Configuring Access Control

Access to information in the directory is controlled by a set of rules that determine what permissions a user requires in order to access an entry or an attribute. The levels of permission for directory information are:

None - You are not permitted to access the entry at all, and cannot see information indicating that the entry exists.
Compare - You can compare the value of a given attribute with a value you supply, but you cannot read the attribute value. This is used when checking passwords.
Search - You can read the distinguished name of an entry, and you can search for entries based on the existence of an attribute or attribute value. You cannot necessarily read the attribute value.
Read - You can read the value of an attribute within an entry.
Write - You can write information into an entry or attribute; that is, you can modify or delete an attribute value, attribute, or whole entry.

Note - If you have permission to read the attributes of an entry, you also have permission to search and compare.

Access control rules define which users are granted which permissions for a given set of entries or attributes. For example, you can give a privileged user read permission for all attributes except password in all entries, and compare permission for password attributes.

Access control rules for any set of entries can be defined by:

All entries
A distinguished name-based regular expression (see "Specifying a Distinguished Name")
An LDAP filter (see "Specifying an LDAP Filter")
Presence of a particular attribute

You can define access control rules that apply to the person described by an entry (using the keyword self), so that, for example, only you can change your own password. You can also define access control rules that apply to any user (using the keyword everyone or *).

The access control rules are applied in sequence, so the order in which they are listed is important. You must state the most specific rules first, with more general rules afterward. "Configuring Access Control" explains how to define an access control rule using the configuration tool, and how to specify the order of rules.

For example, you could define the following access control rules:

Users have write access to their own password attribute, but only compare access to the passwords of other users.
A user whose entry contains the attribute value locality=San Francisco has read access to all other entries that contain the attribute value locality=San Francisco, but cannot read the password attribute value.

The default access controls defined at installation are as follows:

All users have compare access to the values of the attribute userPassword. To change the value of the userPassword attribute, you must bind with the DN of the entry containing the attribute, that is, the password can only be changed by the owner of the entry.
Everyone has read access to the following attributes: cn, dataSource, homeDirectory, messageStore, messageStoreSizeQuota, mail, mailServer, objectStatus, preferredRfc822Recipient, rfc822Mailbox, and uid.
Any user whose DN is listed in the member attribute of an entry has write access to the member and entry attributes of that entry, provided the entry contains the attribute joinable with value TRUE. These attributes are also writable by any user who binds with the DN of the entry.
Anyone binding with the DN of an entry has write access to that entry. Everyone else has read access only.
The system administrator always has complete access to all attributes in all entries. You cannot change the access granted to the administrator, which ensures that there is always at least one user who has access to every entry in the directory.

These rules are applied in order, starting with the most specific followed by the more general rules. The following table shows how the default access controls are defined in the directory server configuration file (for information about configuration files, see Chapter 2, "Commands Reference," in the sections "slapd" and "slurpd").

TABLE 4-2 Permission Attributes for User Access

access to attrs=userPassword
    by self write
    by * compare

access to attrs=cn, dataSource, homeDirectory, messageStore, messageStoreSizeQuota, mail, mailServer, objectStatus, preferredRfc822Recipient, rfc822Mailbox, uid
    by self read
    by * read

access to filter="joinable=TRUE" attrs=member, entry
    by dnattr=member self write

access to *
    by self write
    by * read

TABLE 4-2 lists permission attributes for user access.

All directory interactions begin with a bind. The information used to establish the bind is also used to determine the permission level at which you are granted access to the directory. All further interaction with the directory for the duration of the bind is regulated by this permission level.
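As an added illustration (not code from the original page or from the directory server itself), the following Python models first-match evaluation of the TABLE 4-2 rules against a bound DN, including the "read implies search and compare" rule and what happens when the general "access to *" rule is misordered ahead of the specific ones. The sample entries and DNs are constructed, the second rule's attribute list is shortened, and the behaviour "a matching rule with no matching by clause denies" is an assumption of this toy, not a statement about the product.

```python
LEVELS = {"none": 0, "compare": 1, "search": 2, "read": 3, "write": 4}
# Each rule: (attrs or None for "all attributes", (attr, value) filter or
# None, ordered (who, level) clauses). Transcribed from TABLE 4-2 above;
# the attribute list of the second rule is shortened to three names.
DEFAULT_RULES = [
    ({"userPassword"}, None, [("self", "write"), ("*", "compare")]),
    ({"cn", "mail", "uid"}, None, [("self", "read"), ("*", "read")]),
    ({"member", "entry"}, ("joinable", "TRUE"),
     [("dnattr=member", "write"), ("self", "write")]),
    (None, None, [("self", "write"), ("*", "read")]),
]

def _who_matches(who, bind_dn, entry):
    if who == "*":                      # everyone, including anonymous binds
        return True
    if who == "self":                   # bound as the DN of the entry itself
        return bind_dn == entry["dn"]
    if who.startswith("dnattr="):       # bind DN is a value of the named attribute
        return bind_dn in entry.get(who[len("dnattr="):], [])
    return False

def access_level(rules, bind_dn, entry, attr):
    """Permission level granted by the first rule whose target matches."""
    for attrs, flt, clauses in rules:
        if attrs is not None and attr not in attrs:
            continue
        if flt is not None and flt[1] not in entry.get(flt[0], []):
            continue
        for who, level in clauses:
            if _who_matches(who, bind_dn, entry):
                return level
        return "none"  # assumption: matching rule, no matching "by" clause -> deny
    return "none"

def allowed(rules, bind_dn, entry, attr, op):
    """Read implies search and compare, so levels are ordered, not exact."""
    return LEVELS[access_level(rules, bind_dn, entry, attr)] >= LEVELS[op]

# Constructed sample entries (not from the original page).
ALICE = {"dn": "uid=alice,o=example", "userPassword": ["constructed-hash"],
         "cn": ["Alice"], "mail": ["alice@example.com"]}
STAFF = {"dn": "cn=staff,o=example", "joinable": ["TRUE"],
         "member": ["uid=alice,o=example"]}

if __name__ == "__main__":
    bob = "uid=bob,o=example"
    print(access_level(DEFAULT_RULES, bob, ALICE, "userPassword"))        # compare
    # With "access to *" moved first, every bind could read userPassword.
    print(access_level(DEFAULT_RULES[::-1], bob, ALICE, "userPassword"))  # read
```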




Copyright © 1999 Sun Microsystems, Inc. All Rights Reserved.