Access Control

Access to information in the directory is controlled by a set of rules that determine what permissions a user requires in order to access an entry or an attribute. The permission level granted to the user depends on the authentication information provided by the user. It also depends on the specific rules defined by the directory administrator for a particular entry or attribute.


Permission Levels

There are five levels of permission for directory information:

none
You are not permitted to access the entry at all, and will not even see information indicating that the entry exists.
compare
You can compare the value of a given attribute with a value you supply, but you cannot read the attribute value. This is used when checking passwords.
search
You can read the distinguished name of an entry, and you can search for entries based on the existence of an attribute or attribute value. You will not necessarily be able to read the attribute value.
read
You can read the value of any accessible attribute within an entry.
write
You can write information into an entry or attribute, that is, you can modify or delete an attribute value, attribute, or whole entry.

Note - When you are granted permission for a given level of operation, you are implicitly granted all lower levels of permission. For example, read permission implies that search and compare permissions are granted too.

Defining Rules for Entries and Attributes

Access control rules define which users are granted which permission for a given set of entries or attributes. For example, you can give a privileged user read permission for all attributes except password in all entries, and compare permission for password attributes.

You can define an access control rule for any set of entries that can be defined by:

All entries
A distinguished name based regular expression (see "Using the Distinguished Name Editor" on page 211)
An LDAP filter (see "Specifying an LDAP Filter" on page 212)
The presence of a particular attribute

You can define access control rules that apply to the person described by an entry (using the keyword self), so that, for example, only you can change your own password. You can also define access control rules that apply to any user (using the keyword everyone or *).

The access control rules are applied in sequence, so the order in which they are listed is important. You must state the most specific rules first, with more general rules afterward. "Configuring Access Control" on page 205 explains how to define an access control rule using the configuration tool, and how to specify the order of rules.

For example, you could define the following access control rules:

Users have write access to their own password attribute, but only compare access to the passwords of other users.
A user whose entry contains the attribute value locality=San Francisco has read access to all other entries that contain the attribute value locality=San Francisco, but cannot read the password attribute value.

The default access controls defined at installation are as follows:

All users have compare access to the values of the attribute userPassword. To change the value of the userPassword attribute, you must bind with the DN of the entry containing the attribute, that is, the password can only be changed by the owner of the entry.
Everyone has read access to the following attributes: cn, dataSource, homeDirectory, messageStore, messageStoreSizeQuota, mail, mailServer, objectStatus, preferredRfc822Recipient, rfc822Mailbox, uid.
Any user can add their DN to, or delete their DN from, the member attribute of any entry containing the attribute joinable with value TRUE.
Anyone binding with the DN of an entry has write access to that entry. Everyone else has read access only.
The administrator always has complete access to all attributes in all entries. You cannot change the access granted to the administrator, which ensures that there is always at least one user who has access to every entry in the directory.

These rules are applied in order, starting with the most specific followed by the more general rules.

CODE EXAMPLE 1-1 shows how the default access controls are defined in the directory server configuration file.

CODE EXAMPLE 1-1 Default Access Controls

    access to attrs=userPassword
        by self write
        by * compare

    access to attrs=cn, dataSource, homeDirectory, MailMessageStore, mailQuota, mail, mailHost, objectStatus, preferredRfc822Recipient, rfc822Mailbox, uid
        by self read
        by * read

    access to filter="joinable=TRUE" attrs= member, entry
        by dnattr=member self write

    access to *
        by self write
        by * read

All directory interactions begin with a bind. The information used to establish the bind is also used to determine the permission level at which you are granted access to the directory. All further interaction with the directory for the duration of the bind is regulated by this permission level.
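As an added illustration that is not part of the original Sun documentation, the following Python model evaluates ordered rules like those in CODE EXAMPLE 1-1 against constructed sample entries. It shows three things stated above: a grant at one level implies all lower levels, the first rule whose target matches decides the outcome, and moving the catch-all "access to *" ahead of the userPassword rule would let every bound user read password values instead of only comparing them. The rule data structure, the sample DNs and entries, the treatment of "by dnattr=member self write" as a selfwrite level (any bound user may add or remove exactly their own DN), and the assumption that a matching rule with no matching by clause denies access are all this example's own, not the product's implementation.

```python
"""Added example (not from the Sun documentation): a model of ordered
access-control rules with cumulative permission levels."""

# Permission levels in increasing order. A grant at one level implies every
# lower level, so read also allows search and compare.
LEVELS = ["none", "compare", "search", "read", "write"]


def implies(granted, required):
    """True when the granted level covers the required one."""
    return LEVELS.index(granted) >= LEVELS.index(required)


# A rule is (target, by_clauses).
#   target: dict with optional keys
#     "attrs"  - attribute names the rule covers ("entry" = the entry itself);
#                absent means everything, like "access to *"
#     "filter" - (attribute, value) that the target entry must contain
#   by_clauses: ordered list of (subject, level), subject being "self" or "*".
#   The level "selfwrite" (assumption, modelling "by dnattr=member self write")
#   grants write only for a value equal to the bind DN, otherwise read.

def subject_matches(subject, bind_dn, entry_dn):
    if subject == "*":
        return True
    if subject == "self":
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    return False


def target_matches(target, entry, attr):
    attrs = target.get("attrs")
    if attrs is not None and (attr or "entry") not in attrs:
        return False
    flt = target.get("filter")
    if flt is not None and flt[1] not in entry.get(flt[0], []):
        return False
    return True


def permission(rules, bind_dn, entry_dn, entry, attr=None, value=None):
    """Level granted to bind_dn on attr of entry (None = the entry itself).
    Rules are tried in order; the first rule whose target matches decides.
    Its by clauses are tried in order and the first matching subject's level
    is returned. Assumption: when no by clause matches, access is none and
    later rules are not consulted."""
    for target, by_clauses in rules:
        if not target_matches(target, entry, attr):
            continue
        for subject, level in by_clauses:
            if subject_matches(subject, bind_dn, entry_dn):
                if level == "selfwrite":
                    own = (bind_dn is not None and value is not None
                           and value.lower() == bind_dn.lower())
                    return "write" if own else "read"
                return level
        return "none"
    return "none"


def allowed(rules, bind_dn, entry_dn, entry, attr, required, value=None):
    """True when the bound user holds at least `required` on the target."""
    return implies(permission(rules, bind_dn, entry_dn, entry, attr, value), required)


# The default rules from CODE EXAMPLE 1-1, transcribed into this model.
MAIL_ATTRS = {"cn", "dataSource", "homeDirectory", "MailMessageStore", "mailQuota",
              "mail", "mailHost", "objectStatus", "preferredRfc822Recipient",
              "rfc822Mailbox", "uid"}
DEFAULT_RULES = [
    ({"attrs": {"userPassword"}}, [("self", "write"), ("*", "compare")]),
    ({"attrs": MAIL_ATTRS}, [("self", "read"), ("*", "read")]),
    ({"filter": ("joinable", "TRUE"), "attrs": {"member", "entry"}},
     [("*", "selfwrite")]),
    ({}, [("self", "write"), ("*", "read")]),
]

# The same rules with the catch-all "access to *" listed first: because the
# first matching rule decides, the password rule is never reached.
MISORDERED_RULES = DEFAULT_RULES[-1:] + DEFAULT_RULES[:-1]

# Constructed sample entries (not real directory data).
ALICE = "cn=alice,o=example"
BOB = "cn=bob,o=example"
STAFF = "cn=staff,o=example"
ENTRIES = {
    ALICE: {"cn": ["alice"], "userPassword": ["{crypt}x"], "mail": ["alice@example"]},
    STAFF: {"cn": ["staff"], "joinable": ["TRUE"], "member": [ALICE]},
}


if __name__ == "__main__":
    for rules, label in ((DEFAULT_RULES, "default"), (MISORDERED_RULES, "misordered")):
        lvl = permission(rules, BOB, ALICE, ENTRIES[ALICE], "userPassword")
        print(f"{label}: bob on alice's userPassword -> {lvl}")
    print("bob may add his own DN to staff:",
          allowed(DEFAULT_RULES, BOB, STAFF, ENTRIES[STAFF], "member", "write", BOB))
    print("bob may add alice's DN to staff:",
          allowed(DEFAULT_RULES, BOB, STAFF, ENTRIES[STAFF], "member", "write", ALICE))
```

With the rules in their documented order, another user's bind yields only compare on Alice's userPassword; with the catch-all rule moved first, the same bind yields read, which is the failure mode the ordering requirement above guards against. The joinable check shows why a selfwrite-style grant is narrower than write: Bob can add or remove his own DN in the member attribute but cannot add Alice's.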




Copyright © 1999 Sun Microsystems, Inc. All Rights Reserved.