
18.10. Defining Permissions


Permission rules define the rights that are associated with the ACI and whether access is allowed or denied.
In the general form of an ACI, the permission_rule element is the permission rule:
(target_rule) (version 3.0; acl "ACL_name"; permission_rule bind_rules;)

Syntax

The general syntax of a permission rule is:
permission (rights)

Example 18.11. Defining Permissions

To enable users stored under the ou=People,dc=example,dc=com entry to search and display all attributes of their own entry:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///ou=People,dc=example,dc=com") (version 3.0;
 acl "Allow users to read and search attributes of own entry"; allow (search, read)
 (userdn = "ldap:///self");)

18.10.1. User rights

The rights in a permission rule define which operations are granted or denied. In an ACI, you can set one or more of the following rights:

Table 18.1. User Rights

Right      Description
read       Sets whether users can read directory data. This permission applies only to search operations in LDAP.
write      Sets whether users can modify an entry by adding, modifying, or deleting attributes. This permission applies to the modify and modrdn operations in LDAP.
add        Sets whether users can create an entry. This permission applies only to the add operation in LDAP.
delete     Sets whether users can delete an entry. This permission applies only to the delete operation in LDAP.
search     Sets whether users can search for directory data. To view data returned as part of a search result, assign both the search and read rights. This permission applies only to search operations in LDAP.
compare    Sets whether users can compare data they supply with data stored in the directory. With compare rights, the directory returns only a success or failure message in response to the inquiry; the user cannot see the value of the entry or attribute. This permission applies only to the compare operation in LDAP.
selfwrite  Sets whether users can add or delete their own DN from a group. This right is used only for group management.
proxy      Sets whether the specified DN can access the target with the rights of another entry. The proxy right is granted within the scope of the ACL, and the user or group that has the right granted can run commands as any Directory Server user. You cannot restrict proxy rights to certain users. For security reasons, set ACIs that use the proxy right at the most targeted level of the directory.
all        Sets all of the rights, except proxy.
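The following Python helper is an added example, not Red Hat or Directory Server code. It extracts the allow/deny rules from an ACI string, expands all as Table 18.1 defines it (every right except proxy), rejects right names that are not in the table, and flags the combinations the table warns about: a proxy grant, and search granted without read (or read without search), which returns no attribute values. The two ACI strings it is run against are copied from this section; the function names and review messages are assumed for illustration.

```python
"""Parse and sanity-check the permission rules of a Directory Server ACI.

Added example, not Red Hat or 389 Directory Server code. It understands only
the permission-rule syntax shown in this section, `allow|deny (rights)`, and
the right names in Table 18.1; the target and bind rules are ignored.
"""
import re
from typing import List, Tuple

RIGHTS = {"read", "write", "add", "delete", "search", "compare", "selfwrite", "proxy", "all"}
# Table 18.1: "all" sets every right except proxy.
ALL_EXPANDS_TO = frozenset(RIGHTS - {"all", "proxy"})

# An ACI may carry several permission rules, each "allow (...)" or "deny(...)".
# The quoted acl name is stripped first so a name such as "Allow users to read"
# can never be mistaken for a rule.
_ACL_NAME = re.compile(r'acl\s*"[^"]*"', re.IGNORECASE)
_PERMISSION = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)', re.IGNORECASE)


def parse_permissions(aci: str) -> List[Tuple[str, frozenset]]:
    """Return [(action, rights)] in document order, with 'all' expanded."""
    body = _ACL_NAME.sub("", aci)
    rules = []
    for m in _PERMISSION.finditer(body):
        action = m.group(1).lower()
        rights = {r.strip().lower() for r in m.group(2).split(",") if r.strip()}
        unknown = rights - RIGHTS
        if unknown:
            raise ValueError(f"unknown right(s) {sorted(unknown)} in {m.group(0)!r}")
        if "all" in rights:
            rights = (rights - {"all"}) | ALL_EXPANDS_TO
        rules.append((action, frozenset(rights)))
    if not rules:
        raise ValueError("no permission rule found in ACI")
    return rules


def review(aci: str) -> List[str]:
    """Warnings a reviewer would raise, based on the descriptions in Table 18.1."""
    notes = []
    for action, rights in parse_permissions(aci):
        if action != "allow":
            continue  # a deny never widens access
        if "proxy" in rights:
            notes.append("proxy: grantee can run commands as any Directory Server user; "
                         "scope this ACI to the most targeted level possible")
        if "search" in rights and "read" not in rights:
            notes.append("search without read: entries match but no attribute values are returned")
        if "read" in rights and "search" not in rights:
            notes.append("read without search: no attribute can be used in a filter, "
                         "so read alone returns nothing")
    return notes


# The two ACIs from this section, copied verbatim.
SELF_ACI = ('(target = "ldap:///ou=People,dc=example,dc=com") (version 3.0; '
            'acl "Allow users to read and search attributes of own entry"; allow (search, read) '
            '(userdn = "ldap:///self");)')
DENY_ACI = ('(target="ldap:///cn=*,ou=people,dc=example,dc=com") (version 3.0; '
            'acl "Deny modrdn rights to the example group"; '
            'deny(write) groupdn="ldap:///cn=example,ou=groups,dc=example,dc=com";)')

if __name__ == "__main__":
    for aci in (SELF_ACI, DENY_ACI):
        print(parse_permissions(aci), review(aci))
```

Run it over the aci values exported from your directory (for example the output of an ldapsearch for the aci attribute) to find ACIs that grant proxy or that grant search without read.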

18.10.2. Rights Required for LDAP Operations

This section describes the rights you must grant to users depending on the type of LDAP operation you want to authorize them to perform.
  • Adding an entry:
    • Grant add permission on the entry that you want to add.
    • Grant write permission on the value of each attribute in the entry. This right is granted by default but can be restricted using the targattrfilters keyword.
  • Deleting an entry:
    • Grant delete permission on the entry that you want to delete.
    • Grant write permission on the value of each attribute in the entry. This right is granted by default but can be restricted using the targattrfilters keyword.
  • Modifying an attribute in an entry:
    • Grant write permission on the attribute type.
    • Grant write permission on the value of each attribute type. This right is granted by default but can be restricted using the targattrfilters keyword.
  • Modifying the RDN of an entry:
    • Grant write permission on the entry.
    • Grant write permission on the attribute type that is used in the new RDN.
    • Grant write permission on the attribute type that is used in the old RDN, if you want to grant the right to delete the old RDN.
    • Grant write permission on the value of attribute type that is used in the new RDN. This right is granted by default but can be restricted using the targattrfilters keyword.
  • Comparing the value of an attribute:
    • Grant compare permission on the attribute type.
  • Searching for entries:
    • Grant search permission on each attribute type used in the search filter.
    • Grant read permission on attribute types used in the entry.

18.10.3. Access Control and the modrdn Operation

To explicitly deny modrdn operations using ACIs, target the relevant entries but omit the targetattr keyword. For example, to add an ACI that denies the cn=example,ou=Groups,dc=example,dc=com group the right to rename entries under ou=people,dc=example,dc=com whose DN starts with cn=:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///cn=*,ou=people,dc=example,dc=com")
 (version 3.0; acl "Deny modrdn rights to the example group";
 deny(write) groupdn="ldap:///cn=example,ou=groups,dc=example,dc=com";)
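The rights listed per operation in 18.10.2, combined with the deny technique in 18.10.3, are easy to get wrong once several ACIs overlap. The following Python model is an added example, not Directory Server code: it encodes the (right, attribute) pairs each operation needs exactly as 18.10.2 lists them, treats anything not explicitly allowed as denied and an explicit deny as overriding an allow, and reduces bind rules to a set of principal strings supplied by the caller (the bound DN, its group DNs, and the pseudo-principal "self" when the bound DN is the target entry). It assumes, as both ACIs on this page rely on, that an ACI with no targetattr keyword reaches the entry itself and all of its attributes, while an ACI with targetattr reaches only the listed attributes; targattrfilters value-level checks are granted by default and are not modelled. The GROUP_WRITE rule and the user DNs are constructed for the example.

```python
"""Toy evaluator for the rights-per-operation list in section 18.10.2.

Added example, not Directory Server code. It models only what this section
states: which (right, attribute) pairs an operation needs, that anything not
allowed is denied, and that an explicit deny beats an allow.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple

Need = Tuple[str, Optional[str]]  # (right, attribute); attribute None = the entry itself


@dataclass(frozen=True)
class Rule:
    action: str                              # "allow" or "deny"
    rights: FrozenSet[str]                   # rights from Table 18.1
    subjects: FrozenSet[str]                 # stand-in for the bind rule
    attrs: Optional[FrozenSet[str]] = None   # targetattr; None = keyword omitted (assumed: entry plus all attributes)


def required(op: str, **kw) -> Set[Need]:
    """(right, attribute) pairs the operation needs, per section 18.10.2."""
    if op == "add":
        return {("add", None)}
    if op == "delete":
        return {("delete", None)}
    if op == "modify":
        return {("write", a) for a in kw["attrs"]}
    if op == "compare":
        return {("compare", kw["attr"])}
    if op == "search":
        return ({("search", a) for a in kw["filter_attrs"]}
                | {("read", a) for a in kw["return_attrs"]})
    if op == "modrdn":
        need = {("write", None), ("write", kw["new_rdn_attr"])}
        if kw.get("delete_old_rdn"):          # deleting the old RDN value needs write on its type too
            need.add(("write", kw["old_rdn_attr"]))
        return need
    raise ValueError(f"unknown operation {op!r}")


def covers(rule: Rule, need: Need, principals: Set[str]) -> bool:
    right, attr = need
    if right not in rule.rights or not (rule.subjects & principals):
        return False
    if attr is None:          # entry-level right: only an ACI without targetattr reaches it (18.10.3)
        return rule.attrs is None
    return rule.attrs is None or attr in rule.attrs


def unmet(rules: List[Rule], principals: Set[str], op: str, **kw) -> Set[Need]:
    """Needs that are denied or simply not allowed; an empty set means the operation is permitted."""
    failed = set()
    for need in required(op, **kw):
        hits = [r for r in rules if covers(r, need, principals)]
        denied = any(r.action == "deny" for r in hits)
        allowed = any(r.action == "allow" for r in hits)
        if denied or not allowed:
            failed.add(need)
    return failed


# Constructed rules modelled on the page's two ACIs, plus one assumed allow.
GROUP = "cn=example,ou=groups,dc=example,dc=com"
SELF_READ = Rule("allow", frozenset({"search", "read"}), frozenset({"self"}))   # Example 18.11
DENY_RENAME = Rule("deny", frozenset({"write"}), frozenset({GROUP}))            # section 18.10.3
GROUP_WRITE = Rule("allow", frozenset({"write"}), frozenset({GROUP}))           # assumed: group may edit ou=People

ALICE_ON_SELF = {"uid=alice,ou=People,dc=example,dc=com", "self"}   # alice bound, target is her own entry
ALICE_ON_OTHER = {"uid=alice,ou=People,dc=example,dc=com"}          # alice bound, target is someone else
BOB_IN_GROUP = {"uid=bob,ou=People,dc=example,dc=com", GROUP}       # bob bound, member of cn=example

if __name__ == "__main__":
    print(unmet([SELF_READ], ALICE_ON_SELF, "search", filter_attrs={"uid"}, return_attrs={"cn", "mail"}))
    print(unmet([GROUP_WRITE, DENY_RENAME], BOB_IN_GROUP, "modrdn",
                new_rdn_attr="cn", old_rdn_attr="cn", delete_old_rdn=True))
```

The second call shows the point of 18.10.3: GROUP_WRITE alone would let the group rename entries, but adding the deny with no targetattr removes the entry-level write the modrdn needs, and the deny wins over the allow.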