OpenLDAP supports two modes of defining access. The general form of the access specifier clause is:

    [self]{level|priv}

The special modifier self grants access to self-owned attribute values, such as the member attribute in a group.
While the access level model implements incremental access (higher access includes lower access levels), the privilege model requires that an administrator explicitly define access for each permission using the =, +, and - operators to reset, add, and remove permissions, respectively (see Table E-3).
| Access level | Privilege | Permission granted |
|---|---|---|
| write | w | Access to update attribute values (e.g., change this telephoneNumber to 555-2345). |
| read | r | Access to read search results (e.g., Show me all the entries with a telephoneNumber of 555*). |
| search | s | Access to apply search filters (e.g., Are there any entries with a telephoneNumber of 555*?). |
| compare | c | Access to compare attributes (e.g., Is your telephoneNumber 555-1234?). |
| auth | x | Access to bind (authenticate). This requires that the client send a username in the form of a DN and some type of credentials to prove his or her identity. |
| none | | No access. |
Control flow from one access rule to the next can be managed by the keywords stop, continue, and break (see Table E-4).
| Keyword | Meaning |
|---|---|
| break | Allows other access clauses to be processed |
| continue | Allows additional "who" clauses within the current access rule to be processed |
| stop | Stops access check upon a match (default) |
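To make the two passages above concrete (the incremental level model versus the explicit =, +, - privilege operators, and the effect of stop, continue and break), here is an added Python model of how slapd resolves a request against a list of access directives. It is not OpenLDAP code: "what" and "who" matching is reduced to exact strings or "*", the rule set is constructed for the demo, and a directive whose "by" clauses are exhausted without a stop is treated as ending in slapd's implicit "by * none".

```python
LEVELS = {"none": "", "auth": "x", "compare": "cx", "search": "scx",
          "read": "rscx", "write": "wrscx"}   # each level includes the ones below

def apply_access(spec, current):
    """Apply one [self]{level|priv} specifier to the set granted so far."""
    spec = spec.removeprefix("self")   # 'self' changes who matches, not the privileges
    if spec in LEVELS:                 # level form resets the set, like '='
        return set(LEVELS[spec])
    op, privs = spec[:1], spec[1:]
    if op not in "=+-" or not privs or set(privs) - set("wrscx"):
        raise ValueError(f"bad access specifier: {spec!r}")
    if op == "=":
        return set(privs)
    return current | set(privs) if op == "+" else current - set(privs)

def evaluate(rules, what, who):
    """rules: [(what, [(who, access, control), ...]), ...] in slapd.conf order."""
    granted, matched = set(), False
    for rule_what, by_clauses in rules:
        if rule_what not in ("*", what):
            continue
        matched = True
        for clause_who, access, control in by_clauses:
            if clause_who not in ("*", who):
                continue
            granted = apply_access(access, granted)
            if control == "continue":   # keep evaluating this rule's later 'by' clauses
                continue
            if control == "break":      # carry the result into the next access directive
                break
            return granted              # 'stop' (default): the first match decides
        else:
            return set()                # no clause stopped here: implicit trailing 'by * none'
    return granted if matched else set()  # no directive matched at all: denied

# Constructed rule set in slapd.conf order; "what" is an attribute name,
# "who" is a bare label such as "self", "helpdesk" or "anonymous".
RULES = [
    ("userPassword", [("self", "=wx", "stop"), ("*", "auth", "stop")]),
    ("telephoneNumber", [("helpdesk", "=w", "continue"), ("*", "+rscx", "stop")]),
    ("*", [("anonymous", "auth", "break"), ("*", "read", "stop")]),
    ("*", [("anonymous", "+c", "stop")]),
]

if __name__ == "__main__":
    for what, who in [("userPassword", "self"), ("telephoneNumber", "helpdesk"),
                      ("mail", "anonymous"), ("mail", "helpdesk")]:
        print(f"{who:>10} on {what:<16} -> {''.join(sorted(evaluate(RULES, what, who)))}")
```

Note how the helpdesk identity ends up with wrscx on telephoneNumber: the continue lets the second "by" clause add rscx on top of the =w already granted, whereas a level keyword in that second clause would have reset the set instead.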