Managing Access Control by Using Command-Line Tools

As described in "Overview of Access Control Policy Administration", directory access control policy information is represented as user-modifiable operational attributes. Hence, you can manage directory access control by using ldapmodify to set and alter values of these attributes. Any tool, including ldapmodify and ldapmodifymt, can be used for this purpose.

To directly edit the ACI, you should understand the format and semantics of the directory representation of the ACI as described in Appendix E, "The Access Control Directive Format".

See Also: "LDAP Data Interchange Format (LDIF) Syntax" for information about how to format input by using LDAP Data Interchange Format (LDIF), the required input format for line mode commands "ldapmodify Syntax" for information about how to run ldapmodify Appendix E, "The Access Control Directive Format" for information about the format or syntax of ACI

Example: Restricting the Kind of Entry a User Can Add

You can specify ACIs to restrict the kind of entries a user can add. For example, you can specify an ACI in the DSE root entry that allows users to add only entries with objectclass=country. To do this, you use the added_object_constraint filter. The directory server then verifies that any new entry complies with the constraints in this filter.

The following example specifies that:

• The subject cn=admin,c=us can browse, add, and delete under organization entries.

• The subject cn=admin,c=us can add organizationalUnit objects under organization entries

• All others can browse under organization entries

  access to entry filter=(objectclass=organization)  
  by group="cn=admin,c=us"
  
            constraintonaddedobject=(objectclass=organisationalunit)
  
            (browse,add,delete) 
  by * (browse)
  

Example: Setting Up an Inheritable ACP by Using ldapmodify

This example sets up subtree access permissions in an orclACI at the root DSE by using an LDIF file named my_ldif_file. Because this example refers to the orclACI attribute, this access directive governs all the entries in the DIT.

ldapmodify -v -h $1 -D "cn=Directory Manager, o=IMC, c=US" -w "controller" -f 
my_ldif_file

The LDIF file, my_ldif_file, contains the following:

dn:  
changetype: modify
replace: orclaci
orclaci: access to entry 

by dn="cn=directory manager, o=IMC, c=us" (browse, add, delete) 
by * (browse, noadd, nodelete)

orclaci: access to attr=(*) 

by dn="cn=directory manager, o=IMC, c=us" (search, read, write, compare) 
by self (search, read, write, compare) 
by * (search, read, nowrite, nocompare)

Example: Setting Up Entry-Level ACIs by Using ldapmodify

This example sets up entry-level access permissions in the orclEntryLevelACI attribute by using an LDIF file named my_ldif_file. Because this example refers to the orclentrylevelACI attribute, this access directive governs only the entry in which it resides.

ldapmodify -v -h myhost -D "cn=Directory Manager, o=IMC, c=US" -w "controller" 

-f my_ldif_file

The LDIF file, my_ldif_file, contains the following:

dn:  
changetype: modify
replace: orclentrylevelaci
orclentrylevelaci: access to entry 

by dn="cn=directory manager, o=IMC, c=us" (browse, add, delete) 
by * (browse, noadd, nodelete)

orclentrylevelaci: access to attr=(*)

by dn="cn=directory manager, o=IMC, c=us" (search, read, write, compare) 
by * (search, read, nowrite, nocompare)

Note: In this example, no DN value is specified. This means that this ACI pertains to the root DSE and its attributes only.

Example: Using Wild Cards

This example shows the use of wild cards (*) in the object and subject specifiers. For all entries within the acme.com domain, it grants to everyone browse permission on all entries, as well as read and search permissions on all attributes.

orclACI attribute in the ACP at dc=com

access to entry by * (browse)

access to attr=(*) by * (search, read)

Note that, in order to allow reading the attributes, browse permissions must be granted on the entries in order for read permissions to be granted to the attributes of those entries.

Example: Selecting Entries by DN

This example shows the use of a regular expression to select the entries by DN in two access directives. It grants to everyone read-only access to the address book attributes under dc=acme,dc=com access.

orclACI attribute of dc=acme, dc=com:

access to entry by * (browse) 
access to attr=(cn, telephone, email) by * (search, read) 

orclACI attribute of dc=us, dc=acme, dc=com:

access to entry by * (browse) 
access to attr=(*) by dn=".*,dc=us,dc=acme,dc=com" (search, read) 

Example: Using Attribute and Subject Selectors

This example shows the use of an attribute selector to grant access to a specific attribute, and various subject selectors. The example applies to entries in the dc=us,dc=acme,dc=com subtree. The policy enforced by this ACI can be described as follows:

• For all entries within the subtree, the administrator has add, delete, and browse permissions. Others within the dc=us subtree can browse, but those outside it have no access to the subtree.

• The salary attribute can be modified by one's manager and viewed by oneself. No one else has access to the salary attribute.

• The userPassword attribute can be viewed and modified by oneself and the administrator. Others can only compare this attribute.

• The homePhone attribute can be read and written by oneself and viewed by anyone else.

• For all other attributes, only the administrator can modify values. Everyone else can compare, search, read, but cannot update attribute values.

"orclACI" attribute of "dc=us, dc=acme, dc=com":

access to entry 
by dn="cn=admin, dc=us,dc=acme,dc=com" (browse, add, delete) 
by dn=".*, dc=us,dc=acme,dc=com" (browse) 
by * (none) 

access to attr=(salary) 
by dnattr=(manager) (read, write) 
by self (read) 
by * (none) 

access to attr=(userPassword) 
by self (search, read, write) 
by dn="cn=admin, dc=us,dc=acme,dc=com" (search, read, write) 
by * (compare) 

access to attr=(homePhone) 
by self (search, read, write) 
by * (read) 

access to attr != (salary, userPassword, homePhone) 
by dn="cn=admin, dc=us,dc=acme,dc=com" (compare, search, read, write) 
by * (compare, search, read) 

Example: Granting Read-Only Access

This example gives to everyone read-only access to address book attributes under dc=acme,dc=com. It also extends to everyone read access to all attributes within the dc=us,dc=acme,dc=com subtree only.

orclACI attribute of dc=acme, dc=com:

access to entry by * (browse)
access to attr=(cn, telephone, email) by * (search, read) 

orclACI attribute of dc=us, dc=acme, dc=com:

access to entry by * (browse) 
access to attr=(*) by dn=".*,dc=us,dc=acme,dc=com" (search, read)

Example: Granting Selfwrite Access to Group Entries

This example allows people within the US domain to add or remove only their own name (DN) to or from the member attribute of a particular group entry, for example, a mailing list.

orclEntryLevelACI attribute of the group entry in question:

access to attr=(member) 
by dn=".*, dc=us,dc=acme,dc=com" (selfwrite)