18.12. Defining Permissions

Permission rules define the rights that are associated with the ACI and whether access is allowed or denied.
In an ACI, the following highlighted part is the permission rule:
(target_rule) (version 3.0; acl "ACL_name"; permission_rule bind_rules;)

Syntax

The general syntax of a permission rule is:
permission (rights)

Example 18.11. Defining Permissions

To enable users stored in the ou=People,dc=example,dc=com entry to search and display all attributes in their own entry:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: dc=People,dc=example,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///ou=People,dc=example,dc=com") (version 3.0;
 acl "Allow users to read and search attributes of own entry"; allow (search, read)
 (userdn = "userdn = "ldap:///self");)

18.12.1. User rights

The rights in a permission rule define what operations are granted or denied. In an ACI, you can set one or multiple of the following rights:

Table 18.1. User Rights

Right Description
read Sets whether users can read directory data. This permission applies only to search operations in LDAP.
write Sets whether users can modify an entry by adding, modifying, or deleting attributes. This permission applies to the modify and modrdn operations in LDAP.
add Sets whether users can create an entry. This permission applies only to the add operation in LDAP.
delete Sets whether users can delete an entry. This permission applies only to the delete operation in LDAP.
search Sets whether users can search for directory data. To view data returned as part of a search result, assign search and read rights. This permission applies only to search operations in LDAP.
compare Sets whether the users can compare data they supply with data stored in the directory. With compare rights, the directory returns a success or failure message in response to an inquiry, but the user cannot see the value of the entry or attribute. This permission applies only to the compare operation in LDAP.
selfwrite Sets whether users can add or delete their own DN from a group. This right is used only for group management.
proxy
Sets whether the specified DN can access the target with the rights of another entry. The proxy right is granted within the scope of the ACL, and the user or group who as the right granted can run commands as any Directory Server user. You cannot restrict the proxy rights to certain users.
For security reasons, set ACIs that use the proxy right at the most targeted level of the directory.
all Sets all of the rights, except proxy.

18.12.2. Rights Required for LDAP Operations

This section describes the rights you must grant to users depending on the type of LDAP operation you want to authorize them to perform.
  • Adding an entry:
    • Grant add permission on the entry that you want to add.
    • Grant write permission on the value of each attribute in the entry. This right is granted by default but can be restricted using the targetattrfilters keyword.
  • Deleting an entry:
    • Grant delete permission on the entry that you want to delete.
    • Grant write permission on the value of each attribute in the entry. This right is granted by default but can be restricted using the targetattrfilters keyword.
  • Modifying an attribute in an entry:
    • Grant write permission on the attribute type.
    • Grant write permission on the value of each attribute type. This right is granted by default but can be restricted using the targetattrfilters keyword.
  • Modifying the RDN of an entry:
    • Grant write permission on the entry.
    • Grant write permission on the attribute type that is used in the new RDN.
    • Grant write permission on the attribute type that is used in the old RDN, if you want to grant the right to delete the old RDN.
    • Grant write permission on the value of attribute type that is used in the new RDN. This right is granted by default but can be restricted using the targetattrfilters keyword.
  • Comparing the value of an attribute:
    • Grant compare permission on the attribute type.
  • Searching for entries:
    • Grant search permission on each attribute type used in the search filter.
    • Grant read permission on attribute types used in the entry.

18.12.3. Access Control and the modrdn Operation

To explicitly deny modrdn operations using ACIs, target the relevant entries but omit the targetattr keyword. For example, to add an ACI that defines the cn=example,ou=Groups,dc=example,dc=com group, cannot rename entries in ou=people,dc=example,dc=com which contain the cn attribute:
ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///cn=*,ou=people,dc=example,dc=com")
 (version 3.0; acl "Deny modrdn rights to the example group";
 deny(write) groupdn="ldap:///cn=example,ou=groups,dc=example,dc=com";)