E.3 How Much?

OpenLDAP supports two modes of defining access. The general form of the access specifier clause is:

[self]{level|priv}

The optional self modifier (as in selfwrite) limits the permission to values that refer to the requesting user, such as the user's own DN in a group's member attribute.

While the access level model implements incremental access (higher access includes lower access levels), the privilege model requires that an administrator explicitly define access for each permission using the =, +, and - operators to reset, add, and remove permissions, respectively (see Table E-3).

Table E-3. Summary of access and privilege levels from most (top) to least (bottom)

    Access level   Privilege   Permission granted
    ------------   ---------   ------------------
    write          w           Access to update attribute values (e.g., change this telephoneNumber to 555-2345).
    read           r           Access to read search results (e.g., Show me all the entries with a telephoneNumber of 555*).
    search         s           Access to apply search filters (e.g., Are there any entries with a telephoneNumber of 555*?).
    compare        c           Access to compare attributes (e.g., Is your telephoneNumber 555-1234?).
    auth           x           Access to bind (authenticate). This requires that the client send a username in the form of a DN and some type of credentials to prove his or her identity.
    none                       No access.
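The following slapd.conf access directives are an added example, not from the book, showing both modes of Table E-3 side by side. The suffix dc=example,dc=com, the administrator DN, the ou=Groups subtree and the attribute choices are placeholder values.

```conf
# Added example (not from the book): slapd.conf access directives that use
# the two access modes from Table E-3. The suffix dc=example,dc=com, the DNs
# and the ou=Groups subtree are placeholder values.

# Access-level model (first column): levels are cumulative, so "write" for
# the entry's owner also implies read, search, compare and auth on
# userPassword. Anonymous clients get only auth, which is enough to bind
# but not to read the password hash, and everyone else gets nothing.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# The self modifier: a user whose own DN appears in a group's member
# attribute may add or remove only that DN (selfwrite), while other
# authenticated users may only read the membership list.
access to dn.subtree="ou=Groups,dc=example,dc=com" attrs=member,entry
    by dnattr=member selfwrite
    by users read

# Privilege model (second column): nothing is implied, so each permission
# is spelled out. "=wrsc" gives the administrator write, read, search and
# compare but not auth (x); "=rs" gives other authenticated users read and
# search only, so they can find entries but not update them.
access to attrs=telephoneNumber
    by dn.exact="cn=admin,dc=example,dc=com" =wrsc
    by users =rs
    by * none
```

Within each rule the "by" clauses are tried in order and the first match decides (the default stop behaviour of Table E-4), so the more specific clauses are listed before the wildcard.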

Control flow from one access rule to the next can be managed by the keywords stop, continue, and break (see Table E-4).

Table E-4. Control flow keywords in access rules

    Keyword    Meaning
    -------    -------
    break      Allows other access clauses to be processed
    continue   Allows additional "who" clauses within the current access rule to be processed
    stop       Stops access check upon a match (default)
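The directives below are an added example, not from the book, that walk through the three keywords of Table E-4 together with the incremental + and - privileges from Table E-3. slapd evaluates the first "access to" rule whose target matches, then that rule's "by" clauses in order; the DNs, attributes and the cn=Managers group are placeholder values.

```conf
# Added example (not from the book): the control-flow keywords from
# Table E-4. slapd evaluates the first "access to" rule whose target
# matches, then its "by" clauses in order. DNs, attributes and the
# cn=Managers group are placeholder values.

# stop (the default, written out here): the first matching "by" clause
# decides the result, so an anonymous client is denied even though the
# wildcard clause below would otherwise grant read.
access to attrs=mail
    by anonymous none stop
    by * read

# continue: evaluation goes on with the later "by" clauses of the same
# rule, which is what makes the incremental + and - privileges useful.
# The entry's owner first gains write (+w) and then, as an authenticated
# user, read and search (+rs) on top of it; other authenticated users
# get only read and search; anonymous clients fall through to none.
access to attrs=description
    by self +w continue
    by users +rs
    by * none

# break: this rule stops, but the next "access to" rule that matches the
# same target is evaluated too, and the privileges accumulated so far
# carry forward. Managers gain +w on homePhone here and then +rs from the
# general rule below; everyone else reaches the general rule with nothing
# accumulated. Without "by * none break", a non-manager would be denied by
# this rule's implicit "by * none" and would never reach the next rule.
access to dn.subtree="ou=People,dc=example,dc=com" attrs=homePhone
    by group.exact="cn=Managers,ou=Groups,dc=example,dc=com" +w break
    by * none break

access to dn.subtree="ou=People,dc=example,dc=com"
    by users +rs
    by * none
```

Note that a level-form keyword such as none or read replaces whatever has been accumulated, while +priv and -priv adjust it; mixing the two forms after a continue or break is the usual source of surprising results, so the wildcard clause that closes each rule is the one to check first.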