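# master slapd config -- for testing
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2020 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.

include @SCHEMADIR@/core.schema
include @SCHEMADIR@/cosine.schema
include @SCHEMADIR@/inetorgperson.schema
include @SCHEMADIR@/openldap.schema
include @SCHEMADIR@/nis.schema
pidfile @TESTDIR@/slapd.1.pid
argsfile @TESTDIR@/slapd.1.args

# global ACLs
#
# normal installations should protect root dse, cn=monitor, cn=subschema
#
# NOTE(review): both rules below are deliberately permissive for the test run.
# The second one gives every client, anonymous included, read access to
# whatever the database ACLs leave undecided (no matching rule, or a final
# "break"). Do not carry them over into a deployment config.
#
# Layout matters in this file: a line that starts with whitespace continues
# the previous directive, and a comment or blank line ends it, so comments
# are only ever placed before an "access to" line, never between it and its
# "by" clauses.

access to dn.exact="" attrs=objectClass
    by users read
access to *
    by * read

#mod#modulepath ../servers/slapd/back-@BACKEND@/
#mod#moduleload back_@BACKEND@.la
#monitormod#modulepath ../servers/slapd/back-monitor/
#monitormod#moduleload back_monitor.la

#######################################################################
# database definitions
#######################################################################

database @BACKEND@

suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
# NOTE(review): cleartext test credential. The rootdn is not subject to the
# ACLs in this file, so outside a test fixture rootpw should hold a hashed
# value (as produced by slappasswd) and the config must not be world-readable.
rootpw secret
#~null~#directory @TESTDIR@/db.1.a
#indexdb#index objectClass eq
#indexdb#index cn,sn,uid pres,eq,sub
#ndb#dbname db_1
#ndb#include @DATADIR@/ndb.conf
# Also run ACL checks on the content of entries being added (off by default).
add_content_acl on

# ACL reading guide for the rules below:
#   privilege letters: d=disclose x=auth c=compare s=search r=read
#                      w=write (a=add + z=delete) m=manage
#   "=xyz" sets exactly those privileges, "+xyz" adds to what was accumulated
#   stop     - end evaluation (the default)
#   continue - go on to the next "by" clause of the same rule
#   break    - go on to the next "access to" rule that matches
#   every rule ends with an implicit "by * none stop"

# objectClass values: only Bjorn Jensen gets the add level; every other
# identity is set to exactly read/search/compare and evaluation stops.
#access to attrs=objectclass dn.subtree="dc=example,dc=com"
access to attrs=objectclass
    by dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" add
    by * =rsc stop

# userPassword on person entries: anonymous clients may use it only to
# authenticate (bind); the entry owner may write and authenticate but cannot
# read the stored value back. No other identity matches a clause, so the
# implicit "by * none stop" denies everyone else.
#access to filter="(objectclass=person)" attrs=userpassword dn.subtree="dc=example,dc=com"
access to filter="(objectclass=person)" attrs=userpassword
    by anonymous auth
    by self =wx

# Value-dependent rules on cn of "Mark Elliot": each named reader may read
# only the one value selected by val=; "by * break" hands every other
# requester to the next matching rule, which caps them at search.
access to dn.exact="cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com"
    attrs=cn val="Mark A Elliot"
    by dn="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
    by * break

access to dn.exact="cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com"
    attrs=cn val="Mark Elliot"
    by dn="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
    by * break

access to dn.exact="cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com"
    attrs=cn
    by * search

# Same pattern for "John Doe", selecting values by regular expression.
access to dn.exact="cn=John Doe,ou=Information Technology Division,ou=People,dc=example,dc=com"
    attrs=cn val.regex="^John D.+"
    by dn="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
    by * break

access to dn.exact="cn=John Doe,ou=Information Technology Division,ou=People,dc=example,dc=com"
    attrs=cn val.regex="^Jonath.+"
    by dn="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
    by * break

access to dn.exact="cn=John Doe,ou=Information Technology Division,ou=People,dc=example,dc=com"
    attrs=cn
    by * search

# Scope + filter + value regex combined: cn values ending in "Jensen" on
# entries one level below the IT division are readable by the two Jensens;
# everyone else breaks out to later rules.
access to dn.onelevel="ou=Information Technology Division,ou=People,dc=example,dc=com"
    filter="(cn=*Jensen)"
    attrs=cn val.regex=".*Jensen$"
    by dn="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
    by dn="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
    by * break

access to dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com"
    attrs=cn
    by * search

# Incremental privileges: each matching clause adds to the accumulated set
# and continues to the next clause; the final clause adds nothing and stops.
access to dn.children="ou=Alumni Association,ou=People,dc=example,dc=com"
    by dn.regex=".+,dc=example,dc=com" +c continue
    by dn.subtree="dc=example,dc=com" +rs continue
    by dn.children="dc=example,dc=com" +d continue
    by * stop

# Group membership attributes: selfwrite lets an identity add or remove only
# its own DN. It is granted to one named user and to any DN already listed in
# the entry's member / uniquemember attribute; everyone else may read.
#access to attrs=member,uniquemember dn.subtree="dc=example,dc=com"
access to attrs=member,uniquemember
    by dn.exact="cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com" selfwrite
    by dnattr=member selfwrite
    by dnattr=uniquemember selfwrite
    by * read

# NOTE(review): the rule above already matches these attributes on every
# entry and ends in a stop, so this one looks unreachable; presumably it is
# kept to exercise parsing of attrs= combined with filter= -- confirm against
# the test script.
#access to attrs=member,uniquemember filter="(mail=*com)" dn.subtree="dc=example,dc=com"
access to attrs=member,uniquemember filter="(mail=*com)"
    by * read

# Group entries: the dn.exact clause sets Bjorn Jensen to exactly
# search/compare and continues; the dn.regex clause, which matches the same
# DN, then adds read/write and stops. Everyone else breaks to later rules.
#access to filter="(|(objectclass=groupofnames)(objectClass=groupofuniquenames))" dn.subtree="dc=example,dc=com"
access to filter="(|(objectclass=groupofnames)(objectClass=groupofuniquenames))"
    by dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" =sc continue
    by dn.regex="^cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com$" +rw stop
    by * break

# Group-based write: uniqueMember values of the "ITD Staff" group may write
# entries below the IT division; everyone else may read.
access to dn.children="ou=Information Technology Division,ou=People,dc=example,dc=com"
    by group/groupOfUniqueNames/uniqueMember.exact="cn=ITD Staff,ou=Groups,dc=example,dc=com" write
    by * read

# Set-based write: the bound user must be in the member set of the group
# entry itself (the trailing * follows member references recursively).
access to dn.exact="cn=Alumni Assoc Staff,ou=Groups,dc=example,dc=com"
    by set="[cn=Alumni Assoc Staff,ou=Groups,dc=example,dc=com]/member* & user" write
    by * read

# Single clause that changes no privilege; presumably present to exercise
# substring-filter parsing in the ACL parser -- confirm against the test script.
#access to filter="(name=X*Y*Z)" dn.subtree="dc=example,dc=com"
access to filter="(name=X*Y*Z)"
    by * continue

# add and delete granted separately, each to a different identity; write
# covers both.
access to dn.subtree="ou=Add & Delete,dc=example,dc=com"
    by dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" add
    by dn.exact="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" delete
    by dn.exact="cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com" write
    by * read

# fall into global ACLs

#monitor#database monitor
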