18.10. Defining Permissions
Permission rules define the rights that are associated with the ACI and whether access is allowed or denied.
In an ACI, the permission_rule part of the following syntax is the permission rule:
(target_rule) (version 3.0; acl "ACL_name"; permission_rule bind_rules;)
Syntax
The general syntax of a permission rule is:
permission (rights)
permission
: Sets whether the ACI allows or denies the permission.
rights
: Sets the rights which the ACI allows or denies. See Section 18.10.1, “User rights”.
Example 18.11. Defining Permissions
To enable users stored in the ou=People,dc=example,dc=com entry to search and display all attributes in their own entry:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///ou=People,dc=example,dc=com") (version 3.0;
 acl "Allow users to read and search attributes of own entry"; allow (search, read)
 (userdn = "ldap:///self");)
18.10.1. User rights
The rights in a permission rule define what operations are granted or denied. In an ACI, you can set one or multiple of the following rights:
Right | Description |
---|---|
read | Sets whether users can read directory data. This permission applies only to search operations in LDAP. |
write | Sets whether users can modify an entry by adding, modifying, or deleting attributes. This permission applies to the modify and modrdn operations in LDAP. |
add | Sets whether users can create an entry. This permission applies only to the add operation in LDAP. |
delete | Sets whether users can delete an entry. This permission applies only to the delete operation in LDAP. |
search | Sets whether users can search for directory data. To view data returned as part of a search result, assign search and read rights. This permission applies only to search operations in LDAP. |
compare | Sets whether the users can compare data they supply with data stored in the directory. With compare rights, the directory returns a success or failure message in response to an inquiry, but the user cannot see the value of the entry or attribute. This permission applies only to the compare operation in LDAP. |
selfwrite | Sets whether users can add or delete their own DN from a group. This right is used only for group management. |
proxy | Sets whether the specified DN can access the target with the rights of another entry. The proxy right is granted within the scope of the ACL, and the user or group who has the right granted can run commands as any Directory Server user. You cannot restrict the proxy rights to certain users. For security reasons, set ACIs that use the proxy right at the most targeted level of the directory. |
all | Sets all of the rights, except proxy. |
18.10.2. Rights Required for LDAP Operations
This section describes the rights you must grant to users depending on the type of LDAP operation you want to authorize them to perform.
- Adding an entry:
  - Grant add permission on the entry that you want to add.
  - Grant write permission on the value of each attribute in the entry. This right is granted by default but can be restricted using the targattrfilters keyword.
- Deleting an entry:
  - Grant delete permission on the entry that you want to delete.
  - Grant write permission on the value of each attribute in the entry. This right is granted by default but can be restricted using the targattrfilters keyword.
- Modifying an attribute in an entry:
  - Grant write permission on the attribute type.
  - Grant write permission on the value of each attribute type. This right is granted by default but can be restricted using the targattrfilters keyword.
- Modifying the RDN of an entry:
  - Grant write permission on the entry.
  - Grant write permission on the attribute type that is used in the new RDN.
  - Grant write permission on the attribute type that is used in the old RDN, if you want to grant the right to delete the old RDN.
  - Grant write permission on the value of the attribute type that is used in the new RDN. This right is granted by default but can be restricted using the targattrfilters keyword.
- Comparing the value of an attribute:
  - Grant compare permission on the attribute type.
- Searching for entries:
  - Grant search permission on each attribute type used in the search filter.
  - Grant read permission on attribute types used in the entry.
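As an added example (not code from the Directory Server documentation), the following Python snippet parses the permission rule of an ACI, expands all into the individual rights of Section 18.10.1, and reports which rights from Section 18.10.2 an operation still lacks. It deliberately ignores targets and bind rules, assumes that a deny overrides an allow, and its constant and function names are my own.

```python
import re
# Every right from the table in Section 18.10.1; "all" expands to all of them except proxy.
ALL_RIGHTS = {"read", "write", "add", "delete", "search", "compare", "selfwrite", "proxy"}
# Rights each operation needs (Section 18.10.2); per-value write checks fold into "write".
REQUIRED = {
    "add": {"add", "write"},
    "delete": {"delete", "write"},
    "modify": {"write"},
    "modrdn": {"write"},
    "compare": {"compare"},
    "search": {"search", "read"},
}
# Matches a permission rule such as "allow (search, read)" or "deny(write)".
PERM_RE = re.compile(r"\b(allow|deny)\s*\(\s*([a-z,\s]+?)\s*\)")

def parse_permissions(aci):
    """Return [(kind, rights)] for every permission rule found in an ACI string."""
    rules = []
    for kind, rights in PERM_RE.findall(aci):
        names = {r.strip() for r in rights.split(",") if r.strip()}
        unknown = names - ALL_RIGHTS - {"all"}
        if unknown:
            raise ValueError(f"unknown right(s) in ACI: {sorted(unknown)}")
        if "all" in names:  # "all" never includes proxy
            names = (names - {"all"}) | (ALL_RIGHTS - {"proxy"})
        rules.append((kind, names))
    return rules

def effective_rights(acis):
    """Rights left after applying all ACIs; assumption: a deny overrides any allow."""
    allowed, denied = set(), set()
    for aci in acis:
        for kind, rights in parse_permissions(aci):
            (allowed if kind == "allow" else denied).update(rights)
    return allowed - denied

def missing_rights(acis, operation):
    """Required rights (Section 18.10.2) the ACIs do not grant; empty means permitted."""
    return REQUIRED[operation] - effective_rights(acis)

# The two ACIs shown on this page; targets and bind rules are ignored by this checker.
SELF_READ_ACI = ('(target = "ldap:///ou=People,dc=example,dc=com") (version 3.0; '
                 'acl "Allow users to read and search attributes of own entry"; '
                 'allow (search, read) (userdn = "ldap:///self");)')
DENY_MODRDN_ACI = ('(target="ldap:///cn=*,ou=people,dc=example,dc=com") (version 3.0; '
                   'acl "Deny modrdn rights to the example group"; deny(write) '
                   'groupdn="ldap:///cn=example,ou=groups,dc=example,dc=com";)')
```

Because targets and bind rules are not evaluated, the result tells you only whether the rights arithmetic of a set of ACIs can permit an operation, not whether a given bind DN on a given entry actually gets it.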
18.10.3. Access Control and the modrdn Operation
To explicitly deny modrdn operations using ACIs, target the relevant entries but omit the targetattr keyword. For example, to add an ACI that denies the cn=example,ou=Groups,dc=example,dc=com group the right to rename entries in ou=people,dc=example,dc=com which contain the cn attribute:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///cn=*,ou=people,dc=example,dc=com") (version 3.0; acl "Deny modrdn rights to the example group"; deny(write) groupdn="ldap:///cn=example,ou=groups,dc=example,dc=com";)