tests/data/slapd-acl.conf

# provider slapd config -- for testing
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2021 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.

include		@SCHEMADIR@/core.schema
include		@SCHEMADIR@/cosine.schema
include		@SCHEMADIR@/inetorgperson.schema
include		@SCHEMADIR@/openldap.schema
include		@SCHEMADIR@/nis.schema
pidfile		@TESTDIR@/slapd.1.pid
argsfile	@TESTDIR@/slapd.1.args

# global ACLs
#
# normal installations should protect root dse, cn=monitor, cn=subschema
#

access		to dn.exact="" attrs=objectClass
		by users read
access		to *
		by * read

#mod#modulepath	../servers/slapd/back-@BACKEND@/
#mod#moduleload	back_@BACKEND@.la

#######################################################################
# database definitions
#######################################################################

database	@BACKEND@

suffix		"dc=example,dc=com"
rootdn		"cn=Manager,dc=example,dc=com"
rootpw		secret
#~null~#directory	@TESTDIR@/db.1.a
#indexdb#index		objectClass	eq
#indexdb#index		cn,sn,uid	pres,eq,sub
#ndb#dbname db_1
#ndb#include @DATADIR@/ndb.conf
add_content_acl	on
#access		to attrs=objectclass dn.subtree="dc=example,dc=com"
access		to attrs=objectclass
		by dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" add
		by * =rsc stop

#access		to filter="(objectclass=person)" attrs=userpassword dn.subtree="dc=example,dc=com"
access		to filter="(objectclass=person)" attrs=userpassword
		by anonymous auth
		by self =wx

access		to dn.exact="cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com"
			attrs=cn val="Mark A Elliot"
		by dn="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
		by * break

access		to dn.exact="cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com"
			attrs=cn val="Mark Elliot"
		by dn="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
		by * break

access		to dn.exact="cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com"
			attrs=cn
		by * search

access		to dn.exact="cn=John Doe,ou=Information Technology Division,ou=People,dc=example,dc=com"
			attrs=cn val.regex="^John D.+"
		by dn="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
		by * break

access		to dn.exact="cn=John Doe,ou=Information Technology Division,ou=People,dc=example,dc=com"
			attrs=cn val.regex="^Jonath.+"
		by dn="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
		by * break

access		to dn.exact="cn=John Doe,ou=Information Technology Division,ou=People,dc=example,dc=com"
			attrs=cn
		by * search

access		to dn.onelevel="ou=Information Technology Division,ou=People,dc=example,dc=com"
			filter="(cn=*Jensen)"
			attrs=cn val.regex=".*Jensen$"
		by dn="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
		by dn="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
		by * break

access		to dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com"
			attrs=cn
		by * search

access		to dn.children="ou=Alumni Association,ou=People,dc=example,dc=com"
		by dn.regex=".+,dc=example,dc=com" +c continue
		by dn.subtree="dc=example,dc=com" +rs continue
		by dn.children="dc=example,dc=com" +d continue
		by * stop

#access		to attrs=member,uniquemember dn.subtree="dc=example,dc=com"
access		to attrs=member,uniquemember
		by dn.exact="cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com" selfwrite
		by dnattr=member selfwrite
		by dnattr=uniquemember selfwrite
		by * read

#access		to attrs=member,uniquemember filter="(mail=*com)" dn.subtree="dc=example,dc=com"
access		to attrs=member,uniquemember filter="(mail=*com)"
		by * read

#access		to filter="(|(objectclass=groupofnames)(objectClass=groupofuniquenames))" dn.subtree="dc=example,dc=com"
access		to filter="(|(objectclass=groupofnames)(objectClass=groupofuniquenames))"
		by dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" =sc continue
		by dn.regex="^cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com$" +rw stop
		by * break

access		to dn.children="ou=Information Technology Division,ou=People,dc=example,dc=com"
		by group/groupOfUniqueNames/uniqueMember.exact="cn=ITD Staff,ou=Groups,dc=example,dc=com" write
		by * read

access		to dn.exact="cn=Alumni Assoc Staff,ou=Groups,dc=example,dc=com"
		by set="[cn=Alumni Assoc Staff,ou=Groups,dc=example,dc=com]/member* & user" write
		by * read

#access		to filter="(name=X*Y*Z)" dn.subtree="dc=example,dc=com"
access		to filter="(name=X*Y*Z)"
		by * continue

access		to dn.subtree="ou=Add & Delete,dc=example,dc=com"
		by dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" add
		by dn.exact="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" delete
		by dn.exact="cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com" write
		by * read

# fall into global ACLs

database	monitor