Normally, SLAPD is configured using Access Control Lists in the slapd.conf configuration file. There is a need to support some access control definitions dynamically within the directory itself. Novell eDirectory has LDAP ACLs as an attribute, so they're in an LDIF file. Similarly, Sun Java One Directory has "ACIs" which are also in the LDIF file. In both cases, since they are in the LDIF, they can be imported and exported just by searching or modifying the entries.
The aeSLAPD implementation of ACIs is very similar, and is supported in the Enterprise Server. The built-in attribute "OpenLDAPaci" is used:
attributetype ( 1.3.6.1.4.1.4203.666.1.5
    NAME 'OpenLDAPaci'
    DESC 'OpenLDAP access control information (experimental)'
    EQUALITY OpenLDAPaciMatch
    SYNTAX 1.3.6.1.4.1.4203.666.2.1
    USAGE directoryOperation )
The syntax of the attribute is:
OID#SCOPE#RIGHTS#TYPE#SUBJECT
An example of this is:
dn: uid=psmith,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgperson
uid: psmith
givenName: Phil
sn: Smith
cn: Phil Smith
mail: psmith@infoblox.com
userPassword: foobar
OpenLDAPaci: 1#entry#grant;r,w,s,c;[all]#group#cn=enterprise admins,ou=groups,o=acme
OpenLDAPaci: 2#entry#grant;r,w,s,c;[all]#group#cn=dallas admins,ou=groups,l=dallas,o=acme
OpenLDAPaci: 3#entry#grant;r,w,s,c;userPassword,mail;r,s,c;[all]#access-id#uid=user1,ou=People,dc=example,dc=com
OpenLDAPaci: 4#entry#grant;r,s,c;[all]#group#cn=all acme,ou=groups,o=acme
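The following is an added example, not part of the original page or of OpenLDAP itself. It parses OpenLDAPaci values into their five '#'-separated fields, validates the RIGHTS field as action;perms;attrs pairs, and then answers "may this bind DN do X to attribute Y?" for the four values on the entry above. The names Aci, parse_aci, allowed and check are hypothetical; the permission letters accepted are only the four the page uses; only the access-id and group subject types are modelled; the DN normalisation is deliberately crude; and the combination rule (any matching deny wins, otherwise any matching grant, nothing matching means no access) is an assumption used to illustrate how a deny interacts with a grant, not a statement of slapd's exact evaluation order. The fifth ACI value is constructed for that purpose.

```python
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Permission letters used by the ACIs on this page: r=read, w=write,
# s=search, c=compare.  Extend this set if your server accepts more.
VALID_PERMS = {"r", "w", "s", "c"}
VALID_SCOPES = {"entry", "children"}   # scopes this example accepts
VALID_ACTIONS = {"grant", "deny"}


@dataclass
class Aci:                      # hypothetical container, not an OpenLDAP type
    oid: str
    scope: str
    action: str
    # (permission letters, lower-cased attribute names or "[all]") pairs
    rules: List[Tuple[Set[str], Set[str]]]
    subject_type: str
    subject: str                # normalised DN


def norm_dn(dn: str) -> str:
    """Crude DN normalisation: strip spaces around ',' and '=', lower-case."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()


def parse_aci(value: str) -> Aci:
    """Split OID#SCOPE#RIGHTS#TYPE#SUBJECT.  SUBJECT is a DN and may itself
    contain '#', so split at most four times."""
    fields = value.split("#", 4)
    if len(fields) != 5:
        raise ValueError(f"expected 5 '#'-separated fields in {value!r}")
    oid, scope, rights, subject_type, subject = fields
    if scope not in VALID_SCOPES:
        raise ValueError(f"unknown scope {scope!r} in {value!r}")
    action, *pairs = rights.split(";")
    if action not in VALID_ACTIONS:
        raise ValueError(f"unknown action {action!r} in {value!r}")
    if not pairs or len(pairs) % 2:
        raise ValueError(f"RIGHTS must be action;perms;attrs[;perms;attrs...]: {rights!r}")
    rules = []
    for perms, attrs in zip(pairs[0::2], pairs[1::2]):
        pset = {p.strip() for p in perms.split(",") if p.strip()}
        unknown = pset - VALID_PERMS
        if unknown:
            raise ValueError(f"unknown permission letters {sorted(unknown)} in {rights!r}")
        aset = {a.strip().lower() for a in attrs.split(",") if a.strip()}
        if not pset or not aset:
            raise ValueError(f"empty permission or attribute list in {rights!r}")
        rules.append((pset, aset))
    return Aci(oid, scope, action, rules, subject_type, norm_dn(subject))


def subject_matches(aci: Aci, bind_dn: str, groups: List[str]) -> bool:
    """Only the two subject types that appear on this page are modelled."""
    if aci.subject_type == "access-id":
        return aci.subject == norm_dn(bind_dn)
    if aci.subject_type == "group":
        return aci.subject in {norm_dn(g) for g in groups}
    raise NotImplementedError(f"subject type {aci.subject_type!r} not modelled here")


def allowed(acis: List[Aci], bind_dn: str, groups: List[str], perm: str, attr: str) -> bool:
    """Entry-scope check.  Assumed combination rule: any matching deny wins,
    otherwise any matching grant; nothing matching means no access."""
    attr = attr.lower()
    granted = denied = False
    for aci in acis:
        if aci.scope != "entry" or not subject_matches(aci, bind_dn, groups):
            continue
        for perms, attrs in aci.rules:
            if perm in perms and ("[all]" in attrs or attr in attrs):
                if aci.action == "deny":
                    denied = True
                else:
                    granted = True
    return granted and not denied


# The four OpenLDAPaci values from the entry above, plus one constructed
# deny so that the grant/deny combination is exercised.
PAGE_ACIS = [
    "1#entry#grant;r,w,s,c;[all]#group#cn=enterprise admins,ou=groups,o=acme",
    "2#entry#grant;r,w,s,c;[all]#group#cn=dallas admins,ou=groups,l=dallas,o=acme",
    "3#entry#grant;r,w,s,c;userPassword,mail;r,s,c;[all]#access-id#uid=user1,ou=People,dc=example,dc=com",
    "4#entry#grant;r,s,c;[all]#group#cn=all acme,ou=groups,o=acme",
]
EXTRA_DENY = "5#entry#deny;w;mail#access-id#uid=user1,ou=People,dc=example,dc=com"  # constructed
ACIS = [parse_aci(v) for v in PAGE_ACIS + [EXTRA_DENY]]


def check(bind_dn: str, groups: List[str], perm: str, attr: str) -> bool:
    """Evaluate one (subject, permission, attribute) question against ACIS."""
    return allowed(ACIS, bind_dn, groups, perm, attr)


if __name__ == "__main__":
    for who, grp, p, a in [
        ("uid=user1,ou=People,dc=example,dc=com", [], "w", "userPassword"),
        ("uid=user1,ou=People,dc=example,dc=com", [], "w", "mail"),
        ("uid=user1,ou=People,dc=example,dc=com", [], "w", "cn"),
        ("uid=bob,ou=People,dc=example,dc=com", ["cn=all acme,ou=groups,o=acme"], "w", "cn"),
        ("uid=alice,ou=People,dc=example,dc=com", ["cn=enterprise admins,ou=groups,o=acme"], "w", "cn"),
    ]:
        print(f"{who:40} {p} on {a:13}: {check(who, grp, p, a)}")
```

Reading ACI 3 through the parser makes its shape visible: user1 gets r,w,s,c on userPassword and mail but only r,s,c on everything else, so a write to cn is refused even though the value "looks" like a full grant. The validator also rejects a RIGHTS field with an odd number of perms/attrs parts or an unknown permission letter, which is the kind of typo that otherwise silently changes who can write to userPassword.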