# master slapd config -- for testing
# OpenLDAP: pkg/ldap/tests/data/slapd-acl.conf,v 1.71.2.11 2010/04/19 19:14:26 quanah Exp
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2010 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.

# Fixture for the ACL test of the OpenLDAP test suite. It exercises
# attribute-, value-, filter- and scope-specific "access to" directives,
# the stop/continue/break controls and privilege accumulation ("=", "+").
# The @...@ tokens (schema dir, test dir, backend, data dir) and the
# "#tag#" line prefixes are presumably substituted / uncommented by the
# test harness for the selected backend -- confirm against the run script.

include		@SCHEMADIR@/core.schema
include		@SCHEMADIR@/cosine.schema
include		@SCHEMADIR@/inetorgperson.schema
include		@SCHEMADIR@/openldap.schema
include		@SCHEMADIR@/nis.schema
pidfile		@TESTDIR@/slapd.1.pid
argsfile	@TESTDIR@/slapd.1.args

# global ACLs
#
# normal installations should protect root dse, cn=monitor, cn=subschema
#
# Global directives are consulted only when no directive of the database
# section below decides the request (see "fall into global ACLs" at the
# end of that section). Directives are evaluated in order; the first one
# whose target matches decides, unless a "break" sends evaluation on.

# objectClass of the root DSE (dn "") is readable by authenticated users
# only -- "users" excludes anonymous binds.
access to dn.exact="" attrs=objectClass
	by users read
# Everything not matched above is readable by anyone, anonymous clients
# included. Acceptable for a throw-away test server only, as the comment
# above already notes.
access to *
	by * read

#mod#modulepath	../servers/slapd/back-@BACKEND@/
#mod#moduleload	back_@BACKEND@.la
#monitormod#modulepath	../servers/slapd/back-monitor/
#monitormod#moduleload	back_monitor.la

#######################################################################
# database definitions
#######################################################################

database	@BACKEND@

suffix		"dc=example,dc=com"
# The rootdn is not subject to any of the ACLs in this file.
rootdn		"cn=Manager,dc=example,dc=com"
# Cleartext password, fine only for a test fixture: a deployed slapd.conf
# should carry a hashed value (slappasswd output, e.g. a {SSHA} string).
rootpw		secret
#~null~#directory	@TESTDIR@/db.1.a
#bdb#index		objectClass	eq
#bdb#index		cn,sn,uid	pres,eq,sub
#hdb#index		objectClass	eq
#hdb#index		cn,sn,uid	pres,eq,sub
#ndb#dbname db_1
#ndb#include @DATADIR@/ndb.conf
# Also check ACLs against the content of entries being added (slapd
# leaves this off by default); presumably so that the "add" privilege
# granted on objectClass just below is actually enforced.
add_content_acl	on
# objectClass values: only Bjorn Jensen may add them. Everyone else gets
# exactly read/search/compare ("=rsc") and evaluation stops there, so no
# other identity can write this attribute.
#access to attrs=objectclass dn.subtree="dc=example,dc=com"
access to attrs=objectclass
	by dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" add
	by * =rsc stop

# userPassword on person entries: anonymous clients may only use it to
# bind ("auth" -- no read), the entry's own user may change it and bind
# with it ("=wx"). No other "by" clause matches, so all other identities
# are denied; the hash itself is never readable through these ACLs.
#access to filter="(objectclass=person)" attrs=userpassword dn.subtree="dc=example,dc=com"
access to filter="(objectclass=person)" attrs=userpassword
	by anonymous auth
	by self =wx

# Per-value ACLs on Mark Elliot's cn: Barbara Jensen may read the value
# "Mark A Elliot", Bjorn Jensen the value "Mark Elliot". For everyone
# else "break" moves on to the next directive, which makes cn searchable
# (but not readable) by all.
access to dn.exact="cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com"
	attrs=cn val="Mark A Elliot"
	by dn="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
	by * break

access to dn.exact="cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com"
	attrs=cn val="Mark Elliot"
	by dn="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
	by * break

access to dn.exact="cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com"
	attrs=cn
	by * search

# Same pattern with regex-matched values on John Doe's cn: Barbara reads
# values starting "John D", Bjorn values starting "Jonath"; all others
# break to the search-only directive.
access to dn.exact="cn=John Doe,ou=Information Technology Division,ou=People,dc=example,dc=com"
	attrs=cn val.regex="^John D.+"
	by dn="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
	by * break

access to dn.exact="cn=John Doe,ou=Information Technology Division,ou=People,dc=example,dc=com"
	attrs=cn val.regex="^Jonath.+"
	by dn="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
	by * break

access to dn.exact="cn=John Doe,ou=Information Technology Division,ou=People,dc=example,dc=com"
	attrs=cn
	by * search

# Scope + filter + value regex combined: entries directly under the ITD
# ou whose cn ends in "Jensen". Both Jensens may read the matching cn
# values; anyone else breaks to the following directives, where Bjorn's
# own cn is searchable by all.
access to dn.onelevel="ou=Information Technology Division,ou=People,dc=example,dc=com"
	filter="(cn=*Jensen)"
	attrs=cn val.regex=".*Jensen$"
	by dn="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
	by dn="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
	by * break

access to dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com"
	attrs=cn
	by * search

# Privilege accumulation with "continue" on entries below the Alumni ou:
# a bound DN ending in the suffix gains compare (+c), a DN within the
# suffix subtree gains read+search (+rs), a DN strictly below the suffix
# gains disclose (+d); the final clause then ends evaluation with
# whatever has been collected.
access to dn.children="ou=Alumni Association,ou=People,dc=example,dc=com"
	by dn.regex=".+,dc=example,dc=com" +c continue
	by dn.subtree="dc=example,dc=com" +rs continue
	by dn.children="dc=example,dc=com" +d continue
	by * stop

# Group membership attributes: James A Jones 1, and any user whose DN is
# already listed in member / uniqueMember ("dnattr"), may add or remove
# their own DN only ("selfwrite"); everyone else may read.
#access to attrs=member,uniquemember dn.subtree="dc=example,dc=com"
access to attrs=member,uniquemember
	by dn.exact="cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com" selfwrite
	by dnattr=member selfwrite
	by dnattr=uniquemember selfwrite
	by * read

# Same attributes narrowed by a mail filter. The directive above already
# matches these attributes for every subject and stops, so this one
# appears unreachable -- presumably present to exercise the parser.
#access to attrs=member,uniquemember filter="(mail=*com)" dn.subtree="dc=example,dc=com"
access to attrs=member,uniquemember filter="(mail=*com)"
	by * read

# Group entries: Bjorn Jensen matches the exact-DN clause (exactly
# search+compare, then "continue"), then the regex clause for the same
# DN adds read+write and stops. Everyone else breaks to the next directive.
#access to filter="(|(objectclass=groupofnames)(objectClass=groupofuniquenames))" dn.subtree="dc=example,dc=com"
access to filter="(|(objectclass=groupofnames)(objectClass=groupofuniquenames))"
	by dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" =sc continue
	by dn.regex="^cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com$" +rw stop
	by * break

# Group-based access: members of "ITD Staff" (a groupOfUniqueNames,
# membership looked up via uniqueMember, exact DN match) may write
# entries below the ITD ou; everyone else may read.
access to dn.children="ou=Information Technology Division,ou=People,dc=example,dc=com"
	by group/groupOfUniqueNames/uniqueMember.exact="cn=ITD Staff,ou=Groups,dc=example,dc=com" write
	by * read

# ACL set: the bound user may write the "Alumni Assoc Staff" entry when
# it is in that group's member attribute (the "*" presumably follows
# member recursively -- confirm against slapd.access(5)); others read.
access to dn.exact="cn=Alumni Assoc Staff,ou=Groups,dc=example,dc=com"
	by set="[cn=Alumni Assoc Staff,ou=Groups,dc=example,dc=com]/member* & user" write
	by * read

# Filter-only directive whose single clause carries no access level and
# only "continue"s: exercises the continue control; the level matching
# entries end up with is slapd's default for a clause without one.
#access to filter="(name=X*Y*Z)" dn.subtree="dc=example,dc=com"
access to filter="(name=X*Y*Z)"
	by * continue

# The two halves of write handed out separately: Bjorn Jensen gets only
# "add", Barbara Jensen only "delete", James A Jones 1 full write in
# this subtree; everyone else may read.
access to dn.subtree="ou=Add & Delete,dc=example,dc=com"
	by dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" add
	by dn.exact="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" delete
	by dn.exact="cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com" write
	by * read

# fall into global ACLs

#monitor#database	monitor