4.2 - Authorization¶
ApacheDS uses an adaptation of the X.500 basic access control scheme in combination with X.500 subentries to control access to entries and attributes within the DIT. This document will show you how to enable the basic access control mechanism and how to define access control information to manage access to protected resources.
- 4.2.1 - Introduction
- 4.2.2 - Definitions
- 4.2.3 - Enabling access control
- 4.2.4 - Aci Types
- 4.2.5 - Aci Elements
- 4.2.6 - The Acdf Engine
- 4.2.7 - Using Acis Trail
- 4.2.8 - Acis Administration
- 4.2.9 - Migration from other Ldap Servers
- 4.2.10 - Aci Grammar
- 4.2.11 - Links and References
Some Simple Examples¶
The ACIItem syntax is very expressive and that makes it extremely powerful for specifying complex access control policies. However the syntax is not very easy to grasp for beginners. For this reason we start with simple examples that focus on different protection mechanisms offered by the ACIItem syntax. We do this instead of specifying the grammar which is not the best way to learn a language.
Before going on to these trails you might want to set up an Administrative Area for managing access control via prescriptiveACI. Both subentryACI and prescriptiveACI require the presence of an Administrative Point entry. For more information and code examples see ACAreas.
Here are some trails that resemble simple HOWTO guides. They're ordered with the most pragmatic usage first. We will add to these trails over time.
|DenySubentryAccess (TBW)||Protecting access to subentries themselves.|
|Allow Self Password Modify](126.96.36.199-allow-self-password-modify.html)||Granting users the rights needed to change their own passwords.|
|GrantAddDelModToGroup (TBW)||Granting add, delete, and modify permissions to a group of users.|
|GrantModToEntry (TBW)||Applying ACI to a single entry.|
|Enable Authenticated Users to Browse and Read Entries](188.8.131.52-enable-authenticated-users-to-browse-and-read-entries.html)|