Access Control

Access to information in the directory is controlled by a set of rules that determine what operations a user can perform on a particular entry or attribute. The permission level granted to the user depends on the authentication information provided by the user. It also depends on the specific rules defined by the directory administrator for a particular entry or attribute.

Permission Levels

There are five permission levels for directory information. From the least privileged to the most privileged, they are:

• none

  You are not permitted to access the entry at all, and will not even see information indicating that the entry exists.

• compare

  You can compare the value of a given attribute with a value you supply, but you cannot read the attribute value. This is used when checking passwords.

• search

  You can read the distinguished name of an entry, and you can search for entries based on the existence of an attribute or attribute value. You will not necessarily be able to read the attribute value.

• read

  You can read the value of any accessible attribute within an entry.

• write

  You can write information into an entry or attribute, that is, you can modify or delete an attribute value, attribute, or whole entry.

When you are granted permission for a given level of operation, you are implicitly granted all lower levels of permission. For example, read permission implies that search and compare permissions are granted too.

Defining Rules for Entries and Attributes

Access control rules define which users are granted which permission for a given set of entries or attributes. For example, you can give a user read permission for all attributes except password in all entries, and compare permission for password attributes.

You can define the set of entries or attributes to which an access control rule applies by using:

• The symbol * to represent all entries

• A regular expression in a distinguished name (see "Using the DN Editor")

• An LDAP filter (see "Using the Filter Editor")

• The presence of a particular attribute

For example, you could define the following access control rules:

• Users have write access to their own password attribute, but only compare access to the passwords of other users.

• A user whose entry contains the attribute value locality=San Francisco has read access to all other entries that contain the attribute value locality=San Francisco, but cannot read the password attribute value.

The access control rules are applied in sequence, so the order in which they are listed is important. You must state the most specific rules first, with more general rules afterward. "Configuring Access Control" explains how to define an access control rule using the configuration tool, and how to specify the order of rules.

Binding to the Directory

Depending on the access control rules defined for the directory, for certain operations, you need to bind to the directory. Binding means authenticating yourself by providing your DN and password. This process determines the permission level you are granted for the duration of the connection.

For example, with the default set of access control rules, you have write permission to your password in your directory entry. When you bind with the DN and password of an entry, you are identified by the keyword self for that entry. With an anonymous bind, you have search, and read permissions for all entries and attributes except the password attribute, for which you have compare permission. These are the permissions granted to users identified by the keyword everyone or *.

Default Access Control Rules

The default access controls defined at installation are as follows:

• All users have compare access to the values of the attribute userPassword. To change the value of the userPassword attribute, you must bind with the DN of the entry containing the attribute, that is, the password can only be changed by the owner of the entry.

• All users have compare access to the values of the attributes chapPasswd, radiusLoginPasswd, radiusPppPasswd, radiusSlipPasswd. Write access to these attributes is granted to the users who bind with the DN of the entry containing the attributes.

• Anyone binding with the DN of an entry has write access to the userPassword, gecos, and loginShell attributes of that entry. Everyone else has read access only.

• Everyone has read access to the following attributes: cn, dataSource, homeDirectory, messageStore, messageStoreSizeQuota, mail, mailServer, objectStatus, preferredRfc822Recipient, rfc822Mailbox, uid.

• Any user can add their DN to, or delete their DN from, the member attribute of any entry containing the attribute joinable with value TRUE.

• The administrator always has complete access to all attributes in all entries. You cannot change the access granted to the administrator because it is not defined in the configuration file. This ensures that there is always at least one user who has access to every attribute in every entry in the directory.

These rules are applied in order, starting with the most specific followed by the more general rules.

Example 1-1 shows how the default access controls are defined in the directory server configuration file /etc/opt/SUNWconn/ldap/current/dsserv.acl.conf.

Example 1-1 Default Access Controls

access to attrs=userPassword	by self write
	by * compare

# Radius ACLs
access to attrs=chapPassword, radiusLoginPasswd, radiusPppPasswD,
radiusSlipPasswd
	by self write
	by * compare

access to attrs=sharedKey
	by self write
	by * compare

# dsyppasswdd ACLs
access to attrs=userPassword
	by self write
	by * compare

access to attrs=gecos,loginShell
	by self write

# SIMS ACLs
access to attrs=cn, dataSource, homeDirectory, mail, mailHost,
mailQuota, objectStatus, preferredRfc822Recipient, rfc822Mailbox,
uid
	by self read
	by * read

# Default ACLs
access to filter="joinable=TRUE" attrs=member,entry
	by dnattr=member selfwrite

access to * by self read

For information on configuring access control rules for Sun Directory Services, refer to "Configuring Access Control".