal>(targetcontrol != "<replaceable>OID</replaceable>")</literal></term>
     <listitem>
      <para>Replace <replaceable>OID</replaceable> with the object identifier
      for the LDAP control to target. Separate multiple OIDs with ||.</para>

      <para>This target cannot be restricted to a specific subtree by combining
      it with another target.</para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term><literal>(extop = "<replaceable>OID</replaceable>")</literal></term>
     <term><literal>(extop != "<replaceable>OID</replaceable>")</literal></term>
     <listitem>
      <para>Replace <replaceable>OID</replaceable> with the object identifier
      for the extended operation to target. Separate multiple OIDs with ||.</para>

      <para>This target cannot be restricted to a specific subtree by combining
      it with another target.</para>
     </listitem>
    </varlistentry>
   </variablelist>
  </section>
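  <para>The following Python functions are an added example, not OpenDJ code,
  illustrating two of the target rules above: the four
  <literal>targetscope</literal> keywords, and asterisk wildcards in a
  <literal>(target = "ldap:///<replaceable>DN</replaceable>")</literal>
  value, using the <literal>*=*,*,dc=example,dc=com</literal> target shown
  earlier. DN parsing is simplified (it assumes no escaped commas in RDN
  values), and <literal>target !=</literal> is not covered.</para>

```python
# Added example (not OpenDJ code): targetscope keywords and wildcard target DNs.
import re


def dn_components(dn):
    """Split a DN into its RDN strings, most specific first. Assumes no escaped commas."""
    return [c.strip() for c in dn.split(",") if c.strip()]


def is_under(entry_dn, base_dn):
    """True when entry_dn equals base_dn or lies below it (case-insensitive RDNs)."""
    e, b = dn_components(entry_dn), dn_components(base_dn)
    if len(e) < len(b):
        return False
    return [c.lower() for c in e[len(e) - len(b):]] == [c.lower() for c in b]


def in_scope(aci_dn, entry_dn, scope="subtree"):
    """Apply a targetscope keyword relative to the entry holding the ACI.

    base        -> the ACI entry only
    onelevel    -> its immediate children
    subtree     -> the ACI entry and everything below it (the default)
    subordinate -> everything below it, but not the ACI entry itself
    """
    if not is_under(entry_dn, aci_dn):
        return False
    depth = len(dn_components(entry_dn)) - len(dn_components(aci_dn))
    if scope == "base":
        return depth == 0
    if scope == "onelevel":
        return depth == 1
    if scope == "subtree":
        return True
    if scope == "subordinate":
        return depth >= 1
    raise ValueError("unknown targetscope: " + scope)


def component_matches(pattern, rdn):
    """One RDN against one pattern RDN; '*' stands in for a type, a value, or the whole RDN."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, rdn, re.I) is not None


def target_matches(target, entry_dn):
    """Match a (target = "ldap:///DN") value, wildcards included, against an entry DN.

    The target names an entry and its children, so entry_dn may carry extra
    leading RDNs; the trailing components must match the pattern one by one.
    """
    pattern = target[len("ldap:///"):] if target.startswith("ldap:///") else target
    p, e = dn_components(pattern), dn_components(entry_dn)
    if len(e) < len(p):
        return False
    tail = e[len(e) - len(p):]
    return all(component_matches(pc, ec) for pc, ec in zip(p, tail))


if __name__ == "__main__":
    wildcard = "ldap:///*=*,*,dc=example,dc=com"
    for dn in ("uid=bjensen,ou=People,dc=example,dc=com",
               "cn=Frank Zappa,ou=Musicians,dc=example,dc=com",
               "ou=People,dc=example,dc=com"):
        print(dn, "matches" if target_matches(wildcard, dn) else "does not match", wildcard)
    for scope in ("base", "onelevel", "subtree", "subordinate"):
        print(scope, in_scope("dc=example,dc=com", "ou=People,dc=example,dc=com", scope))
```

  <para>Note that <literal>ou=People,dc=example,dc=com</literal> does not
  match the wildcard target: the pattern has four RDN components, so the
  entry must have at least four, which is why the target selects leaf entries
  under the organizational units rather than the units themselves.</para>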
  <section xml:id="aci-permissions">
   <title>ACI Permissions</title>
   <indexterm>
    <primary>Access control</primary>
    <secondary>Permissions</secondary>
   </indexterm>

   <para>ACI permission definitions take one of the following forms.</para>

   <literallayout class="monospaced">allow(<replaceable>action</replaceable>[, <replaceable>action</replaceable> …])</literallayout>

   <literallayout class="monospaced">deny(<replaceable>action</replaceable>[, <replaceable>action</replaceable> …])</literallayout>

   <para>Although <literal>deny</literal> is supported, avoid restricting
   permissions by using <literal>deny</literal>. Instead, explicitly
   <literal>allow</literal> access only where needed. What looks harmless and
   simple in your lab examples can grow difficult to maintain in a real-world
   deployment with nested ACIs.</para>

   <para>Replace <replaceable>action</replaceable> with one of the following.</para>

   <variablelist>
    <varlistentry>
     <term><literal>add</literal></term>
     <listitem>
      <para>Entry creation, as for an LDAP add operation</para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term><literal>all</literal></term>
     <listitem>
      <para>All permissions, except <literal>export</literal>,
      <literal>import</literal>, <literal>proxy</literal></para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term><literal>compare</literal></term>
     <listitem>
      <para>Attribute value comparison, as for an LDAP compare operation</para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term><literal>delete</literal></term>
     <listitem>
      <para>Entry deletion, as for an LDAP delete operation</para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term><literal>export</literal></term>
     <listitem>
      <para>Entry export during a modify DN operation.</para>

      <para>Despite the name, this action is unrelated to LDIF export.</para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term><literal>import</literal></term>
     <listitem>
      <para>Entry import during a modify DN operation.</para>

      <para>Despite the name, this action is unrelated to LDIF import.</para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term><literal>proxy</literal></term>
     <listitem>
      <para>Access the ACI target using the rights of another user</para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term><literal>read</literal></term>
     <listitem>
      <para>Read entries and attributes</para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term><literal>search</literal></term>
     <listitem>
      <para>Search the ACI targets. Needs to be combined with
      <literal>read</literal> in order to read the search results.</para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term><literal>selfwrite</literal></term>
     <listitem>
      <para>Add or delete own DN from a group</para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term><literal>write</literal></term>
     <listitem>
      <para>Modify attributes on ACI target entries</para>
     </listitem>
    </varlistentry>
   </variablelist>
  </section>
  <section xml:id="aci-subjects">
   <title>ACI Subjects</title>
   <indexterm>
    <primary>Access control</primary>
    <secondary>Subjects</secondary>
   </indexterm>

   <para>ACI subjects match characteristics of the client connection to the
   server. Use subjects to restrict whether the ACI applies depending on who
   connected, and when, where, and how they connected.</para>

   <variablelist>
    <varlistentry>
     <term><literal>authmethod = "none|simple|ssl|sasl <replaceable>mech</replaceable>"</literal></term>
     <term><literal>authmethod != "none|simple|ssl|sasl <replaceable>mech</replaceable>"</literal></term>
     <listitem>
      <para>Here you use <literal>none</literal> to mean do not check,
      <literal>simple</literal> for simple authentication,
      <literal>ssl</literal> for certificate-based authentication over LDAPS,
      <literal>sasl <replaceable>mech</replaceable></literal> for
      SASL where <replaceable>mech</replaceable> is DIGEST-MD5, EXTERNAL, or</para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term><literal>dayofweek = "<replaceable>day</replaceable>[, <replaceable>day</replaceable> …]"</literal></term>
     <term><literal>dayofweek != "<replaceable>day</replaceable>[, <replaceable>day</replaceable> …]"</literal></term>
     <listitem>
      <para>Replace <replaceable>day</replaceable> with one of
      <literal>sun</literal>, <literal>mon</literal>, <literal>tue</literal>,
      <literal>wed</literal>, <literal>thu</literal>, <literal>fri</literal>,
      <literal>sat</literal>.</para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term><literal>dns = "<replaceable>hostname</replaceable>"</literal></term>
     <term><literal>dns != "<replaceable>hostname</replaceable>"</literal></term>
     <listitem>
      <para>You can use asterisks, *, to replace name components, such as</para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term><literal>groupdn = "ldap:///<replaceable>DN</replaceable>[|| ldap:///<replaceable>DN</replaceable> …]"</literal></term>
     <term><literal>groupdn != "ldap:///<replaceable>DN</replaceable>[|| ldap:///<replaceable>DN</replaceable> …]"</literal></term>
     <listitem>
      <para>Replace <replaceable>DN</replaceable> with the distinguished name
      of a group to permit or restrict access for members.</para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term><literal>ip = "<replaceable>addresses</replaceable>"</literal></term>
     <term><literal>ip != "<replaceable>addresses</replaceable>"</literal></term>
     <listitem>
      <para>Here <replaceable>addresses</replaceable> can be specified for
      IPv4 or IPv6. IPv6 addresses are specified in brackets as
      <literal>ldap://[<replaceable>address</replaceable>]/<replaceable>subnet-prefix</replaceable></literal>
      where /<replaceable>subnet-prefix</replaceable> is optional.
      You can specify individual IPv4 addresses, addresses with asterisks (*) to
      replace subnets and host numbers, CIDR notation, and forms such as
      <literal>192.168.0.*+255.255.255.0</literal> to specify subnet masks.</para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term><literal>ssf = "<replaceable>strength</replaceable>"</literal></term>
     <term><literal>ssf != "<replaceable>strength</replaceable>"</literal></term>
     <term><literal>ssf &gt; "<replaceable>strength</replaceable>"</literal></term>
     <term><literal>ssf &gt;= "<replaceable>strength</replaceable>"</literal></term>
     <term><literal>ssf &lt; "<replaceable>strength</replaceable>"</literal></term>
     <term><literal>ssf &lt;= "<replaceable>strength</replaceable>"</literal></term>
     <listitem>
      <para>Here the security strength factor pertains to the cipher key
      strength for connections using DIGEST-MD5, GSSAPI, SSL, or TLS. For
      example, to require that the connection must have at least 128 bits
      of encryption, specify <literal>ssf &gt;= 128</literal>.</para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term><literal>timeofday = "<replaceable>hhmm</replaceable>"</literal></term>
     <term><literal>timeofday != "<replaceable>hhmm</replaceable>"</literal></term>
     <term><literal>timeofday &gt; "<replaceable>hhmm</replaceable>"</literal></term>
     <term><literal>timeofday &gt;= "<replaceable>hhmm</replaceable>"</literal></term>
     <term><literal>timeofday &lt; "<replaceable>hhmm</replaceable>"</literal></term>
     <term><literal>timeofday &lt;= "<replaceable>hhmm</replaceable>"</literal></term>
     <listitem>
      <para>Here <replaceable>hhmm</replaceable> is expressed on a 24-hour
      clock. For example, 1:15 PM is written <literal>1315</literal>.</para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term><literal>userattr = "<replaceable>attr</replaceable>#<replaceable>value</replaceable>"</literal></term>
     <term><literal>userattr != "<replaceable>attr</replaceable>#<replaceable>value</replaceable>"</literal></term>
     <term><literal>userattr = "<replaceable>ldap-url</replaceable>#LDAPURL"</literal></term>
     <term><literal>userattr != "<replaceable>ldap-url</replaceable>#LDAPURL"</literal></term>
     <term><literal>userattr = "[parent[<replaceable>child-level</replaceable>]. ]<replaceable>attr</replaceable>#GROUPDN|USERDN"</literal></term>
     <term><literal>userattr != "[parent[<replaceable>child-level</replaceable>]. ]<replaceable>attr</replaceable>#GROUPDN|USERDN"</literal></term>
     <listitem>
      <para>The <literal>userattr</literal> subject specifies an attribute
      that must match on both the bind entry and the target of the ACI.</para>

      <para>To match when the attribute on the bind DN entry corresponds
      directly to the attribute on the target entry, replace
      <replaceable>attr</replaceable> with the attribute type, and
      <replaceable>value</replaceable> with the attribute value.</para>

      <para>To match when the target entry is identified by an LDAP URL, and
      the bind DN is in the subtree of the DN of the LDAP URL, use
      <replaceable>ldap-url</replaceable>#LDAPURL.</para>

      <para>To match when the bind DN corresponds to a member of the group
      identified by the <replaceable>attr</replaceable> value on the target
      entry, use <replaceable>attr</replaceable>#GROUPDN.</para>

      <para>To match when the bind DN corresponds to the
      <replaceable>attr</replaceable> value on the target entry, use
      <replaceable>attr</replaceable>#USERDN.</para>

      <para>The optional inheritance specification,
      <literal>parent[<replaceable>child-level</replaceable>].</literal>, lets
      you specify how many levels below the target entry inherit the ACI.
      Here <replaceable>child-level</replaceable> is a number from 0 to 9, with
      0 indicating the target entry only. Separate multiple
      <replaceable>child-level</replaceable> digits with commas (,).</para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term><literal>userdn = "<replaceable>ldap-url++</replaceable>[|| <replaceable>ldap-url++</replaceable> …]"</literal></term>
     <term><literal>userdn != "<replaceable>ldap-url++</replaceable>[|| <replaceable>ldap-url++</replaceable> …]"</literal></term>
     <listitem>
      <para>To match the bind DN, replace <replaceable>ldap-url++</replaceable>
      with either a valid LDAP URL such as
      <literal>ldap:///uid=bjensen,ou=People,dc=example,dc=com</literal>,
      <literal>ldap:///dc=example,dc=com??sub?(uid=bjensen)</literal>,
      or a special LDAP URL-like keyword from the following list.</para>

      <variablelist>
       <varlistentry>
        <term><literal>ldap:///all</literal></term>
        <listitem>
         <para>Match authenticated users.</para>
        </listitem>
       </varlistentry>

       <varlistentry>
        <term><literal>ldap:///anyone</literal></term>
        <listitem>
         <para>Match anonymous and authenticated users.</para>
        </listitem>
       </varlistentry>

       <varlistentry>
        <term><literal>ldap:///parent</literal></term>
        <listitem>
         <para>Match when the bind DN is a parent of the ACI target.</para>
        </listitem>
       </varlistentry>

       <varlistentry>
        <term><literal>ldap:///self</literal></term>
        <listitem>
         <para>Match when the bind DN entry corresponds to the ACI target.</para>
        </listitem>
       </varlistentry>
      </variablelist>
     </listitem>
    </varlistentry>
   </variablelist>
  </section>
  <section xml:id="aci-evaluation">
   <title>How ACI is Evaluated</title>
   <indexterm>
    <primary>Access control</primary>
    <secondary>Evaluation</secondary>
   </indexterm>

   <para>Understanding how OpenDJ evaluates the aci values is critical when
   implementing an access control policy. The rules the server follows are</para>

   <para>To determine if an operation is allowed or denied, the OpenDJ server
   looks in the directory for the target of the operation. It collects any aci
   values from that entry, and then walks up the directory tree to the suffix,
   collecting all aci values en route. Global aci values are then collected.</para>

   <para>It then separates the aci values into two lists; one list contains
   all the aci values that match the target and deny the required access,
   and the other list contains all the aci values that match the target and
   allow the required access.</para>

   <para>If the deny list contains any aci values after this procedure, access
   will be immediately denied.</para>

   <para>If the deny list is empty, then the allow list is processed. If the
   allow list contains any aci values, access will be allowed.</para>

   <para>If both lists are empty, access will be denied.</para>

   <para>Some operations require multiple permissions and involve multiple
   targets. Evaluation will therefore take place multiple times. For example, a
   search operation requires the <literal>search</literal> permission for each
   attribute in the search filter. If all those are allowed, the
   <literal>read</literal> permission is used to decide what attributes and
   values can be returned.</para>
  </section>
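  <para>The following Python program is an added example and not OpenDJ's
  implementation. It walks through the evaluation procedure just described
  for one (action, attribute) check: collect the aci values on the target
  entry and on each ancestor up to the suffix, then the global ACIs; keep the
  ones that match the requested access; put them in a deny list and an allow
  list; deny wins, otherwise any allow grants, otherwise access is denied.
  ACIs are represented as already-structured records, and only the default
  subtree scope, <literal>targetattr</literal>, and the
  <literal>anyone</literal>, <literal>all</literal>, and
  <literal>groupdn</literal> subjects are modelled. The two ACIs are the ones
  from the <literal>dc=example,dc=com</literal> entry earlier in this section;
  the deny ACI on <literal>ou=People</literal> is constructed to show why the
  permissions section advises against <literal>deny</literal>: it blocks even
  the administrators group, whose allow is never consulted.</para>

```python
# Added example (not OpenDJ's implementation): the deny-before-allow evaluation
# procedure described above, over already-structured ACI records.
from dataclasses import dataclass


@dataclass(frozen=True)
class Aci:
    name: str
    effect: str                 # "allow" or "deny"
    actions: frozenset          # e.g. {"read", "search"}; "all" covers everything but export/import/proxy
    attrs: frozenset            # attribute types named in targetattr; "*" means all user attributes
    exclude: bool = False       # True models (targetattr != "..."): every attribute except attrs
    subjects: frozenset = frozenset({"anyone"})   # "anyone", "all", or group DNs (groupdn)


def ancestors(dn):
    """The entry DN, then each parent DN, up to the suffix."""
    parts = [p.strip() for p in dn.split(",")]
    return [",".join(parts[i:]) for i in range(len(parts))]


def action_matches(aci, action):
    if action in aci.actions:
        return True
    return "all" in aci.actions and action not in {"export", "import", "proxy"}


def attr_matches(aci, attr):
    named = {a.lower() for a in aci.attrs}
    if aci.exclude:
        return attr.lower() not in named
    return "*" in named or attr.lower() in named


def subject_matches(aci, who):
    """who is None for an anonymous client, else {"dn": ..., "groups": (...)}."""
    if "anyone" in aci.subjects:
        return True
    if who is None:
        return False
    if "all" in aci.subjects:
        return True
    return bool(aci.subjects & frozenset(who.get("groups", ())))


def evaluate(tree, global_acis, target_dn, action, attr, who):
    """Return (granted, reason) for one (action, attribute) check on target_dn.

    tree maps an entry DN to the aci values held on that entry. ACIs on the
    target entry and on its ancestors are collected (subtree scope, the default),
    then the global ACIs; targetscope and targetfilter are not modelled here.
    """
    collected = []
    for dn in ancestors(target_dn):
        collected.extend(tree.get(dn, []))
    collected.extend(global_acis)
    matching = [a for a in collected
                if action_matches(a, action) and attr_matches(a, attr) and subject_matches(a, who)]
    deny = [a for a in matching if a.effect == "deny"]
    allow = [a for a in matching if a.effect == "allow"]
    if deny:                          # any matching deny wins outright
        return False, "denied by " + deny[0].name
    if allow:                         # otherwise any matching allow grants access
        return True, "allowed by " + allow[0].name
    return False, "no matching aci"   # both lists empty: default deny


ADMIN_GROUP = "cn=Directory Administrators,ou=Groups,dc=example,dc=com"

# The two ACIs from the dc=example,dc=com entry shown earlier, plus one
# constructed deny ACI on ou=People to show that a deny is never overridden.
SAMPLE_TREE = {
    "dc=example,dc=com": [
        Aci("Anonymous read-search access", "allow", frozenset({"read", "search", "compare"}),
            frozenset({"userPassword"}), exclude=True),
        Aci("allow all Admin group", "allow", frozenset({"all"}), frozenset({"*"}),
            subjects=frozenset({ADMIN_GROUP})),
    ],
    "ou=People,dc=example,dc=com": [
        Aci("No telephone lookups (constructed)", "deny", frozenset({"read"}),
            frozenset({"telephoneNumber"})),
    ],
}
ADMIN = {"dn": "uid=admin,ou=People,dc=example,dc=com", "groups": (ADMIN_GROUP,)}
BJENSEN = "uid=bjensen,ou=People,dc=example,dc=com"

if __name__ == "__main__":
    for who, action, attr in [(None, "read", "cn"), (None, "read", "userPassword"),
                              (ADMIN, "read", "userPassword"), (ADMIN, "read", "telephoneNumber"),
                              (None, "write", "cn")]:
        label = who["dn"] if who else "anonymous"
        print(label, action, attr, evaluate(SAMPLE_TREE, [], BJENSEN, action, attr, who))
```

  <para>Running the program shows anonymous <literal>read</literal> of
  <literal>cn</literal> allowed, anonymous <literal>read</literal> of
  <literal>userPassword</literal> falling through to "no matching aci", the
  administrator reading <literal>userPassword</literal> through the
  <literal>all</literal> grant, and the administrator refused
  <literal>telephoneNumber</literal> because the constructed deny is found
  first on the way up the tree.</para>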
  <section xml:id="aci-required">
   <title>ACI Required For LDAP Operations</title>
   <indexterm>
    <primary>Access control</primary>
    <secondary>Operations</secondary>
   </indexterm>

   <para>The minimal access control information required for specific LDAP
   operations is described here.</para>

   <variablelist>
    <varlistentry>
     <term>Add</term>
     <listitem>
      <para>The ACI must allow the <literal>add</literal> permission to entries
      in the target. This implicitly allows the attributes and values to be set.
      Use <literal>targattrfilters</literal> to explicitly deny access to any</para>

      <para>For example, the ACI required to allow
      <literal>uid=bjensen,ou=People,dc=example,dc=com</literal> to add an entry</para>

      <programlisting language="ldif">aci: (version 3.0;acl "Add entry"; allow (add)(userdn =
 "ldap:///uid=bjensen,ou=People,dc=example,dc=com");)</programlisting>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term>Bind</term>
     <listitem>
      <para>Because this is used to establish the user's identity and derived
      authorizations, ACI is irrelevant for this operation and is not checked.
      Disable the account instead. For more information, see <link
      xlink:href="admin-guide#manage-accounts"><citetitle>Accounts
      Manually</citetitle></link>.</para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term>Compare</term>
     <listitem>
      <para>The ACI must allow the <literal>compare</literal> permission to the
      attribute in the target entry.</para>

      <para>For example, the ACI required to allow
      <literal>uid=bjensen,ou=People,dc=example,dc=com</literal> to compare
      values against the <literal>sn</literal> attribute is:</para>

      <programlisting language="ldif">aci: (targetattr = "sn")(version 3.0;acl "Compare surname";
 allow (compare)(userdn =
 "ldap:///uid=bjensen,ou=People,dc=example,dc=com");)</programlisting>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term>Delete</term>
     <listitem>
      <para>The ACI must allow the <literal>delete</literal> permission to the
      target entry. This implicitly allows the attributes and values in the
      target to be deleted. Use <literal>targattrfilters</literal> to
      explicitly deny access to the values if required.</para>

      <para>For example, the ACI required to allow
      <literal>uid=bjensen,ou=People,dc=example,dc=com</literal> to delete an</para>

      <programlisting language="ldif">aci: (version 3.0;acl "Delete entry"; allow (delete)
 (userdn = "ldap:///uid=bjensen,ou=People,dc=example,dc=com");)</programlisting>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term>Modify</term>
     <listitem>
      <para>The ACI must allow the <literal>write</literal> permission to
      attributes in the target entries. This implicitly allows all
      values in the target attribute to be modified. Use
      <literal>targattrfilters</literal> to explicitly deny access to specific</para>

      <para>For example, the ACI required to allow
      <literal>uid=bjensen,ou=People,dc=example,dc=com</literal> to modify the
      <literal>description</literal> attribute in an entry is:</para>

      <programlisting language="ldif">aci: (targetattr = "description")(version 3.0;
 acl "Modify description"; allow (write)(userdn =
 "ldap:///uid=bjensen,ou=People,dc=example,dc=com");)</programlisting>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term>Modify DN</term>
     <listitem>
      <para>If the entry is being moved to a <literal>newSuperior</literal>, the
      <literal>export</literal> permission must be allowed on the target, and
      the <literal>import</literal> permission must be allowed on the
      <literal>newSuperior</literal> entry.</para>

      <para>The ACI must allow <literal>write</literal> permission to the
      attributes in the old RDN and the new RDN. All values of the old RDN and
      new RDN can be written implicitly; use
      <literal>targattrfilters</literal> to explicitly deny access to values</para>

      <para>For example, the ACI required to allow
      <literal>uid=bjensen,ou=People,dc=example,dc=com</literal> to rename
      entries named with the <literal>uid</literal> attribute to new</para>

      <programlisting language="ldif">aci: (targetattr = "uid")(version 3.0;acl "Rename uid= entries";
 allow (write, import, export)(userdn =
 "ldap:///uid=bjensen,ou=People,dc=example,dc=com");)</programlisting>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term>Search</term>
     <listitem>
      <para>ACI is required to process the search filter, and to determine what
      attributes and values may be returned in the results. The
      <literal>search</literal> permission is used to allow particular
      attributes in the search filter. The <literal>read</literal> permission is
      used to allow particular attributes to be returned. If
      <literal>read</literal> permission is allowed to any attribute, the
      server will automatically allow the <literal>objectClass</literal>
      attribute to also be read.</para>

      <para>For example, the ACI required to allow
      <literal>uid=bjensen,ou=People,dc=example,dc=com</literal> to search for
      <literal>uid</literal> attributes, and also to read that attribute in
      matching entries is:</para>

      <programlisting language="ldif">aci: (targetattr = "uid")(version 3.0;acl "Search and read uid";
 allow (search, read)(userdn =
 "ldap:///uid=bjensen,ou=People,dc=example,dc=com");)</programlisting>
     </listitem>
    </varlistentry>
   </variablelist>
  </section>
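  <para>The following Python functions are an added example, not OpenDJ code,
  showing the two-phase check a search goes through as described under Search
  above: every attribute in the filter needs the <literal>search</literal>
  permission before the filter is processed at all, and only then does
  <literal>read</literal> decide which requested attributes come back, with
  <literal>objectClass</literal> readable as soon as any other attribute is.
  The grants set is the outcome of ACI evaluation for the bind DN on the
  target entry, here what the "Search and read uid" ACI gives
  <literal>uid=bjensen</literal>. Filter parsing is deliberately minimal and
  does not handle extensible-match assertions.</para>

```python
# Added example (not OpenDJ code): the two-phase permission check for an LDAP
# search, "search" on the filter attributes first, then "read" on the results.
import re

# Attribute type in front of =, >=, <=, ~= (this also covers presence, e.g. (uid=*)).
# Extensible-match filters (attr:rule:=value) are not handled.
_ATTR_RE = re.compile(r"\(([A-Za-z][\w.;-]*)\s*(?:~=|>=|<=|=)")


def filter_attributes(ldap_filter):
    """Attribute types an LDAP filter refers to, e.g. (&(uid=b*)(sn=Jensen)) -> {uid, sn}."""
    return {m.group(1) for m in _ATTR_RE.finditer(ldap_filter)}


def check_search(grants, ldap_filter, requested):
    """grants: set of (action, attribute) pairs the bind DN holds on the target
    entry, as produced by ACI evaluation. Returns (proceeds, returnable_attributes).

    proceeds is False when any filter attribute lacks "search"; nothing is
    returned then. Otherwise the returnable set is the requested attributes
    that have "read", and objectClass is added whenever at least one other
    requested attribute is readable.
    """
    needed = filter_attributes(ldap_filter)
    missing = {a for a in needed if ("search", a) not in grants}
    if missing:
        return False, set()
    readable = {a for a in requested if ("read", a) in grants}
    if "objectClass" in requested and readable - {"objectClass"}:
        readable.add("objectClass")
    return True, readable


# What the "Search and read uid" ACI above grants uid=bjensen on the targeted entries.
BJENSEN_GRANTS = {("search", "uid"), ("read", "uid")}

if __name__ == "__main__":
    print(check_search(BJENSEN_GRANTS, "(uid=bjensen)", {"uid", "objectClass"}))
    print(check_search(BJENSEN_GRANTS, "(&(uid=b*)(sn=Jensen))", {"uid"}))  # sn lacks search
    print(check_search(BJENSEN_GRANTS, "(uid=*)", {"cn", "objectClass"}))    # nothing readable
```

  <para>The second call fails before any entry is considered: the filter
  names <literal>sn</literal>, which has no <literal>search</literal> grant,
  so the missing permission on one filter attribute blocks the whole
  operation. The third call proceeds but returns nothing, because a
  <literal>read</literal> grant on <literal>uid</literal> does not extend to
  <literal>cn</literal>, and <literal>objectClass</literal> is only readable
  alongside some other readable attribute.</para>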
 </section>

 <section xml:id="about-privileges">
  <title>About Privileges</title>
  <indexterm><primary>Privileges</primary></indexterm>

  <para>Privileges provide access control for server administration
  independently from access control instructions.</para>

  <para>Directory root users, such as <literal>cn=Directory Manager</literal>,
  are granted the privileges in the following list that are marked with an
  asterisk (*) by default. Other administrator users can be assigned
  privileges, too.</para>

  <variablelist>
   <varlistentry>
    <term><literal>backend-backup</literal>*</term>
    <listitem>
     <para>Request a task to back up data</para>
    </listitem>
   </varlistentry>

   <varlistentry>
    <term><literal>backend-restore</literal>*</term>
    <listitem>
     <para>Request a task to restore data from backup</para>
    </listitem>
   </varlistentry>

   <varlistentry>
    <term><literal>bypass-acl</literal>*</term>
    <listitem>
     <para>Perform operations without regard to ACIs</para>
    </listitem>
   </varlistentry>

   <varlistentry>
    <term><literal>bypass-lockdown</literal>*</term>
    <listitem>
     <para>Perform operations without regard to lockdown mode</para>
    </listitem>
   </varlistentry>

   <varlistentry>
    <term><literal>cancel-request</literal>*</term>
    <listitem>
     <para>Cancel any client request</para>
    </listitem>
   </varlistentry>

   <varlistentry>
    <term><literal>config-read</literal>*</term>
    <listitem>
     <para>Read the server configuration</para>
    </listitem>
   </varlistentry>

   <varlistentry>
    <term><literal>config-write</literal>*</term>
    <listitem>
     <para>Change the server configuration</para>
    </listitem>
   </varlistentry>

   <varlistentry>
    <term><literal>data-sync</literal></term>
    <listitem>
     <para>Perform data synchronization</para>
    </listitem>
   </varlistentry>

   <varlistentry>
    <term><literal>disconnect-client</literal>*</term>
    <listitem>
     <para>Close any client connection</para>
    </listitem>
   </varlistentry>

   <varlistentry>
    <term><literal>jmx-notify</literal></term>
    <listitem>
     <para>Subscribe to JMX notifications</para>
    </listitem>
   </varlistentry>

   <varlistentry>
    <term><literal>jmx-read</literal></term>
    <listitem>
     <para>Read JMX attribute values</para>
    </listitem>
   </varlistentry>

   <varlistentry>
    <term><literal>jmx-write</literal></term>
    <listitem>
     <para>Write JMX attribute values</para>
    </listitem>
   </varlistentry>

   <varlistentry>
    <term><literal>ldif-export</literal>*</term>
    <listitem>
     <para>Export data to LDIF</para>
    </listitem>
   </varlistentry>

   <varlistentry>
    <term><literal>ldif-import</literal>*</term>
    <listitem>
     <para>Import data from LDIF</para>
    </listitem>
   </varlistentry>

   <varlistentry>
    <term><literal>modify-acl</literal>*</term>
    <listitem>
     <para>Modify access control instructions</para>
    </listitem>
   </varlistentry>

   <varlistentry>
    <term><literal>password-reset</literal>*</term>
    <listitem>
     <para>Reset other users' passwords</para>
    </listitem>
   </varlistentry>

   <varlistentry>
    <term><literal>privilege-change</literal>*</term>
    <listitem>
     <para>Change the privileges assigned to users</para>
    </listitem>
   </varlistentry>

   <varlistentry>
    <term><literal>proxied-auth</literal></term>
    <listitem>
     <para>Use the Proxied Authorization control</para>
    </listitem>
   </varlistentry>

   <varlistentry>
    <term><literal>server-lockdown</literal>*</term>
    <listitem>
     <para>Put OpenDJ into, and take OpenDJ out of, lockdown mode</para>
    </listitem>
   </varlistentry>

   <varlistentry>
    <term><literal>server-restart</literal>*</term>
    <listitem>
     <para>Request a task to restart the server</para>
    </listitem>
   </varlistentry>

   <varlistentry>
    <term><literal>server-shutdown</literal>*</term>
    <listitem>
     <para>Request a task to stop the server</para>
    </listitem>
   </varlistentry>

   <varlistentry>
    <term><literal>subentry-write</literal>*</term>
    <listitem>
     <para>Perform LDAP subentry write operations</para>
    </listitem>
   </varlistentry>

   <varlistentry>
    <term><literal>unindexed-search</literal>*</term>
    <listitem>
     <para>Search using a filter with no corresponding index</para>
    </listitem>
   </varlistentry>

   <varlistentry>
    <term><literal>update-schema</literal>*</term>
    <listitem>
     <para>Change OpenDJ schema definitions</para>
    </listitem>
   </varlistentry>
  </variablelist>

  <para>* = default directory root user privileges</para>
 </section>
 <section xml:id="configure-privileges">
  <title>Configuring Privileges</title>

  <para>For root directory administrators, by default
  <literal>cn=Directory Manager</literal>, you configure privileges using the
  <command>dsconfig</command> command.</para>

  <para>For non-root directory administrators, you add privileges with
  the <command>ldapmodify</command> command.</para>

  <procedure xml:id="change-root-dn-privileges">
   <title>To Change Root DN Privileges</title>

   <step>
    <para>Start <command>dsconfig</command> in interactive mode.</para>

    <screen>$ dsconfig \
 --bindDN "cn=Directory Manager" \
 --bindPassword password</screen>
   </step>

   <step>
    <para>Select the Root DN menu.</para>
   </step>

   <step>
    <para>Select View and edit the Root DN.</para>
   </step>

   <step>
    <para>Edit the <literal>default-root-privilege-name</literal>.</para>
   </step>

   <step>
    <para>Make sure you apply the changes when finished.</para>
   </step>
  </procedure>

  <procedure xml:id="change-individual-privileges">
   <title>To Add Privileges on an Individual Entry</title>

   <para>Privileges are specified using the <literal>ds-privilege-name</literal>
   operational attribute, which you can change on the command line using
   <command>ldapmodify</command>.</para>

   <step>
    <para>Determine the privileges to add.</para>

    <programlisting language="ldif">dn: uid=kvaughan,ou=People,dc=example,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: config-read
ds-privilege-name: password-reset</programlisting>

    <para>This example lets the user read the server configuration, and reset
    user passwords. In order for the user to be able to change a user password,
    you must also allow the modification using ACIs. For this example, Kirsten
    already has access to modify user entries.</para>

    <para>Prior to having the privileges, Kirsten gets messages about
    insufficient access when trying to read the server configuration, or
    reset a user password.</para>

    <screen>$ ldapsearch \
 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com"
Result Code: 50 (Insufficient Access Rights)
Additional Information: You do not have sufficient privileges to perform
 search operations in the Directory Server configuration

$ ldappasswordmodify \
 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
 --authzID "dn:uid=scarter,ou=People,dc=example,dc=com"
The LDAP password modify operation failed with result code 50
Error Message: You do not have sufficient privileges to perform password</screen>
   </step>

   <step>
    <para>Apply the change as a user with the
    <literal>privilege-change</literal> privilege.</para>

    <screen>$ ldapmodify \
 --bindDN "cn=Directory Manager"
Processing MODIFY request for uid=kvaughan,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=kvaughan,ou=People,dc=example,dc=com</screen>
   </step>

   <step>
    <para>At this point, Kirsten can perform the operations requiring</para>

    <screen>$ ldapsearch \
 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com"
ds-cfg-return-bind-error-messages: false
ds-cfg-default-password-policy: cn=Default Password Policy,cn=Password Policies,

$ ldappasswordmodify \
 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
 --authzID "dn:uid=scarter,ou=People,dc=example,dc=com"
The LDAP password modify operation was successful</screen>
   </step>
  </procedure>

  <procedure xml:id="change-group-privileges">
   <title>To Add Privileges For a Group of Administrators</title>

   <para>For deployments with more than one administrator, you no doubt use
   a group to define administrative rights. You can use a collective attribute
   subentry to specify privileges for the administrator group.</para>

   <para>Collective attributes provide a standard mechanism for defining
   attributes that appear on all the entries in a particular subtree. OpenDJ
   extends collective attributes to give you fine-grained control over which
   entries in the subtree are targeted. Also, OpenDJ lets you use virtual
   attributes, such as <literal>isMemberOf</literal>, to construct the filter
   for targeting entries to which the collective attributes apply. This allows
   you, for example, to define administrative privileges that apply to all
   users who belong to an administrator group.</para>

   <step>
    <para>Create an LDAP subentry that specifies the collective attributes.</para>

    <programlisting language="ldif">dn: cn=Administrator Privileges,dc=example,dc=com
changetype: add
objectClass: top
objectClass: subentry
objectClass: collectiveAttributeSubentry
objectClass: extensibleObject
cn: Administrator Privileges
ds-privilege-name;collective: config-read
ds-privilege-name;collective: config-write
ds-privilege-name;collective: ldif-export
ds-privilege-name;collective: modify-acl
ds-privilege-name;collective: password-reset
ds-privilege-name;collective: proxied-auth
subtreeSpecification: {base "ou=people", specificationFilter
 "(isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }</programlisting>

    <screen>$ ldapmodify \
 --bindDN "cn=Directory Manager"
Processing ADD request for cn=Administrator Privileges,dc=example,dc=com
ADD operation successful for DN cn=Administrator Privileges,dc=example,dc=com</screen>
   </step>

   <step>
    <para>like Kirsten Vaughan.</para>

    <para>Observe that the change takes effect immediately.</para>

    <screen>$ ldappasswordmodify \
 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
 --authzID "dn:uid=scarter,ou=People,dc=example,dc=com"
The LDAP password modify operation was successful</screen>
   </step>
  </procedure>
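  <para>The following Python script is an added illustration, not OpenDJ code
  and not part of this guide. It models the resolution the procedures above
  rely on: a user's effective privileges are the union of the
  <literal>ds-privilege-name</literal> values on the entry itself and the
  <literal>ds-privilege-name;collective</literal> values of every subentry
  whose <literal>subtreeSpecification</literal> covers the entry, that is, the
  entry lies under the base (relative to the subentry's parent) and satisfies
  the <literal>isMemberOf</literal> equality filter. The sample entries, the
  <literal>uid=svc-backup</literal> user and the
  <literal>ESCALATION_PRIVILEGES</literal> table are constructed for the
  example; the model handles only the single equality filter form used in this
  procedure.</para>

```python
"""Added illustration (not OpenDJ code): a simplified model of how explicit
ds-privilege-name values and collective-attribute subentries combine into a
user's effective privileges.  Only the subtreeSpecification form used in the
procedure above is modelled: a base plus one equality specificationFilter."""
import re

# Assumption (this model's own labelling, derived from the descriptions in the
# "About Privileges" list): holders of these privileges can widen their own
# access, so they deserve a second look when granted to an administrator group.
ESCALATION_PRIVILEGES = {
    "bypass-acl": "operations are not subject to ACIs",
    "privilege-change": "can assign further privileges, including to self",
    "config-write": "can change the configuration, including root DN privileges",
}


def normalize_dn(dn):
    """Lower-case a DN and strip spaces around commas so DNs compare equal."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parent_dn(dn):
    """DN of the entry's parent; for a subentry, its administrative point."""
    return dn.split(",", 1)[1] if "," in dn else ""


def parse_subtree_spec(spec):
    """Extract base and specificationFilter from a subtreeSpecification value."""
    base = re.search(r'base\s+"([^"]*)"', spec)
    flt = re.search(r'specificationFilter\s+"([^"]*)"', spec)
    return (base.group(1) if base else "", flt.group(1) if flt else "")


def filter_matches(flt, entry):
    """Evaluate one equality filter, e.g. (isMemberOf=cn=...), against an entry.
    Entries are dicts whose lower-case attribute names map to value lists."""
    if not flt:
        return True
    m = re.fullmatch(r"\((\w+)=(.*)\)", flt.strip())
    if m is None:
        raise ValueError("only a single equality filter is modelled: " + flt)
    attr, wanted = m.group(1).lower(), normalize_dn(m.group(2))
    return any(normalize_dn(v) == wanted for v in entry.get(attr, []))


def in_scope(subentry, entry):
    """True when the entry is under the subentry's base and matches its filter."""
    base, flt = parse_subtree_spec(subentry["subtreespecification"][0])
    root = parent_dn(subentry["dn"])
    if base:
        root = base + "," + root
    root, dn = normalize_dn(root), normalize_dn(entry["dn"])
    if dn != root and not dn.endswith("," + root):
        return False
    return filter_matches(flt, entry)


def effective_privileges(entry, subentries):
    """Union of the entry's own ds-privilege-name values and every collective
    ds-privilege-name from subentries whose subtree specification covers it."""
    privs = set(entry.get("ds-privilege-name", []))
    for sub in subentries:
        if in_scope(sub, entry):
            privs.update(sub.get("ds-privilege-name;collective", []))
    return sorted(privs)


def escalation_risks(privileges):
    """Subset of the privileges that let the holder widen their own access."""
    return {p: ESCALATION_PRIVILEGES[p] for p in privileges if p in ESCALATION_PRIVILEGES}


# Constructed sample data mirroring the subentry and users in the procedure.
ADMIN_SUBENTRY = {
    "dn": "cn=Administrator Privileges,dc=example,dc=com",
    "ds-privilege-name;collective": ["config-read", "config-write", "ldif-export",
                                     "modify-acl", "password-reset", "proxied-auth"],
    "subtreespecification": ['{base "ou=people", specificationFilter '
                             '"(isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }'],
}
KVAUGHAN = {  # group member who also has two explicit privileges
    "dn": "uid=kvaughan,ou=People,dc=example,dc=com",
    "ds-privilege-name": ["config-read", "password-reset"],
    "ismemberof": ["cn=Directory Administrators,ou=Groups,dc=example,dc=com"],
}
SCARTER = {"dn": "uid=scarter,ou=People,dc=example,dc=com"}  # not in the group
OUTSIDER = {  # constructed: in the group but outside the ou=people base
    "dn": "uid=svc-backup,ou=Special Users,dc=example,dc=com",
    "ismemberof": ["cn=Directory Administrators,ou=Groups,dc=example,dc=com"],
}

if __name__ == "__main__":
    for user in (KVAUGHAN, SCARTER, OUTSIDER):
        privs = effective_privileges(user, [ADMIN_SUBENTRY])
        print(user["dn"], privs, escalation_risks(privs))
```

  <para>Running the script shows that Kirsten inherits the six collective
  privileges on top of her two explicit ones, that a user outside the group
  gets nothing from the subentry, and that group membership alone is not
  enough when the entry lies outside the subentry's base. The escalation
  table is the defender's reminder that granting
  <literal>config-write</literal> to a group is close to granting it root
  control, since the configuration is where root DN privileges and global ACIs
  are defined.</para>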
 </section>

 <section xml:id="configure-acis">
  <title>Configuring Access Control</title>
  <indexterm>
   <primary>Access control</primary>
   <secondary>Examples</secondary>
  </indexterm>

  <para>Access control instructions are defined in the data, as values for
  <literal>aci</literal> attributes. They can be imported in LDIF. They can
  be modified over LDAP. Yet in order to make changes to ACIs, users first
  need the <literal>modify-acl</literal> privilege described previously.
  By default, only the root DN user has the <literal>modify-acl</literal></para>

  <para>Global ACIs on <literal>cn=Access Control Handler,cn=config</literal>
  can be set using the <command>dsconfig</command> command. Global ACIs have
  attribute type <literal>ds-cfg-global-aci</literal>. Modify global ACIs from
  the Access Control Handler menu in <command>dsconfig</command>.</para>

  <indexterm>
   <primary>Replication</primary>
   <secondary>Data access</secondary>
  </indexterm>

  <para>Default global ACIs set up the following access rules.</para>

  <itemizedlist>
   <listitem>
    <para>Users can employ LDAP controls and perform extended operations.</para>
   </listitem>

   <listitem>
    <para>Anonymous read access is allowed for most user data attributes.</para>
   </listitem>

   <listitem>
    <para>Users can read password values on their own entries after binding.
    (Also by default, password values are hashed.)</para>
   </listitem>

   <listitem>
    <para>Anonymous read access is allowed for schema-related operational</para>
   </listitem>

   <listitem>
    <para>Anonymous read access is allowed for root DSE attributes describing
    what the server supports.</para>
   </listitem>

   <listitem>
    <para>Anonymous read access is allowed for operational attributes related
    to entry updates and entry identification.</para>
   </listitem>

   <listitem>
    <para>Access to replication data is denied.</para>
   </listitem>
  </itemizedlist>

  <para>Users with write access to add ACIs and with the
  <literal>modify-acl</literal> privilege can use the
  <command>ldapmodify</command> command to change ACIs located in user</para>

  <para>This section therefore focuses on ACI examples, rather than
  demonstrating how to update the directory for each example. To update ACIs,
  either change them using the <command>ldapmodify</command> command, or use
  OpenDJ Control Panel.</para>

  <para>If you use OpenDJ Control Panel, find the entry to modify in the Manage
  Entries window. Then try View > LDIF View to edit the entry. Control Panel
  checks your syntax and lets you know if you made an error before it saves any</para>

  <para>For hints on updating directory entries with
  <command>ldapmodify</command>, see the section on <link
  xlink:href="admin-guide#modify-ldap"><citetitle>Modifying Entry
  Attributes</citetitle></link>, keeping in mind that the name of the ACI
  attribute is <literal>aci</literal> as shown in the examples that</para>

  <example xml:id="access-control-anonymous-reads">
   <title>ACI: Anonymous Reads &amp; Searches</title>

   <para>This works when the only attributes you do not want world-readable
   are password attributes.</para>

   <programlisting language="ldif">aci: (target ="ldap:///dc=example,dc=com")(targetattr !=
 "authPassword || userPassword")(version 3.0;acl "Anonymous read-search access";
 allow (read, search, compare)(userdn = "ldap:///anyone");)</programlisting>
  </example>

  <example xml:id="access-control-disable-anonymous"><?dbfo keep-together="auto"?>
   <title>ACI: Disable Anonymous Access</title>
   <indexterm>
    <primary>Access control</primary>
    <secondary>Disabling anonymous access</secondary>
   </indexterm>

   <para>By default OpenDJ denies access unless an access control explicitly
   allows access.<footnote><para>This does not apply to the directory root
   user, such as <literal>cn=Directory Manager</literal>, who bypasses
   ACIs.</para></footnote> However, OpenDJ also allows anonymous access by
   default to use some controls, to perform certain extended operations, to
   view root DSE operational attributes, to view directory schema definitions,
   to view some other operational attributes, and to perform compare and search</para>

   <para>These default capabilities are defined on the
   <literal>global-aci</literal> property of the access control handler, which
   you can read with the
   <command>dsconfig get-access-control-handler-prop</command> command.</para>

   <screen>$ dsconfig \
 get-access-control-handler-prop \
 --bindDN "cn=Directory Manager" \
 --property global-aci</screen>

   <para>You can disable anonymous access either by editing relevant
   <literal>global-aci</literal> properties, or by using the global server
   configuration property, <literal>reject-unauthenticated-requests</literal>.
   Editing relevant <literal>global-aci</literal> properties lets you take a
   fine-grained approach to limit anonymous access. Setting
   <literal>reject-unauthenticated-requests:true</literal> causes OpenDJ
   directory server to reject all requests from clients who are not
   authenticated, except bind requests and StartTLS requests.</para>

   <para>To take a fine-grained approach, use the <command>dsconfig</command>
   command to edit <literal>global-aci</literal> properties. One of the most
   expedient ways to do this is to use the command interactively on one OpenDJ
   directory server, capturing the output to a script with the
   <option>--commandFilePath <replaceable>script</replaceable></option> option,
   and then editing the script for use on other servers. With this approach,
   you can allow anonymous read access to the root DSE and to directory
   schemas, so that clients do not have to authenticate to discover server
   capabilities, and also allow anonymous users access to some controls and
   extended operations.</para>

   <screen>$ dsconfig \
 --bindDN "cn=Directory Manager"
# The dsconfig command runs interactively.
# Edit Access Control Handler, global-aci attributes replacing
# userdn="ldap:///anyone" (anonymous) with userdn="ldap:///all" (authenticated)
# in "Anonymous read access" and "User-Visible Operational Attributes" ACIs.
# To make this change, you first remove the existing values,
# then add the edited values, and finally apply the changes.</screen>

   <para>Make sure that you also set appropriate ACIs on any data that you
   import. At this point, clients must authenticate, for example to view
   search results.</para>

   <screen>$ ldapsearch --port 1389 --baseDN dc=example,dc=com "(uid=bjensen)"

$ ldapsearch --bindDN uid=bjensen,ou=people,dc=example,dc=com \
 --bindPassword hifalutin --port 1389 --baseDN dc=example,dc=com "(uid=bjensen)"
dn: uid=bjensen,ou=People,dc=example,dc=com</screen>

   <para>You can download an example of the captured command,</para>

   <para>To reject anonymous access except bind and StartTLS requests, set
   <literal>reject-unauthenticated-requests:true</literal>.</para>

   <screen>$ dsconfig \
 set-global-configuration-prop \
 --bindDN "cn=Directory Manager" \
 --set reject-unauthenticated-requests:true</screen>

   <para>Once you set the property, anonymous clients trying to search, for
   example, get an <literal>Unwilling to Perform</literal> response from
   OpenDJ.</para>

   <screen>$ ldapsearch --port 1389 --baseDN dc=example,dc=com "(uid=bjensen)"
Result Code: 53 (Unwilling to Perform)
Additional Information: Rejecting the requested operation
 because the connection has not been authenticated</screen>

   <para>In both cases, notice that the changes apply to a single OpenDJ
   directory server configuration, and so are not replicated to other servers.
   You must instead apply the changes separately to each server.</para>
  </example>
  <example xml:id="access-control-full-access">
   <title>ACI: Full Access for Administrators</title>

   <para>Directory Administrators need privileges as well for full access to
   administrative operations.</para>

   <programlisting language="ldif">aci: (target="ldap:///dc=example,dc=com") (targetattr =
 "* || +")(version 3.0;acl "Admins can run amok"; allow(
 all, proxy, import, export) groupdn =
 "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)</programlisting>

   <para>Notice both <literal>targetattr = "* || +"</literal>, which permits
   access to both all user attributes and all operational attributes, and
   <literal>allow(all, proxy, import, export)</literal>, which permits not
   only all user operations, but also proxy authorization as well as data
   import and export operations.</para>
  </example>

  <example xml:id="access-control-selfwrite-password">
   <title>ACI: Change Own Password</title>

   <para>By default this capability is set in a global ACI.</para>

   <programlisting language="ldif">aci: (target ="ldap:///ou=People,dc=example,dc=com")(targetattr =
 "authPassword || userPassword")(version 3.0;acl "Allow users to change pass
 words"; allow (write)(userdn = "ldap:///self");)</programlisting>
  </example>

  <example xml:id="access-control-selfwrite-group">
   <title>ACI: Manage Own Group Membership</title>

   <para>For some static groups such as carpoolers and social club members,
   you might choose to let users manage their own memberships.</para>

   <programlisting language="ldif">aci: (target ="ldap:///ou=Self Service,ou=Groups,dc=example,dc=com")(
 targetattr = "member")(version 3.0;acl "Self registration"; allow(selfwrite)(
 userdn = "ldap:///uid=*,ou=People,dc=example,dc=com");)</programlisting>
  </example>

  <example xml:id="access-control-self-service-group">
   <title>ACI: Manage Self Service Groups</title>

   <para>Let users create and delete self-managed groups.</para>

   <programlisting language="ldif">aci: (target ="ldap:///ou=Self Service,ou=Groups,dc=example,dc=com")(
 targattrfilters="add=objectClass:(objectClass=groupOfNames)")(version 3.0;
 acl "All can create self service groups"; allow (add)(userdn= "
 ldap:///uid=*,ou=People,dc=example,dc=com");)
aci: (target ="ldap:///ou=Self Service,ou=Groups,dc=example,dc=com")(version 3
 .0; acl "Owner can delete self service groups"; allow (delete)(userattr= "
 owner#USERDN");)</programlisting>
  </example>

  <example xml:id="access-control-loopback-only">
   <title>ACI: Permit Clear Text Access Over Loopback Only</title>

   <para>This ACI uses IP address and Security Strength Factor subjects.</para>

   <programlisting language="ldif">aci: (target = "ldap:///dc=example,dc=com")(targetattr =
 "*")(version 3.0;acl "Use loopback only for LDAP in the clear"; deny (all)(
 ip != "127.0.0.1" and ssf &lt;= "1");)</programlisting>

   <para>The <literal>ssf</literal> is one, for example, when using SSL but
   you have not configured a cipher, so the packets are checksummed for
   integrity checking but all content is nevertheless sent in clear text.</para>
  </example>
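  <para>The following Python script is an added illustration, not OpenDJ code
  and not part of this guide. It parses the ACI syntax used in the examples of
  this section into target clauses, an ACL name and allow/deny rules, and then
  applies two checks a reviewer of directory data wants to script: listing the
  write-like permissions an ACI grants to <literal>ldap:///anyone</literal>,
  and performing the anyone-to-all rewrite described in the Disable Anonymous
  Access example. The first two sample ACIs copy the Anonymous Reads and Full
  Access examples above; the third, "Constructed bad ACI", is constructed for
  the example. The grammar covered is only what these examples exercise.</para>

```python
"""Added illustration (not OpenDJ code): a small parser for the ACI syntax used
in the examples above, plus two defender-side helpers: one that lists write-like
permissions granted to anonymous users (userdn = "ldap:///anyone") and one that
applies the anyone-to-all rewrite from the "Disable Anonymous Access" example.
The grammar covered is only what those examples exercise."""
import re

# Permissions that let a subject change data or act as someone else.
WRITE_LIKE = {"write", "add", "delete", "all", "proxy", "import", "export"}


def unfold(aci_text):
    """Undo LDIF line folding and drop a leading "aci:" attribute name."""
    text = re.sub(r"\n ", "", aci_text.strip())
    return re.sub(r"^aci:\s*", "", text)


def parse_aci(aci_text):
    """Return the target clauses, ACL name and (effect, permissions, bind rule)
    triples of one ACI.  Raises ValueError when no version/acl clause is found."""
    text = unfold(aci_text)
    targets = {}
    clause = r'\((target|targetattr|targattrfilters)\s*(!?=)\s*"([^"]*)"\)'
    for key, op, value in re.findall(clause, text):
        targets[key] = (value, op == "!=")
    head = re.search(r'\(version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;(.*)\)\s*$', text, re.S)
    if head is None:
        raise ValueError("no version/acl clause found in ACI")
    rules = []
    for effect, perms, bind in re.findall(r"(allow|deny)\s*\(([^)]*)\)\s*(.*?);", head.group(2), re.S):
        bind = bind.strip()
        if bind.startswith("(") and bind.endswith(")"):
            bind = bind[1:-1].strip()  # bind rule written as (userdn = "...")
        rules.append((effect, [p.strip() for p in perms.split(",")], bind))
    attrs, negated = targets.get("targetattr", ("", False))
    return {
        "name": head.group(1),
        "target": targets.get("target", ("", False))[0],
        "targetattr": ([a.strip() for a in attrs.split("||")] if attrs else [], negated),
        "rules": rules,
    }


def anonymous_write_grants(aci):
    """Write-like permissions that an allow rule grants to ldap:///anyone."""
    found = set()
    for effect, perms, bind in aci["rules"]:
        if effect == "allow" and "ldap:///anyone" in bind.lower():
            found.update(p for p in perms if p in WRITE_LIKE)
    return sorted(found)


def require_authentication(aci_text):
    """Rewrite ldap:///anyone (anonymous) to ldap:///all (any authenticated
    user), the edit the Disable Anonymous Access example makes to global ACIs."""
    return re.sub(r"ldap:///anyone", "ldap:///all", aci_text, flags=re.I)


def audit(aci_texts):
    """Map each ACL name to the anonymous write-like grants found in it."""
    report = {}
    for text in aci_texts:
        aci = parse_aci(text)
        report[aci["name"]] = anonymous_write_grants(aci)
    return report


# Sample ACIs: the first two copy examples from this section, the third is a
# constructed, deliberately over-broad ACI of the kind an audit should catch.
ANON_READ = '''aci: (target ="ldap:///dc=example,dc=com")(targetattr !=
 "authPassword || userPassword")(version 3.0;acl "Anonymous read-search access";
 allow (read, search, compare)(userdn = "ldap:///anyone");)'''
ADMIN_FULL = '''aci: (target="ldap:///dc=example,dc=com") (targetattr =
 "* || +")(version 3.0;acl "Admins can run amok"; allow(
 all, proxy, import, export) groupdn =
 "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)'''
WORLD_WRITE = '''aci: (targetattr = "*")(version 3.0;acl "Constructed bad ACI";
 allow (read, write)(userdn = "ldap:///anyone");)'''

if __name__ == "__main__":
    for name, grants in audit([ANON_READ, ADMIN_FULL, WORLD_WRITE]).items():
        print(name + ":", grants or "no anonymous write access")
    print(require_authentication(WORLD_WRITE))
```

  <para>Fed the three samples, the audit reports no anonymous write access for
  the two ACIs from this section and flags <literal>write</literal> for the
  constructed one; after <literal>require_authentication</literal> rewrites
  its bind rule, the same ACI passes. Running the audit over an LDIF export of
  the data is a quick way to confirm that no ACI grants anonymous users more
  than read, search and compare.</para>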
 </section>

 <section xml:id="get-effective-rights">
  <title>Viewing Effective Rights</title>
  <indexterm>
   <primary>Access control</primary>
   <secondary>Debugging</secondary>
  </indexterm>
  <indexterm>
   <primary>Access control</primary>
   <secondary>Effective rights</secondary>
  </indexterm>

  <para>Once you set up a number of ACIs, you might find it difficult to
  understand by inspection what rights a user actually has to a given entry.
  The Get Effective Rights control can help.</para>

  <para>The control OID, <literal>1.3.6.1.4.1.42.2.27.9.5.2</literal>, is
  not allowed by the default global ACIs.</para>

  <para>In this example, Babs Jensen is the owner of a small group of people
  who are willing to carpool.</para>

  <screen>$ ldapsearch \
 --bindDN "uid=bjensen,ou=people,dc=example,dc=com" \
 --baseDN "ou=Self Service,ou=Groups,dc=example,dc=com"
dn: cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com
member: uid=bjensen,ou=People,dc=example,dc=com
description: People who are willing to carpool
owner: uid=bjensen,ou=People,dc=example,dc=com</screen>

  <para>Performing the same search with the get effective rights control, and
  asking for the <literal>aclRights</literal> attribute, shows what rights
  Babs has on the entry.</para>

  <screen>$ ldapsearch \
 --bindDN "uid=bjensen,ou=people,dc=example,dc=com" \
 --baseDN "ou=Self Service,ou=Groups,dc=example,dc=com"
dn: cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com
aclRights;entryLevel: add:0,delete:1,read:1,write:0,proxy:0</screen>

  <para>Requesting the <literal>aclRightsInfo</literal> attribute results in
  information about the ACIs applied to arrive at the results.</para>

  <screen>$ ldapsearch \
 --bindDN "uid=bjensen,ou=people,dc=example,dc=com" \
 --baseDN "ou=Self Service,ou=Groups,dc=example,dc=com"
dn: cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com
aclRightsInfo;logs;entryLevel;read: acl_summary(main): access allowed(read) on e
 ntry/attr(cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com, objectClas
 s) to (uid=bjensen,ou=People,dc=example,dc=com) (not proxied) ( reason: evaluat
 ed allow , deciding_aci: Anonymous read-search access)
aclRightsInfo;logs;entryLevel;write: acl_summary(main): access not allowed(write
 ) on entry/attr(cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com, NULL
 ) to (uid=bjensen,ou=People,dc=example,dc=com) (not proxied) ( reason: no acis
aclRightsInfo;logs;entryLevel;add: acl_summary(main): access not allowed(add) on
 entry/attr(cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com, NULL) to
 (uid=bjensen,ou=People,dc=example,dc=com) (not proxied) ( reason: no acis matc
aclRightsInfo;logs;entryLevel;delete: acl_summary(main): access allowed(delete)
 on entry/attr(cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com, NULL)
 to (uid=bjensen,ou=People,dc=example,dc=com) (not proxied) ( reason: evaluated
 allow , deciding_aci: Owner can delete self service groups)
aclRights;entryLevel: add:0,delete:1,read:1,write:0,proxy:0
aclRightsInfo;logs;entryLevel;proxy: acl_summary(main): access not allowed(proxy
 ) on entry/attr(cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com, NULL
 ) to (uid=bjensen,ou=People,dc=example,dc=com) (not proxied) ( reason: no acis</screen>

  <para>You can also request the effective rights for another user by using the
  <option>--getEffectiveRightsAuthzid</option> (short form: <option>-g</option>)
  option, which takes the authorization identity of the other user as an
  argument. The following example shows Directory Manager checking anonymous
  user rights to the same entry. Notice that the authorization identity for an
  anonymous user is expressed as <literal>"dn:"</literal>.</para>

  <screen>$ ldapsearch \
 --getEffectiveRightsAuthzid "dn:" \
 --bindDN "cn=Directory Manager" \
 --baseDN "ou=Self Service,ou=groups,dc=example,dc=com"
dn: cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com
aclRightsInfo;logs;entryLevel;read: acl_summary(main): access allowed(read) on e
 ntry/attr(cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com, objectClas
 s) to (anonymous) (not proxied) ( reason: evaluated allow , deciding_aci: Anony
aclRightsInfo;logs;entryLevel;write: acl_summary(main): access not allowed(write
 ) on entry/attr(cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com, NULL
 ) to (anonymous) (not proxied) ( reason: no acis matched the subject )
aclRightsInfo;logs;entryLevel;add: acl_summary(main): access not allowed(add) on
 entry/attr(cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com, NULL) to
 (anonymous) (not proxied) ( reason: no acis matched the subject )
aclRightsInfo;logs;entryLevel;delete: acl_summary(main): access not allowed(dele
 te) on entry/attr(cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com, NU
 LL) to (anonymous) (not proxied) ( reason: no acis matched the subject )
aclRightsInfo;logs;entryLevel;proxy: acl_summary(main): access not allowed(proxy
 ) on entry/attr(cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com, NULL
 ) to (anonymous) (not proxied) ( reason: no acis matched the subject )</screen>

  <para>When you need to check access to an attribute that might not yet exist
  on the entry, you can further use the
  <option>--getEffectiveRightsAttribute</option> (short form:
  <option>-e</option>) option, which takes an attribute list as an argument.
  The following example shows Directory Manager checking anonymous user
  access to the description attribute for the Self Service groups organizational
  unit entry. The description attribute is not present on the entry, yet.</para>

  <screen>$ ldapsearch \
 --baseDN "ou=Self Service,ou=groups,dc=example,dc=com" \
 "ou=Self Service" description
dn: ou=Self Service,ou=Groups,dc=example,dc=com

$ ldapsearch \
 --getEffectiveRightsAuthzid "dn:" \
 --getEffectiveRightsAttribute description \
 --bindDN "cn=Directory Manager" \
 --baseDN "ou=Self Service,ou=groups,dc=example,dc=com" \
 "ou=Self Service" aclRights
dn: ou=Self Service,ou=Groups,dc=example,dc=com
aclRights;attributeLevel;description: search:1,read:1,compare:1,write:0,selfwrit
 e_add:0,selfwrite_delete:0,proxy:0
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0</screen>