The ACL configuration is closely tied to the design of the DIT, and it is arguably the single most important part of an LDAP design. An ACL controls "who" may do "what" to "which" entries and attributes; in short, it is permission management. slapd evaluates the access to clauses in order and stops at the first one whose target matches, so a specific rule (such as the one for userPassword) has to appear before the catch-all access to *. Installing slapd from the Debian package already puts the following access list in place (in the userPassword rule, by anonymous auth lets an unauthenticated client use the attribute to bind without being able to read it).

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=example,dc=com" write
        by anonymous auth
        by self write
        by * none

# Ensure read access to the base for things like
# supportedSASLMechanisms.  Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read

# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="cn=admin,dc=example,dc=com" write
        by * read


With the default list, an anonymous simple bind (ldapsearch -x with no -D) can read the whole tree; only userPassword and shadowLastChange are withheld by the first rule:

ldapsearch -x -b "dc=example,dc=com"

To stop anonymous clients from reading the directory, comment out the two lines marked below. Every access to clause ends with an implicit by * none, so once by * read is gone everyone other than cn=admin is denied:

#access to dn.base="" by * read ← this one
access to *
        by dn="cn=admin,dc=example,dc=com" write
#        by * read ← and this one


Note: in this state the cn=admin DN appears to be able only to write, but it can read as well. Access levels in slapd are ordered (none < disclose < auth < compare < search < read < write < manage), so a grant of write includes read. Two further consequences of this change are worth knowing: the implicit by * none now applies to everyone except cn=admin, so ordinary authenticated users lose read access too (use by users read instead of by * read if that is not intended), and commenting out access to dn.base="" by * read hides the root DSE, so clients can no longer discover supportedSASLMechanisms, exactly as the comment in the default file warns.
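To make the first-match and level-ordering rules concrete, here is a small Python model of slapd's ACL evaluation added for this page. It is not OpenLDAP's code, only a re-implementation of the rules from slapd.access(5) that apply to the ACLs above, and it supports only the <what> and <who> forms used here. The ACL texts are the default list and the modified list from this page plus a constructed variant with by users read; the user DNs uid=alice and uid=bob are made up for the example.

```python
"""Toy model of slapd ACL evaluation (NOT OpenLDAP code).

Rules modelled, following slapd.access(5):
  * "access to" clauses are tried in order; the first whose <what> matches
    decides, and later clauses are never consulted.
  * Inside that clause the first matching "by" decides the level; if none
    matches, an implicit "by * none" applies.  If no "access to" clause
    matches at all, access is denied.
  * Levels are ordered, so "write" also satisfies "read", "search", ...
Only <what> = "*", "attrs=...", 'dn.base="..."' and <who> = "*", "anonymous",
"users", "self", 'dn="..."' are supported.  Sample DNs are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Privilege order from slapd.access(5); a higher index implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The userPassword rule shared by every variant (as quoted on this page).
PASSWORD_RULE = """
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=example,dc=com" write
        by anonymous auth
        by self write
        by * none
"""
DEFAULT_ACL = PASSWORD_RULE + """
access to dn.base="" by * read
access to *
        by dn="cn=admin,dc=example,dc=com" write
        by * read
"""
NO_ANON_READ_ACL = PASSWORD_RULE + """
#access to dn.base="" by * read
access to *
        by dn="cn=admin,dc=example,dc=com" write
#        by * read
"""
# Constructed alternative: anonymous gets nothing, authenticated binds read,
# and the root DSE stays readable so SASL mechanism discovery keeps working.
USERS_READ_ACL = PASSWORD_RULE + """
access to dn.base="" by * read
access to *
        by dn="cn=admin,dc=example,dc=com" write
        by users read
"""

@dataclass(frozen=True)
class Request:
    bind_dn: Optional[str]   # None means an anonymous bind
    target_dn: str           # entry being touched; "" is the root DSE
    attr: Optional[str]      # attribute being touched; None means the entry itself
    level: str               # privilege the operation needs, e.g. "read"

def parse_acl(text: str):
    """Return [(what, [(who, level), ...]), ...] in file order; '#' comments are dropped."""
    body = " ".join(line.split("#", 1)[0] for line in text.splitlines())
    rules = []
    for chunk in re.split(r"\baccess\s+to\s+", body)[1:]:
        what, *by_clauses = re.split(r"\s+by\s+", chunk.strip())
        rules.append((what.strip(), [tuple(c.split()) for c in by_clauses]))
    return rules

def _what_matches(what: str, req: Request) -> bool:
    if what == "*":
        return True
    if what.startswith("attrs="):
        wanted = {a.strip().lower() for a in what[len("attrs="):].split(",")}
        return req.attr is not None and req.attr.lower() in wanted
    if what.startswith("dn.base="):
        return req.target_dn.lower() == what[len("dn.base="):].strip('"').lower()
    raise ValueError(f"<what> form not modelled: {what}")

def _who_matches(who: str, req: Request) -> bool:
    if who == "*":
        return True
    if who == "anonymous":
        return req.bind_dn is None
    if who == "users":
        return req.bind_dn is not None
    if who == "self":
        return req.bind_dn is not None and req.bind_dn.lower() == req.target_dn.lower()
    if who.startswith("dn="):
        return req.bind_dn is not None and req.bind_dn.lower() == who[3:].strip('"').lower()
    raise ValueError(f"<who> form not modelled: {who}")

def granted_level(acl_text: str, req: Request) -> str:
    """Level slapd would grant: first matching 'access to', then first matching 'by'."""
    for what, by_clauses in parse_acl(acl_text):
        if not _what_matches(what, req):
            continue
        for who, level in by_clauses:
            if _who_matches(who, req):
                return level
        return "none"        # implicit "by * none" at the end of every clause
    return "none"            # implicit "access to * by * none" at the end of the list

def allowed(acl_text: str, req: Request) -> bool:
    """True if the granted level is at least the level the operation needs."""
    return LEVELS.index(granted_level(acl_text, req)) >= LEVELS.index(req.level)

ADMIN = "cn=admin,dc=example,dc=com"
ALICE = "uid=alice,ou=people,dc=example,dc=com"   # constructed user DN
BOB = "uid=bob,ou=people,dc=example,dc=com"       # constructed user DN

if __name__ == "__main__":
    # ldapsearch -x with no -D is an anonymous bind (bind_dn=None).
    for name, acl in (("default", DEFAULT_ACL), ("no anon read", NO_ANON_READ_ACL), ("users read", USERS_READ_ACL)):
        print(f"{name:13} anon reads mail: {allowed(acl, Request(None, ALICE, 'mail', 'read'))!s:5}"
              f" bob reads alice's mail: {allowed(acl, Request(BOB, ALICE, 'mail', 'read'))!s:5}"
              f" anon reads root DSE: {allowed(acl, Request(None, '', None, 'read'))!s:5}"
              f" admin level on mail: {granted_level(acl, Request(ADMIN, ALICE, 'mail', 'read'))}")
```

Run it and compare the three rows: the default list lets anonymous read everything but the password attributes, the page's modified list locks out everyone except cn=admin (including uid=bob and the root DSE), and the by users read variant is the middle ground. In every variant cn=admin is granted write on mail, which satisfies a read request because write sits above read in LEVELS.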


slapd/acl.txt · Last modified: 2014/01/16 16:46 by admin