E.3 How Much?
OpenLDAP supports two modes of defining access. The general form of the access specifier clause is:

    [self]{level|priv}

The special modifier self implies special access to self-owned attributes such as the member attribute in a group. While the access level model implements incremental access (higher access includes lower access levels), the privilege model requires that an administrator explicitly define access for each permission using the =, +, and - operators to reset, add, and remove permissions, respectively (see Table E-3).
Table E-3. Summary of access and privilege levels from most (top) to least (bottom)

| Access level | Privilege | Description                                                                                        |
|--------------|-----------|----------------------------------------------------------------------------------------------------|
| write        | w         | Access to update attribute values (e.g., change this telephoneNumber to 555-2345).                 |
| read         | r         | Access to read search results (e.g., Show me all the entries with a telephoneNumber of 555*).      |
| search       | s         | Access to apply search filters (e.g., Are there any entries with a telephoneNumber of 555*?).      |
| compare      | c         | Access to compare attributes (e.g., Is your telephoneNumber 555-1234?).                            |
| auth         | x         | Access to bind (authenticate). This requires that the client send a username in the form of a DN and some type of credentials to prove his or her identity. |
| none         |           | No access.                                                                                         |
Control flow from one access rule to the next can be managed by the keywords stop, continue, and break (see Table E-4).

Table E-4. Control flow keywords in access rules

| Keyword  | Effect                                                                            |
|----------|-----------------------------------------------------------------------------------|
| break    | Allows other access clauses to be processed                                       |
| continue | Allows additional "who" clauses within the current access rule to be processed    |
| stop     | Stops access check upon a match (default)                                         |
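The following is an added example, written for this appendix rather than taken from OpenLDAP or the book, that models both parts of this section: the incremental access levels and the =, +, - privilege operators of Table E-3, and the stop, continue and break keywords of Table E-4. To keep it self-contained it reduces "what" matching to a target string (with "*" matching anything) and "who" matching to a set of subject tags such as "users" or "admins" (again with "*" matching anyone); those simplifications, the sample rules, and the handling of a rule whose who clauses all miss are assumptions of the model, not a description of slapd's full matching logic.

```python
"""Added example (not OpenLDAP's code): a small model of the
[self]{level|priv} access specifier and of the stop/continue/break
control keywords from Tables E-3 and E-4.  Matching of "what" and
"who" clauses is reduced to a target string and a set of subject tags
(an assumption made so the model runs stand-alone)."""

from dataclasses import dataclass, field

# Table E-3, least to most access; each level implies every lower one.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
PRIV_OF_LEVEL = {"none": "", "auth": "x", "compare": "c",
                 "search": "s", "read": "r", "write": "w"}
PRIV_LETTERS = set("wrscx")


def level_privs(level):
    """Privilege letters granted by an access level (incremental model)."""
    idx = LEVELS.index(level)            # ValueError on an unknown level
    return {PRIV_OF_LEVEL[lv] for lv in LEVELS[:idx + 1]} - {""}


def apply_spec(current, spec):
    """Apply one [self]{level|priv} specifier to the privilege set
    `current`; return (new_set, is_self).

    A level name is absolute and replaces the set.  A privilege spec
    starts with =, + or - (reset, add, remove) followed by letters from
    Table E-3.  The self modifier is only parsed here, not enforced."""
    is_self = spec.startswith("self")
    if is_self:
        spec = spec[len("self"):]
    if spec in LEVELS:
        return level_privs(spec), is_self
    op, letters = spec[:1], set(spec[1:])
    if op not in ("=", "+", "-") or not letters or not letters <= PRIV_LETTERS:
        raise ValueError(f"bad access specifier: {spec!r}")
    if op == "=":
        return set(letters), is_self
    if op == "+":
        return current | letters, is_self
    return current - letters, is_self


@dataclass
class Who:
    subject: str            # a subject tag, or "*" for anyone
    access: str             # [self]{level|priv}
    control: str = "stop"   # Table E-4: stop (default), continue, break


@dataclass
class Rule:
    what: str               # the target, or "*" for anything
    clauses: list = field(default_factory=list)


def evaluate(rules, what, subject_tags):
    """Walk the rules in order and return the privilege letters the
    subject ends up with for `what`, following Table E-4."""
    privs = set()
    for rule in rules:
        if rule.what not in ("*", what):
            continue                     # rule does not cover this target
        matched = go_next = False
        for clause in rule.clauses:
            if clause.subject not in ("*", *subject_tags):
                continue                 # who clause does not match
            matched = True
            privs, _ = apply_spec(privs, clause.access)
            if clause.control == "stop":
                return privs             # first match ends the check
            if clause.control == "break":
                go_next = True           # fall through to the next rule
                break
            # "continue": keep scanning this rule's remaining who clauses
        if not go_next:
            # No break: this rule ends the check.  A rule whose who
            # clauses all miss denies access in this model (as if it
            # ended with "by * none"), which is slapd's documented default.
            return privs if matched else set()
    # Nothing covered the target; the global default is out of scope here
    # and the model simply reports whatever has been accumulated.
    return privs


# Constructed sample rules (not from any real slapd.conf).
SAMPLE_RULES = [
    Rule("attrs=userPassword", [Who("self", "write"),
                                Who("anonymous", "auth"),
                                Who("*", "none")]),
    Rule("attrs=mail", [Who("users", "=rscx", "continue"),
                        Who("admins", "+w", "break")]),
    Rule("*", [Who("users", "-x")]),
]

if __name__ == "__main__":
    print(sorted(level_privs("search")))                                # c s x
    print(sorted(evaluate(SAMPLE_RULES, "attrs=mail", {"users", "admins"})))
```

Two things the sample rules bring out: a privilege specifier is applied to whatever has already been accumulated, so `+w` reached directly (the `admins` tag alone on `attrs=mail`) grants only w, not read or search, whereas a level name such as `write` always yields the full incremental set; and `break` only hands control to the next rule, so if that rule's who clauses do not match either, the check ends with no access.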