upstream/openldap
1
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2025-12-25 00:59:45 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

Remove derived file

Browse source
This commit is contained in:
Kurt Zeilenga 2001-11-03 19:07:05 +00:00
parent cf13ded4fe
commit 57a5439d6c
1 changed files with 0 additions and 312 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

312
doc/man/man5/slapd.access.5.tmp
View file

@ -1,312 +0,0 @@
.TH SLAPD.ACCESS 5 "28 Oct 2001" "OpenLDAP 2.X"
.\" Copyright 1998-2001 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.SH NAME
slapd.access \- access configuration for slapd, the stand-alone LDAP daemon
.SH SYNOPSIS
/usr/local/etc/openldap/slapd.conf
.SH DESCRIPTION
The file
.B /usr/local/etc/openldap/slapd.conf (5)
contains configuration information for the
.BR slapd (8)
daemon. This configuration file is also used by the
.BR slurpd (8)
replication daemon and by the SLAPD tools
.BR slapadd (8),
.BR slapcat (8),
and
.BR slapindex (8).
.LP
The
.B slapd.conf
file consists of a series of global configuration options that apply to
.B slapd
as a whole (including all backends), followed by zero or more database
backend definitions that contain information specific to a backend
instance.
.LP
The general format of
.B slapd.conf
is as follows:
.LP
.nf
# comment - these options apply to every database
<global configuration options>
# first database definition & configuration options
database <backend 1 type>
<configuration options specific to backend 1>
# subsequent database definitions & configuration options
...
.fi
.LP
Both the global configuration and each backend-specific section can contain
access information.
Backend-specific access control directives are used for those entries
that belong to the backend, according to their naming context.
In case no access control directives are defined for a backend,
the appropriate directives from the global configuration section
are used.
.LP
Arguments that should be replaced by actual text are shown in brackets <>.
The structure of the access control directives is
.TP
.B access to <what> [ by <who> <access> [ <control> ] ]+
Grant access (specified by
.BR <access> )
to a set of entries and/or attributes (specified by
.BR <what> )
by one or more requestors (specified by
.BR <who> ).
.LP
The field
.BR <what>
specifies the entity the access control directive applies to.
It can have the forms
.LP
.nf
*
[dn[.<dnstyle>]=<pattern>]
[filter=<ldapfilter>]
[attrs=<attrlist>]
.fi
.LP
The wildcard
.B *
stands for all the entries.
.LP
The statement
.B dn=<pattern>
selects the entries based on their naming context.
The optional style qualificator
.B <dnstyle>
can be
.BR regex ,
which implies a regex (7)
.B pattern
will be used (the default),
.B base
or
.B exact
(an alias of
.BR base )
for an exact match of the entry,
.B one
to indicate all the entries immediately below the
.BR pattern ,
.B sub
to indicate all the subentries of an entry including the entry itself,
.B children
to indicate all the subentries of an entry not including the entry itself.
Note that
.B dn=".*"
is equivalent to
.BR * .
The regex form of the pattern does not support UTF-8 (7) yet.
.LP
The statement
.B filter=<ldapfilter>
selects the entries based on a valid LDAP filter as described in RFC 2254.
.LP
The statement
.B attrs=<attrlist>
selects the attributes the access control rule applies to.
It is a comma-separated list of attribute types, plus the special names
.BR entry ,
indicating access to the entry itself, and
.BR children ,
indicating access to the entry's children.
.LP
The last three statements are additive; they can be used in sequence
to select entities the access rule applies to based on naming context,
value and attribute type simultaneously.
.LP
The field
.B <who>
indicates whom the access rules apply to.
Multiple
.B <who>
statements can appear in an access control statement, indicating the
different access privileges to the same resource that apply to different
accessee.
It can have the forms
.LP
.nf
*
anonymous
users
self
dn[.<dnstyle>]=<pattern>
dnattr=<attrname>
group[/<objectclass>[/<attrname>]][(<groupflags>)]
[.<style>]=<pattern>
peername[.<style>]=<pattern>
sockname[.<style>]=<pattern>
domain[.<style>]=<pattern>
sockurl[.<style>]=<pattern>
set[.<style>]=<pattern>
aci=<attrname>
ssf=<n>
transport_ssf=<n>
tls_ssf=<n>
sasl_ssf=<n>
.fi
.LP
The wildcard
.B *
refers to everybody.
.LP
The keyword
.B anonymous
means access is granted to unauthenticated users; it is moslty used
to limit access to authentication resources (e.g. the
.B userPassword
attribute) to unauthenticated users for authentication purposes.
.LP
The keyword
.B users
means access is granted to authenticated users.
.LP
The keyword
.B self
means access to an entry is allowed to the entry itself (e.g. the entry
being accessed and the requesting entry must be the same).
.LP
The statement
.B dn=<pattern>
means that access is granted to the matching dn.
The optional style qualificator
.B dnstyle
allows the same choices of the dn form of the
.B <what>
field.
In detail, the
.B regex
form of
.B pattern
can exploit substring substitution of submatches in the
.B <what>
dn by using the form
.BR $<digit> ,
with
.B digit
ranging from 1 to 9.
.LP
The statement
.B dnattr=<attrname>
means that access is granted to requests whose dn is listed in the
entry being accessed under the
.B attrname
attribute.
.LP
The statement
.B group=<pattern>
means that access is granted to requests whose dn is listed
in the group entry whose dn is given by
.BR pattern .
The optional parameters
.B objectclass
and
.B attrname
define the objectClass and the member attributeType of the group entry.
The optional
.B groupflags
field defines extra parameters; at present, only
.B R
is defined, which allows recursion in searching for group membership.
If the
.B R
flag is set, in case the requesting dn is not listed in the members
of the
.B pattern
group, the members of that group are recursively searched.
The optional style qualificator
.B style
can be
.BR regex ,
which means that
.B pattern
will be expanded accorging to regex (7), and
.B base
or
.B exact
(an alias of
.BR base ),
which means that an exact match will be used.
.LP
The statements
.BR peername=<pattern> ,
.BR sockname=<pattern> ,
.BR domain=<pattern> ,
and
.BR sockurl=<pattern>
mean that the contacting host IP for
.BR peername ,
the named pipe file name for
.BR sockname ,
the contacting host name for
.BR domain ,
and the contacting URL for
.BR sockurl
are compared against
.B pattern
to determine access.
The same
.B style
rules for pattern match described for the
.B group
case apply.
.LP
The statement
.B set=<pattern>
is undocumented.
.LP
The statement
.B aci=<attrname>
means that the access control is determined by the values in the
.B attrname
of the entry itself.
ACIs are experimental; they must be enabled at compile time.
.LP
The statements
.BR ssf=<n> ,
.BR transport_ssf=<n> ,
.BR tls_ssf=<n> ,
and
.BR sasl_ssf=<n>
set the required Security Strenght Factor (ssf) required to grant access.
.LP
The field
.B <access> ::= [self]{<level>|<priv>}
determines the access level or the specific type of access the
.B who
field will have.
.LP
The optional field
.B <control>
controls the flow of access rule application.
It can have the forms
.LP
.nf
stop
continue
break
.fi
.LP
where
.BR stop ,
the default, means access checking stops in case of match (is it correct?).
.SH FILES
/usr/local/etc/openldap/slapd.conf
.SH SEE ALSO
.BR slapd (8),
.LP
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
.SH ACKNOWLEDGEMENTS
.B OpenLDAP
is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
.B OpenLDAP
is derived from University of Michigan LDAP 3.3 Release.