Skip to content Skip to site navigation

OpenLDAP ACL Examples

Writing Access Control Lists (ACLs) in OpenLDAP can be one of the most difficult tasks to undertake. One needs to really consider what goals they are trying to accomplish with their ACLs. The order of the ACL's can be of particular importance as well. It is very important to read the slapd.access(5) manpage, as it details ACL's and the possibilities in a very detailed manner. Here are some ACLs with commentary on what they do.

Access to Directory rootDSE

access to dn.base=""
        by * read

This ACL gives incoming connections the ability to read the rootDSE. It is very important to allow this, as incoming clients may need to obtain information from the base level (such as your supported SASL Mechs). The ".base" portion of the ACL restricts clients to querying only the top level

Access to Directory Monitor Statistics

access to dn.subtree="cn=monitor"
        by * read

This ACL says anyone can read from the monitor subtree. The monitor backend provides statistics that can be used to graphically represent how the LDAP server is behaving. The ".subtree" of the ACL means that all entries starting at "cn=monitor" can be read.

Read Access to Entire Directory

access to *
        by dn.base="cn=replicator,cn=Service,cn=Applications,dc=stanford,dc=edu" sasl_ssf=56 write
        by group.base="cn=Supervisor,cn=Applications,dc=stanford,dc=edu" sasl_ssf=56 read
        by group.base="cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu" sasl_ssf=56 read
        by dn.base="cn=RegistryDataAuditor,cn=Service,cn=Applications,dc=stanford,dc=edu" sasl_ssf=56 read
        by * break

This ACL is a bit more complex. It says that the above DN's have full read into the database. "sasl_ssf" says that a SASL security strength factor of 56 (56-bit encryption) is required for the operation to be successful. The "group.base" portion grants access to the distinguished names in the group.  LDAP groups are directory entries of objectClass groupOfNames and contain member attributes that are distinguished names.  The "by * break" line means that if a bound entity does not match the above rules, continue evaluating the ACL file.

Access to Selected Attributes and Entries

access to dn.children="cn=Accounts,dc=stanford,dc=edu" filter=(suSeasStatus=active) attrs=suSeasSunetID,suMailDrop
        by dn.base="cn=StanfordMailRouter,cn=Service,cn=Applications,dc=stanford,dc=edu" sasl_ssf=56 read
        by * break

This ACL adds a few more dimensions. The "filter" piece says that if "suSeasStatus" has a value "active", proceed. The "attrs" part says which attributes can be returned.

Access Using a Regular Expression

access to dn.children="cn=people,dc=stanford,dc=edu" attrs=suPrivilegeGroup val.regex="^stanford:.+"
        by group.base="cn=WebAuthPrivileged,cn=applications,dc=stanford,dc=edu" sasl_ssf=56 read
        by group.base="cn=WebAuthGeneral,cn=applications,dc=stanford,dc=edu" sasl_ssf=56 read
        by * break

This ACL states that read access is granted on the suPrivilegeGroup attribute when the values of the attribute start with stanford:. Other values of the suPrivilegeGroup will not be displayed via this ACL.

Access using Sets

access to dn.children="cn=people,dc=stanford,dc=edu"
    by set.exact="this/uid & user/uid" sasl_ssf=56 read

This ACL states that read access is granted to an entry in the cn=people,dc=stanford,dc=edu subtree when the value for uid in that entry matches the value for uid of the user that bound to the directory server. Sets are extremely powerful in the way in which they can be used. They are not currently well documented, and are somewhat experimental.

Anonymous Read Access Entries

access to dn.children="dc=example,dc=com"
    by domain.regex=example.com anonymous read
    by peername.ip=127.0.0.1 anonymous read

This ACL restricts access to the children of dc=example,dc=com to anonymous searches from hosts residing in example.com and to anonymous searches from localhost.

Last modified March 12, 2015