Access Control

Review the following information about access control:
The access configuration file directive controls access to the CA LDAP Server entries and attributes. The general form of an access line is as follows:
    <access directive> ::= access to <what> [by <who> <access> <control>]+
    <what>             ::= * | [dn[.<target style>]=<regex>] [filter=<ldapfilter>] [attrs=<attrlist>]
    <target style>     ::= regex | base | one | subtree | children
    <attrlist>         ::= <attr> | <attr> , <attrlist>
    <attr>             ::= <attrname> | entry | children
    <who>              ::= [* | anonymous | users | self | dn[.<subject style>]=<regex>]
                           [dnattr=<attrname>]
                           [group[/<objectclass>[/<attrname>][.<basic style>]]=<regex>]
                           [peername[.<basic style>]=<regex>]
                           [sockname[.<basic style>]=<regex>]
                           [domain[.<basic style>]=<regex>]
                           [sockurl[.<basic style>]=<regex>]
                           [set=<setspec>]
                           [aci=<attrname>]
    <subject style>    ::= regex | exact | base | one | subtree | children
    <basic style>      ::= regex | exact
    <access>           ::= [self]{<level>|<priv>}
    <level>            ::= none | auth | compare | search | read | write
    <priv>             ::= {=|+|-}{w|r|s|c|x}+
    <control>          ::= [stop | continue | break]
  • <what>
    Selects the entries and attributes to which the access applies.
  • <who>
    Specifies which entities are granted access.
  • <access>
    Specifies the access granted.
Multiple <who><access><control> triplets are supported, allowing many entities to be granted different access to the same set of entries and attributes.
What to Control Access To
The <what> part of an access specification determines the entries and attributes to which the access control applies. Select entries using two methods:
  • By a regular expression matching the distinguished name of the entry
  • By a filter matching some attributes in the entry
Examples
  • The following is an example of a regular expression:
dn=<regular expression>
The DN pattern that is specified should be normalized to the RFC2253 restricted DN form. Do not use extra spaces and commas to separate components.
  • The following is an example of a normalized DN:
cn=Babs Jensen,dc=example,dc=com
  • The following is an example of a non-normalized DN:
cn=Babs Jensen; dc=example; dc=com
  • The following is an example of a filter matching attributes:
filter=<ldap filter>
  • In this example, <ldap filter> is a string representation of a CA LDAP Server search filter, as described in RFC2254.
Attributes within an entry are selected by including a comma-separated list of attribute names in the <what> selector.
For example:
attrs=<attribute list>
Access to the entry itself must be granted or denied using the special attribute name "entry". Giving access to an attribute is not sufficient; access to the entry itself through the entry attribute is also required.
A special entry selector "*" is used to select any entry. This selector is assumed when no other <what> selector has been provided, and is equivalent to "dn=.*".
Who to Grant Access To
The <who> part identifies the entity or entities being granted access. Access is granted to "entities" not "entries." The following table summarizes entity specifiers:
    Specifier     Entities
    *             All, including anonymous and authenticated users
    anonymous     Anonymous (non-authenticated) users
    users         Authenticated users
    self          User associated with target entry
    dn=<regex>    Users matching regular expression
The DN specifier takes a regular expression which is used to match against the normalized DN of the current entity.
dn=<regular expression>
Normalized means that all extra spaces have been removed from the entity's DN and commas are used to separate RDN components.
Other control factors are also supported. For example, a <who> can be restricted by a regular expression matching the client's domain name:
domain=<regular expression>
A <who> can also be restricted to an entity listed in a DN-valued attribute of the entry to which the access applies:
dnattr=<dn-valued attribute name>
The dnattr specification permits access to an entry by any entity whose DN is listed in the named attribute of that entry. For example, access to a group entry can be given to whoever is listed as the owner of that group entry.
Access Types to Grant
The kind of <access> granted can be one of the following:
    Level      Privileges   Description
    none       N/A          no access
    auth       =x           needed to bind
    compare    =cx          needed to compare
    search     =scx         needed to apply search filters
    read       =rscx        needed to read search results
    write      =wrscx       needed to modify or rename
Each level includes all lower levels of access. For example, granting someone write access to an entry also grants them read, search, compare, and auth access. However, one can use the privileges specifier to grant specific permissions.
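The following access configuration puts the pieces above together (the <what> selectors, the self/anonymous/users/dnattr entity specifiers, the level hierarchy and the "entry" pseudo-attribute). It is an added example, not text from the CA LDAP Server documentation; the suffix dc=example,dc=com, the attribute names and the admin DN are assumed values.

```conf
# Added example; the directory suffix, attribute names and admin DN are assumed.

# Weak form, shown only for contrast: "read" on userPassword for "*" lets
# anonymous clients read and search the password attribute.
#
#   access to attrs=userPassword
#       by * read
#
# Corrected form: the owning user may change it ("self write"); every other
# entity gets only "auth" (=x), which is enough to bind but not to compare,
# search or read the value. Because each <access to> clause stops at the
# first matching <who>, the specific userPassword clause must come before
# the general clause at the bottom.
access to dn.subtree="dc=example,dc=com" attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Group entries: the entity named in the group's "owner" attribute may
# modify the group (dnattr); authenticated users may read it. "entry" is
# listed explicitly because granting access to attributes alone does not
# grant access to the entry itself.
access to dn.subtree="ou=groups,dc=example,dc=com" attrs=entry,cn,member,owner
    by dnattr=owner write
    by users read
    by * none

# Everything else under the suffix: the admin DN gets write (which implies
# read, search, compare and auth); authenticated users get read; anonymous
# clients get nothing. "stop" is the default <control> and is written out
# here only to show where evaluation ends.
access to dn.subtree="dc=example,dc=com"
    by dn.exact="cn=admin,dc=example,dc=com" write stop
    by users read
    by * none
```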