slapd.access(5)

1SLAPD.ACCESS(5)               File Formats Manual              SLAPD.ACCESS(5)
2
3
4

NAME

6       slapd.access  -  access  configuration  for slapd, the stand-alone LDAP
7       daemon
8

SYNOPSIS

10       /etc/openldap/slapd.conf
11

DESCRIPTION

13       The slapd.conf(5)  file  contains  configuration  information  for  the
14       slapd(8)  daemon. This configuration file is also used by the slurpd(8)
15       replication daemon and by the SLAPD tools slapacl(8), slapadd(8),  sla‐
16       pauth(8), slapcat(8), slapdn(8), slapindex(8), and slaptest(8).
17
18       The  slapd.conf  file  consists  of  a  series  of global configuration
19       options that apply to slapd as a whole (including all  backends),  fol‐
20       lowed  by zero or more database backend definitions that contain infor‐
21       mation specific to a backend instance.
22
23       The general format of slapd.conf is as follows:
24
25           # comment - these options apply to every database
26           <global configuration options>
27           # first database definition & configuration options
28           database    <backend 1 type>
29           <configuration options specific to backend 1>
30           # subsequent database definitions & configuration options
31           ...
32
33       Both the global configuration and  each  backend-specific  section  can
34       contain access information.  Backend-specific access control directives
35       are used for those entries that belong to  the  backend,  according  to
36       their naming context.  In case no access control directives are defined
37       for a backend or those which are defined are not applicable, the direc‐
38       tives from the global configuration section are then used.
39
40       If no access controls are present, the default policy allows anyone and
41       everyone to read anything but  restricts  updates  to  rootdn.   (e.g.,
42       "access  to * by * read").  The rootdn can always read and write EVERY‐
43       THING!
44
45       For entries not held in any backend (such as a root  DSE),  the  direc‐
46       tives of the first backend (and any global directives) are used.
47
48       Arguments  that should be replaced by actual text are shown in brackets
49       <>.
50

THE ACCESS DIRECTIVE

52       The structure of the access control directives is
53
54       access to <what> [ by <who> [ <access> ] [ <control> ] ]+
55              Grant access (specified by <access>) to a set of entries  and/or
56              attributes  (specified  by  <what>)  by  one  or more requestors
57              (specified by <who>).
58

THE <WHAT> FIELD

60       The field <what> specifies the  entity  the  access  control  directive
61       applies to.  It can have the forms
62
63            dn[.<dnstyle>]=<dnpattern>
64            filter=<ldapfilter>
65            attrs=<attrlist>[ val[/matchingRule][.<attrstyle>]=<attrval>]
66
67       with
68
69            <dnstyle>={{exact|base(object)}|regex
70                 |one(level)|sub(tree)|children}
71            <attrlist>={<attr>|[{!|@}]<objectClass>}[,<attrlist>]
72            <attrstyle>={{exact|base(object)}|regex
73                 |one(level)|sub(tree)|children}
74
75       The  statement dn=<dnpattern> selects the entries based on their naming
76       context.  The <dnpattern> is a string representation of the entry's DN.
77       The  wildcard  * stands for all the entries, and it is implied if no dn
78       form is given.
79
80       The <dnstyle> is optional; however, it is recommended to specify it  to
81       avoid ambiguities.  Base (synonym of baseObject), the default, or exact
82       (an alias of base) indicates the entry whose DN is equal to the <dnpat‐
83       tern>;  one (synonym of onelevel) indicates all the entries immediately
84       below the <dnpattern>, sub (synonym of subtree) indicates  all  entries
85       in  the  subtree at the <dnpattern>, children indicates all the entries
86       below (subordinate to) the <dnpattern>.
87
88       If the <dnstyle> qualifier  is  regex,  then  <dnpattern>  is  a  POSIX
89       (''extended'')  regular  expression  pattern,  as  detailed in regex(7)
90       and/or re_format(7), matching a normalized string representation of the
91       entry's  DN.   The  regex  form  of  the pattern does not (yet) support
92       UTF-8.
93
94       The statement filter=<ldapfilter> selects the entries based on a  valid
95       LDAP  filter  as described in RFC 2254.  A filter of (objectClass=*) is
96       implied if no filter form is given.
97
98       The statement attrs=<attrlist> selects the attributes the  access  con‐
99       trol rule applies to.  It is a comma-separated list of attribute types,
100       plus the special names entry, indicating access to  the  entry  itself,
101       and  children,  indicating  access to the entry's children. ObjectClass
102       names may also be specified in this list, which  will  affect  all  the
103       attributes that are required and/or allowed by that objectClass.  Actu‐
104       ally, names in <attrlist> that are prefixed by @ are  directly  treated
105       as  objectClass  names.   A  name  prefixed by !  is also treated as an
106       objectClass, but in this case the access rule  affects  the  attributes
107       that  are  not  required  nor allowed by that objectClass.  If no attrs
108       form is given, attrs=@extensibleObject is implied, i.e. all  attributes
109       are addressed.
110
111       Using  the form attrs=<attr> val[/matchingRule][.<attrstyle>]=<attrval>
112       specifies access to a particular value of a single attribute.  In  this
113       case,  only a single attribute type may be given. The <attrstyle> exact
114       (the default) uses the attribute's equality matching  rule  to  compare
115       the  value, unless a different (and compatible) matching rule is speci‐
116       fied. If the <attrstyle> is regex, the provided  value  is  used  as  a
117       POSIX  (''extended'') regular expression pattern.  If the attribute has
118       DN syntax, the <attrstyle> can be any of  base,  onelevel,  subtree  or
119       children,  resulting  in  base,  onelevel,  subtree  or children match,
120       respectively.
121
122       The dn, filter, and attrs statements are additive; they can be used  in
123       sequence  to select entities the access rule applies to based on naming
124       context, value and attribute type simultaneously.
125

THE <WHO> FIELD

127       The field <who> indicates whom the access  rules  apply  to.   Multiple
128       <who>  statements can appear in an access control statement, indicating
129       the different access privileges to the same resource that apply to dif‐
130       ferent accessee.  It can have the forms
131
132            *
133            anonymous
134            users
135            self[.<selfstyle>]
136
137            dn[.<dnstyle>[,<modifier>]]=<DN>
138            dnattr=<attrname>
139
140            realanonymous
141            realusers
142            realself[.<selfstyle>]
143
144            realdn[.<dnstyle>[,<modifier>]]=<DN>
145            realdnattr=<attrname>
146
147            group[/<objectclass>[/<attrname>]]
148                 [.<groupstyle>]=<group>
149            peername[.<peernamestyle>]=<peername>
150            sockname[.<style>]=<sockname>
151            domain[.<domainstyle>[,<modifier>]]=<domain>
152            sockurl[.<style>]=<sockurl>
153            set[.<setstyle>]=<pattern>
154
155            ssf=<n>
156            transport_ssf=<n>
157            tls_ssf=<n>
158            sasl_ssf=<n>
159
160            aci[=<attrname>]
161            dynacl/name[/<options>][.<dynstyle>][=<pattern>]
162
163       with
164
165            <style>={exact|regex|expand}
166            <selfstyle>={level{<n>}}
167            <dnstyle>={{exact|base(object)}|regex
168                 |one(level)|sub(tree)|children|level{<n>}}
169            <groupstyle>={exact|expand}
170            <peernamestyle>={<style>|ip|path}
171            <domainstyle>={exact|regex|sub(tree)}
172            <setstyle>={exact|regex}
173            <modifier>={expand}
174
175       They may be specified in combination.
176
177       The wildcard * refers to everybody.
178
179       The keywords prefixed by real act as their counterparts without prefix;
180       the checking respectively occurs with the  authentication  DN  and  the
181       authorization DN.
182
183       The  keyword  anonymous  means  access  is  granted  to unauthenticated
184       clients; it is mostly used to limit access to authentication  resources
185       (e.g.  the  userPassword  attribute)  to  unauthenticated  clients  for
186       authentication purposes.
187
188       The keyword users means access is granted to authenticated clients.
189
190       The keyword self means access to an  entry  is  allowed  to  the  entry
191       itself  (e.g. the entry being accessed and the requesting entry must be
192       the same).  It allows the level{<n>} style, where  <n>  indicates  what
193       ancestor  of  the  DN is to be used in matches.  A positive value indi‐
194       cates that the <n>-th ancestor of the user's DN is to be considered;  a
195       negative  value  indicates that the <n>-th ancestor of the target is to
196       be considered.  For example, a  "by  self.level{1}  ..."  clause  would
197       match    when   the   object   "dc=example,dc=com"   is   accessed   by
198       "cn=User,dc=example,dc=com".  A "by self.level{-1}  ..."  clause  would
199       match   when   the   same   user   accesses   the   object  "ou=Address
200       Book,cn=User,dc=example,dc=com".
201
202       The statement dn=<DN> means that access is granted to the matching  DN.
203       The  optional style qualifier dnstyle allows the same choices of the dn
204       form of the <what> field.  In addition, the  regex  style  can  exploit
205       substring  substitution  of submatches in the <what> dn.regex clause by
206       using the form $<digit>, with digit  ranging  from  0  to  9  (where  0
207       matches  the  entire  string),  or the form ${<digit>+}, for submatches
208       higher than 9.  Since the dollar character is used to indicate  a  sub‐
209       string replacement, the dollar character that is used to indicate match
210       up to the end of the string must be escaped by a second dollar  charac‐
211       ter, e.g.
212
213           access to dn.regex="^(.+,)?uid=([^,]+),dc=[^,]+,dc=com$"
214               by dn.regex="^uid=$2,dc=[^,]+,dc=com$$" write
215
216       The  style qualifier allows an optional modifier.  At present, the only
217       type allowed is expand, which causes  substring  substitution  of  sub‐
218       matches  to  take  place  even  if dnstyle is not regex.  Note that the
219       regex dnstyle in the above example may be  of  use  only  if  the  <by>
220       clause needs to be a regex; otherwise, if the value of the second (from
221       the right) dc= portion of the DN in the above example were  fixed,  the
222       form
223
224           access to dn.regex="^(.+,)?uid=([^,]+),dc=example,dc=com$"
225               by dn.exact,expand="uid=$2,dc=example,dc=com" write
226
227       could  be  used; if it had to match the value in the <what> clause, the
228       form
229
230           access to dn.regex="^(.+,)?uid=([^,]+),dc=([^,]+),dc=com$"
231               by dn.exact,expand="uid=$2,dc=$3,dc=com" write
232
233       could be used.
234
235       Forms of the <what> clause other than regex may provide  submatches  as
236       well.   The  base(object), the sub(tree), the one(level), and the chil‐
237       dren forms  provide  $0  as  the  match  of  the  entire  string.   The
238       sub(tree),  the  one(level),  and the children forms also provide $1 as
239       the match of the rightmost part of the DN  as  defined  in  the  <what>
240       clause.  This may be useful, for instance, to provide access to all the
241       ancestors of a user by defining
242
243           access to dn.subtree="dc=com"
244               by dn.subtree,expand="$1" read
245
246       which means that only access to entries that appear in the  DN  of  the
247       <by> clause is allowed.
248
249       The  level{<n>}  form  is  an  extension  and  a  generalization of the
250       onelevel form, which matches all DNs whose <n>-th ancestor is the  pat‐
251       tern.   So, level{1} is equivalent to onelevel, and level{0} is equiva‐
252       lent to base.
253
254       It is perfectly useless to give any access  privileges  to  a  DN  that
255       exactly  matches  the rootdn of the database the ACLs apply to, because
256       it implicitly possesses write privileges for the entire  tree  of  that
257       database.   Actually,  access  control  is  bypassed for the rootdn, to
258       solve the intrinsic chicken-and-egg problem.
259
260       The  statement  dnattr=<attrname>  means  that  access  is  granted  to
261       requests  whose  DN  is  listed  in  the entry being accessed under the
262       <attrname> attribute.
263
264       The statement group=<group> means that access is  granted  to  requests
265       whose  DN  is  listed  in the group entry whose DN is given by <group>.
266       The optional parameters <objectclass> and <attrname> define the object‐
267       Class  and  the  member attributeType of the group entry.  The defaults
268       are groupOfNames and member, respectively.  The optional  style  quali‐
269       fier  <style>  can be expand, which means that <group> will be expanded
270       as a replacement string (but not as a regular expression) according  to
271       regex(7)  and/or  re_format(7), and exact, which means that exact match
272       will be used.  If the style of the DN portion of the <what>  clause  is
273       regex,  the  submatches are made available according to regex(7) and/or
274       re_format(7); other styles  provide  limited  submatches  as  discussed
275       above about the DN form of the <by> clause.
276
277       For static groups, the specified attributeType must have Distinguished‐
278       Name or NameAndOptionalUID syntax. For dynamic groups the attributeType
279       must  be  a  subtype of the labeledURI attributeType. Only LDAP URIs of
280       the  form  ldap:///<base>??<scope>?<filter>  will  be  evaluated  in  a
281       dynamic group, by searching the local server only.
282
283       The      statements      peername=<peername>,      sockname=<sockname>,
284       domain=<domain>, and sockurl=<sockurl> mean that the contacting host IP
285       (in  the  form  IP=<ip>:<port>)  or the contacting host named pipe file
286       name (in the form PATH=<path> if connecting through a named  pipe)  for
287       peername,  the  named  pipe file name for sockname, the contacting host
288       name for domain, and  the  contacting  URL  for  sockurl  are  compared
289       against  pattern to determine access.  The same style rules for pattern
290       match described for the group case apply, plus the regex  style,  which
291       implies submatch expand and regex match of the corresponding connection
292       parameters.  The exact style of the  <peername>  clause  (the  default)
293       implies a case-exact match on the client's IP, including the IP= prefix
294       and the trailing :<port>, or the client's  path,  including  the  PATH=
295       prefix if connecting through a named pipe.  The special ip style inter‐
296       prets the pattern as <peername>=<ip>[%<mask>][{<n>}],  where  <ip>  and
297       <mask>  are  dotted digit representations of the IP and the mask, while
298       <n>, delimited by curly brackets, is an optional port.   When  checking
299       access  privileges, the IP portion of the peername is extracted, elimi‐
300       nating the IP= prefix and the :<port> part, and it is compared  against
301       the <ip> portion of the pattern after masking with <mask>.  As an exam‐
302       ple, peername.ip=127.0.0.1  allows  connections  only  from  localhost,
303       peername.ip=192.168.1.0%255.255.255.0 allows connections from any IP in
304       the      192.168.1      class      C      domain,       and       peer‐
305       name.ip=192.168.1.16%255.255.255.240{9009}  allows connections from any
306       IP in the 192.168.1.[16-31] range of the same domain, only if port 9009
307       is  used.   The special path style eliminates the PATH= prefix from the
308       peername when connecting through a named pipe, and  performs  an  exact
309       match  on  the given pattern.  The <domain> clause also allows the sub‐
310       tree style, which succeeds when a fully qualified name exactly  matches
311       the  domain pattern, or its trailing part, after a dot, exactly matches
312       the domain pattern.  The expand style is  allowed,  implying  an  exact
313       match with submatch expansion; the use of expand as a style modifier is
314       considered more appropriate.  As an example, domain.subtree=example.com
315       will  match www.example.com, but will not match www.anotherexample.com.
316       The domain of the contacting host is determined  by  performing  a  DNS
317       reverse  lookup.   As  this  lookup  can  easily be spoofed, use of the
318       domain statement is strongly discouraged.  By default, reverse  lookups
319       are  disabled.   The  optional  domainstyle  qualifier  of the <domain>
320       clause allows a modifier option; the only value currently supported  is
321       expand, which causes substring substitution of submatches to take place
322       even if the domainstyle is not regex, much like the analogous usage  in
323       <dn> clause.
324
325       The statement set=<pattern> is undocumented yet.
326
327       The  statement aci[=<attrname>] means that the access control is deter‐
328       mined by the values in the attrname of the entry itself.  The  optional
329       <attrname>  indicates  what  attributeType holds the ACI information in
330       the entry.  By default, the OpenLDAPaci operational attribute is  used.
331       ACIs are experimental; they must be enabled at compile time.
332
333       The  statement dynacl/<name>[/<options>][.<dynstyle>][=<pattern>] means
334       that access checking is delegated to the admin-defined method indicated
335       by  <name>,  which  can  be registered at run-time by means of the mod‐
336       uleload statement.  The fields <options>, <dynstyle> and <pattern>  are
337       optional,  and  are  directly passed to the registered parsing routine.
338       Dynacl is experimental; it must be enabled at compile time.  If  dynacl
339       and  ACIs are both enabled, ACIs are cast into the dynacl scheme, where
340       <name>=aci and, optionally, <patten>=<attrname>.  However, the original
341       ACI syntax is preserved for backward compatibility.
342
343       The    statements    ssf=<n>,   transport_ssf=<n>,   tls_ssf=<n>,   and
344       sasl_ssf=<n> set the minimum required Security  Strength  Factor  (ssf)
345       needed to grant access.  The value should be positive integer.
346

THE <ACCESS> FIELD

348       The  field  <access>  ::=  [[real]self]{<level>|<priv>}  determines the
349       access level or the specific access privileges the who field will have.
350       Its component are defined as
351
352            <level> ::= none|disclose|auth|compare|search|read|write
353            <priv> ::= {=|+|-}{w|r|s|c|x|d|0}+
354
355       The  modifier  self  allows  special  operations  like having a certain
356       access level or privilege only in case the operation involves the  name
357       of  the  user  that's  requesting the access.  It implies the user that
358       requests access is authorized.  The modifier  realself  refers  to  the
359       authenticated  DN as opposed to the authorized DN of the self modifier.
360       An example is the selfwrite access to the member attribute of a  group,
361       which  allows  one  to  add/delete its own DN from the member list of a
362       group, without affecting other members.
363
364       The level access model relies on an incremental interpretation  of  the
365       access  privileges.  The possible levels are none, disclose, auth, com‐
366       pare, search, read, and write.  Each access level implies all the  pre‐
367       ceding ones, thus write access will imply all accesses.
368
369       The  none  access  level  disallows  all access including disclosure on
370       error.
371
372       The disclose access level allows disclosure of information on error.
373
374       The auth access level means that one is allowed access to an  attribute
375       to perform authentication/authorization operations (e.g.  bind) with no
376       other access.  This is useful  to  grant  unauthenticated  clients  the
377       least possible access level to critical resources, like passwords.
378
379       The  priv  access model relies on the explicit setting of access privi‐
380       leges for each clause.  The = sign resets previously defined  accesses;
381       as  a  consequence,  the  final  access  privileges  will be only those
382       defined by the clause.  The + and - signs add/remove access  privileges
383       to  the  existing  ones.  The privileges are w for write, r for read, s
384       for search, c for compare, x for authentication, and  d  for  disclose.
385       More than one of the above privileges can be added in one statement.  0
386       indicates no privileges and is used only by itself (e.g., +0).   If  no
387       access is given, it defaults to +0.
388

THE <CONTROL> FIELD

390       The  optional field <control> controls the flow of access rule applica‐
391       tion.  It can have the forms
392
393            stop
394            continue
395            break
396
397       where stop, the default, means access checking stops in case of  match.
398       The  other two forms are used to keep on processing access clauses.  In
399       detail, the continue form allows for other <who> clauses  in  the  same
400       <access>  clause to be considered, so that they may result in incremen‐
401       tally altering the privileges, while the break form  allows  for  other
402       <access>  clauses that match the same target to be processed.  Consider
403       the (silly) example
404
405            access to dn.subtree="dc=example,dc=com" attrs=cn
406                 by * =cs break
407
408            access to dn.subtree="ou=People,dc=example,dc=com"
409                 by * +r
410
411       which allows search and  compare  privileges  to  everybody  under  the
412       "dc=example,dc=com"  tree,  with  the second rule allowing also read in
413       the "ou=People" subtree, or the (even more silly) example
414
415            access to dn.subtree="dc=example,dc=com" attrs=cn
416                 by * =cs continue
417                 by users +r
418
419       which grants everybody search and compare  privileges,  and  adds  read
420       privileges to authenticated clients.
421
422       One useful application is to easily grant write privileges to an updat‐
423       edn that is different from the rootdn.  In this case, since the  updat‐
424       edn needs write access to (almost) all data, one can use
425
426            access to *
427                 by dn.exact="cn=The Update DN,dc=example,dc=com" write
428                 by * break
429
430       as  the  first  access rule.  As a consequence, unless the operation is
431       performed with the updatedn identity, control is passed straight to the
432       subsequent rules.
433
434

OPERATION REQUIREMENTS

436       Operations  require  different  privileges  on  different  portions  of
437       entries.  The following summary applies to  primary  database  backends
438       such as the BDB and HDB backends.   Requirements for other backends may
439       (and often do) differ.
440
441
442       The add  operation  requires  write  (=w)  privileges  on  the  pseudo-
443       attribute  entry of the entry being added, and write (=w) privileges on
444       the pseudo-attribute children of the entry's parent.  When  adding  the
445       suffix  entry  of  a database, write access to children of the empty DN
446       ("") is required.
447
448
449       The bind operation, when  credentials  are  stored  in  the  directory,
450       requires  auth  (=x)  privileges  on  the attribute the credentials are
451       stored in (usually userPassword).
452
453
454       The compare operation requires compare (=c) privileges on the attribute
455       that is being compared.
456
457
458       The  delete  operation  requires  write  (=w) privileges on the pseudo-
459       attribute entry of the entry being deleted, and write  (=w)  privileges
460       on the children pseudo-attribute of the entry's parent.
461
462
463       The  modify  operation requires write (=w) privileges on the attributes
464       being modified.
465
466
467       The modrdn operation requires write  (=w)  privileges  on  the  pseudo-
468       attribute entry of the entry whose relative DN is being modified, write
469       (=w) privileges on the pseudo-attribute children of  the  old  and  new
470       entry's  parents,  and write (=w) privileges on the attributes that are
471       present in the  new  relative  DN.   Write  (=w)  privileges  are  also
472       required  on  the attributes that are present in the old relative DN if
473       deleteoldrdn is set to 1.
474
475
476       The search operation, requires search  (=s)  privileges  on  the  entry
477       pseudo-attribute  of  the  searchBase  (NOTE:  this was introduced with
478       2.3).  Then, for each entry, it requires search (=s) privileges on  the
479       attributes  that  are defined in the filter.  The resulting entries are
480       finally tested for read (=r) privileges on the  pseudo-attribute  entry
481       (for  read access to the entry itself) and for read (=r) access on each
482       value of each attribute that is requested.   Also,  for  each  referral
483       object  used  in  generating  continuation  references,  the  operation
484       requires read (=r) access  on  the  pseudo-attribute  entry  (for  read
485       access  to  the referral object itself), as well as read (=r) access to
486       the attribute holding  the  referral  information  (generally  the  ref
487       attribute).
488
489
490       Some  internal  operations  and  some  controls require specific access
491       privileges.  The authzID mapping and  the  proxyAuthz  control  require
492       auth  (=x)  privileges  on  all  the attributes that are present in the
493       search filter of the URI regexp maps (the right-hand side of the authz-
494       regexp  directives).   Auth  (=x)  privileges  are also required on the
495       authzTo attribute of the authorizing identity and/or on  the  authzFrom
496       attribute of the authorized identity.
497
498
499       Access  control  to search entries is checked by the frontend, so it is
500       fully honored by all backends; for all other  operations  and  for  the
501       discovery  phase  of  the  search operation, full ACL semantics is only
502       supported by the primary backends, i.e.  back-bdb(5), and back-hdb(5).
503
504       Some other backend, like back-sql(5), may fully  support  them;  others
505       may  only  support a portion of the described semantics, or even differ
506       in some aspects.  The relevant details are described  in  the  backend-
507       specific man pages.
508
509

CAVEATS

511       It  is  strongly  recommended  to  explicitly  use the most appropriate
512       <dnstyle> in <what> and <who>  clauses,  to  avoid  possible  incorrect
513       specifications  of  the  access rules as well as for performance (avoid
514       unnecessary regex matching when an exact match suffices) reasons.
515
516       An administrator might create a rule of the form:
517
518            access to dn.regex="dc=example,dc=com"
519                 by ...
520
521       expecting it to match all entries in the  subtree  "dc=example,dc=com".
522       However,  this rule actually matches any DN which contains anywhere the
523       substring  "dc=example,dc=com".   That  is,  the  rule   matches   both
524       "uid=joe,dc=example,dc=com" and "dc=example,dc=com,uid=joe".
525
526       To match the desired subtree, the rule would be more precisely written:
527
528            access to dn.regex="^(.+,)?dc=example,dc=com$"
529                 by ...
530
531       For performance reasons, it would be better to use the subtree style.
532
533            access to dn.subtree="dc=example,dc=com"
534                 by ...
535
536       When  writing submatch rules, it may be convenient to avoid unnecessary
537       regex <dnstyle> use; for instance, to allow access to  the  subtree  of
538       the user that matches the <what> clause, one could use
539
540            access to dn.regex="^(.+,)?uid=([^,]+),dc=example,dc=com$"
541                 by dn.regex="^uid=$2,dc=example,dc=com$$" write
542                 by ...
543
544       However,  since  all  that  is required in the <by> clause is substring
545       expansion, a more efficient solution is
546
547            access to dn.regex="^(.+,)?uid=([^,]+),dc=example,dc=com$"
548                 by dn.exact,expand="uid=$2,dc=example,dc=com" write
549                 by ...
550
551       In fact, while a <dnstyle> of regex implies substring expansion, exact,
552       as  well as all the other DN specific <dnstyle> values, does not, so it
553       must be explicitly requested.
554

FILES

556       /etc/openldap/slapd.conf
557              default slapd configuration file
558

ACKNOWLEDGEMENTS

565       OpenLDAP  is  developed  and  maintained  by   The   OpenLDAP   Project
566       (http://www.openldap.org/).   OpenLDAP  is  derived  from University of
567       Michigan LDAP 3.3 Release.
568
569
570
571OpenLDAP 2.3.34                    2007/2/16                   SLAPD.ACCESS(5)