OpenLDAP supports two modes of defining access. The general form of the access specifier clause is:
[self]{level|priv}
The special modifier self grants access only to self-owned attribute values, such as the requesting user's own entry in a group's member attribute.
While the access level model is incremental (a higher access level includes every lower level), the privilege model requires that an administrator define access for each permission explicitly, using the =, +, and - operators to reset, add, and remove permissions, respectively (see Table E-3).
Access level | Privilege | Permission granted
write | w | Access to update attribute values (e.g., change this
read | r | Access to read search results (e.g., Show me all the entries with a
search | s | Access to apply search filters (e.g., Are there any entries with a
compare | c | Access to compare attributes (e.g., Is your
auth | x | Access to bind (authenticate). This requires that the client send a username in the form of a DN and some type of credentials to prove his or her identity.
none | | No access.
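The difference between the two modes is easiest to see by expanding specifiers into the set of privilege letters they actually grant. The following is an added example, not code from the book or from the OpenLDAP project: it parses the [self]{level|priv} clause for the six levels and five privilege letters listed above (newer OpenLDAP releases add further levels, which are omitted here) and applies the =, +, and - operators against a current privilege set. The function names and the optional "current" argument are this example's own conventions.

```python
"""Expand OpenLDAP access specifiers ([self]{level|priv}) into privilege sets.

Added example; assumes only the levels/privileges in Table E-3 above.
"""
import re

# Access levels in increasing order; each level includes every level below it.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# The single privilege letter that each level adds on top of the one below it.
LEVEL_PRIV = {"auth": "x", "compare": "c", "search": "s", "read": "r", "write": "w"}

# Either a level name, or one operator followed by one or more privilege letters.
SPEC_RE = re.compile(
    r"^(?P<self>self)?"
    r"(?:(?P<level>none|auth|compare|search|read|write)"
    r"|(?P<op>[=+\-])(?P<privs>[xcsrw]+))$"
)


def level_privs(level):
    """Privileges granted by an access level (cumulative: read => r, s, c, x)."""
    idx = LEVELS.index(level)
    return frozenset(LEVEL_PRIV[lv] for lv in LEVELS[1 : idx + 1])


def parse_access(spec, current=frozenset()):
    """Return (is_self, privileges) for one access specifier.

    `current` is the privilege set already in effect; it matters only for the
    + and - operators, which add to or remove from it.  A level name or the
    = operator replaces it entirely.
    """
    m = SPEC_RE.match(spec)
    if not m:
        raise ValueError(f"not a valid access specifier: {spec!r}")
    is_self = m.group("self") is not None
    if m.group("level"):
        privs = level_privs(m.group("level"))
    else:
        op, letters = m.group("op"), set(m.group("privs"))
        if op == "=":
            privs = frozenset(letters)          # reset to exactly these
        elif op == "+":
            privs = frozenset(current | letters)  # add to current
        else:
            privs = frozenset(current - letters)  # remove from current
    return is_self, privs


def show(spec, current=frozenset()):
    """Human-readable expansion used by the demo below."""
    is_self, privs = parse_access(spec, current)
    letters = "".join(sorted(privs)) or "(nothing)"
    return f"{spec:>10} -> {'self ' if is_self else ''}{letters}"


if __name__ == "__main__":
    # Level model: one word grants everything below it.
    print(show("read"))        # r, s, c, x
    print(show("selfwrite"))   # self-owned values only, w plus all lower levels
    # Privilege model: "=r" grants read but NOT search, compare or auth,
    # which is the usual surprise when switching from the level model.
    print(show("=r"))
    print(show("+w", current=level_privs("read")))
    print(show("-w", current=level_privs("write")))
    print(show("none"))
```

Running the module prints the expansions; the useful observation is that "=r" and "read" are not equivalent, because the = operator resets the privilege set to exactly the listed letters while the level name carries the lower levels with it.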
Control flow from one access rule to the next can be managed by the keywords stop, continue, and break (see Table E-4).