1. Home
  2. Server Administration
  3. ldap system administration

E.4 Examples

Grant authenticated users the capability to read the cn attribute with the following:

access to attrs=cn
     by users read

Grant a single, specified user the capability to write to all posixAccount entries below the ou=people container with the following. This does not include permission to add new entries directly below ou=people.

access to dn.children="ou=people,dc=plainjoe,dc=org"
    filter=(objectclass=posixAccount)
    by dn="uid=admin,ou=people,dc=plainjoe,dc=org" write

Grant everyone the capability to attempt to authenticate against an entry's password with the following. The owner of the entry should also be given read and write access.

access to attrs=userPassword
   by * +x continue
   by self +rw

Restrict access to the administration organizational unit to members of the admin groupOfNames object with the following:

access to dn.subtree="ou=administration,dc=plainjoe,dc=org"
    by group/groupOfNames/member= 
       "cn=admin,ou=group,dc=plainjoe,dc=org" write
    by * none


    		Preface
    		Part I: LDAP Basics
    		Part II: Application Integration
    		Part III: Appendixes
    		Appendix A. PAM and NSS
    		Appendix B. OpenLDAP Command-Line Tools
    		Appendix C. Common Attributes and Objects
    		Appendix D. LDAP RFCs, Internet-Drafts, and Mailing Lists
    		Appendix E. slapd.conf ACLs
    		E.1 What?
    		E.2 Who?
    		E.3 How Much?
    		E.4 Examples
    		Colophon