Permissions specify the type of access that is allowed or denied by the ACI. For information about bind rules, see the following sections:
An ACI permission statement has this syntax:
allow|deny (right1, right2 ...)
Rights define the operations you can perform on directory data. In an ACI statement, the rights are a comma-separated list of keywords enclosed in parentheses.
Rights are granted independently of one another. This means, for example, that a user who is granted add rights but not delete rights can create an entry but cannot delete an entry. When you are planning the access control policy for your directory, ensure that you grant rights in a way that makes sense for users. For example, it might not make sense to grant write permission without granting read and search permissions.
The following rights can be allowed or denied in an ACI permission statement:
Read: Permission to read directory data. This permission applies only to the search operation.
Write: Permission to modify an entry by adding, modifying, or deleting attributes. This permission applies to the modify and modify DN operations.
Add: Permission to create entries. This permission applies only to the add operation.
Delete: Permission to delete entries. This permission applies only to the delete operation.
Search: Permission to search for directory data. Users must have both Search and Read rights in order to view the data returned as part of a search result. This permission applies only to the search operation.
Compare: Permission for users to compare data they supply with data stored in the directory. With compare rights, the directory returns a success or failure message in response to an inquiry, but the user cannot see the value of the entry or attribute. This permission applies only to the compare operation.
Selfwrite: Permission for users to add or delete their own DN in an attribute of the target entry. The syntax of this attribute must be distinguished name. This right is used only for group management. The Selfwrite permission works with proxy authorization; it grants the right to add or delete the proxy DN from the group entry (not the DN of the bound user).
Proxy: Permission for the specified DN to access the target with the rights of another entry. You can grant proxy access using the DN of any user in the directory except the Directory Manager DN. You cannot grant proxy rights to the Directory Manager.
Import: Permission for an entry to be imported to the specified DN. This permission applies to the modify DN operation.
Export: Permission for an entry to be exported from the specified DN. This permission applies to the modify DN operation.
All: Permission for the specified DN to have the following rights for the targeted entry: read, write, search, delete, compare, and selfwrite. The All access right does not include the proxy, import, and export rights for the target entry.
This section describes the rights required to perform a set of LDAP operations.
Adding an entry:
  - Grant add permission on the entry being added.
  - Grant write permission on the value of each attribute in the entry. This right is granted by default but can be restricted using the targattrfilters keyword.
Deleting an entry:
  - Grant delete permission on the entry to be deleted.
  - Grant write permission on the value of each attribute in the entry. This right is granted by default but can be restricted using the targattrfilters keyword.
Modifying an attribute in an entry:
  - Grant write permission on the attribute type.
  - Grant write permission on the value of each attribute type. This right is granted by default but can be restricted using the targattrfilters keyword.
Modifying the RDN of an entry (modify DN operation):
  - Grant write permission on the entry.
  - Grant write permission on the attribute type used in the new RDN.
  - Grant write permission on the attribute type used in the old RDN, if you want to grant the right to delete the old RDN.
  - Grant write permission on the value of the attribute type used in the new RDN. This right is granted by default but can be restricted using the targattrfilters keyword.
Moving an entry to a new superior entry (modify DN operation):
  - Grant export permission on the entry that you want to move.
  - Grant import permission on the new superior entry of the entry that you want to move.
Comparing an attribute value:
  - Grant compare permission on the attribute type.
Searching for entries:
  - Grant search permission on each attribute type used in the search filter.
  - Grant read permission on at least one attribute type used in the entry to ensure that the entry is returned.
  - Grant read permission on each attribute type to be returned with the entry.
This example configures permissions to allow bjensen to search her own entry. The target of the ACI is (target="ldap:///dc=example,dc=com"), and bjensen runs the following search:
ldapsearch -h host -p port -D "uid=bjensen,dc=example,dc=com" \
  -w password -b "dc=example,dc=com" \
  "(objectclass=*)" mail
The following ACI determines whether bjensen can be granted access for searching her own entry:
aci: (targetattr = "mail")(version 3.0; acl "self access to mail"; allow (read, search) userdn = "ldap:///self";)
The search result list is empty because this ACI does not grant bjensen the search right on the objectclass attribute, which is used in the search filter. To perform the search operation described, you must modify the ACI as follows:
aci: (targetattr = "mail || objectclass")(version 3.0; acl "self access to mail"; allow (read, search) userdn = "ldap:///self";)
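The following is an added example (not part of the Directory Server documentation) that models the access check described above as a small Python evaluator: it reads the targetattr list and the allowed rights out of a self-access ACI, requires the search right on every attribute named in the filter, and returns the entry only if at least one requested attribute is readable. The parsing handles only single-ACI strings of the shape shown on this page, and the expansion of "all" follows the rights list given above.

```python
import re

# Rights that "all" stands for; proxy, import and export are deliberately not included.
ALL_RIGHTS = {"read", "write", "search", "delete", "compare", "selfwrite"}


def parse_aci(aci):
    """Return (targetattr set, allowed rights set) for one allow ACI of the form used on this page."""
    m_attr = re.search(r'\(targetattr\s*=\s*"([^"]*)"\)', aci)
    m_rights = re.search(r'allow\s*\(([^)]*)\)', aci)
    if m_attr is None or m_rights is None:
        raise ValueError("expected a (targetattr = \"...\") clause and an allow (...) clause")
    attrs = {a.strip().lower() for a in m_attr.group(1).split("||")}
    rights = {r.strip().lower() for r in m_rights.group(1).split(",")}
    if "all" in rights:
        rights = (rights - {"all"}) | ALL_RIGHTS
    return attrs, rights


def filter_attrs(ldap_filter):
    """Attribute types referenced in a search filter, e.g. (&(objectclass=person)(mail=*))."""
    return {a.lower() for a in re.findall(r'\(([A-Za-z][\w;-]*)\s*[~<>]?=', ldap_filter)}


def evaluate_search(aci, ldap_filter, requested):
    """Decide whether a self-search succeeds under `aci`.

    Returns (entry_returned, visible_attrs). `requested` is the explicit attribute list
    passed to ldapsearch; an entry comes back only if at least one of them is readable.
    """
    attrs, rights = parse_aci(aci)
    # Search right is needed on every attribute type used in the filter.
    if "search" not in rights or not filter_attrs(ldap_filter) <= attrs:
        return False, []
    # Read right is needed to see any returned value.
    if "read" not in rights:
        return False, []
    visible = [a for a in requested if a.lower() in attrs]
    return bool(visible), visible


# Constructed inputs mirroring the two ACIs discussed above.
ACI_MAIL_ONLY = ('aci: (targetattr = "mail")(version 3.0; acl "self access to mail"; '
                 'allow (read, search) userdn = "ldap:///self";)')
ACI_MAIL_AND_OC = ('aci: (targetattr = "mail || objectclass")(version 3.0; '
                   'acl "self access to mail"; allow (read, search) userdn = "ldap:///self";)')

if __name__ == "__main__":
    print(evaluate_search(ACI_MAIL_ONLY, "(objectclass=*)", ["mail"]))    # (False, [])
    print(evaluate_search(ACI_MAIL_AND_OC, "(objectclass=*)", ["mail"]))  # (True, ['mail'])
```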