4.2 - Authorization

ApacheDS uses an adaptation of the X.500 basic access control scheme in combination with X.500 subentries to control access to entries and attributes within the DIT. This document will show you how to enable the basic access control mechanism and how to define access control information to manage access to protected resources.

Some Simple Examples

The ACIItem syntax is very expressive, which makes it extremely powerful for specifying complex access control policies. However, the syntax is not easy for beginners to grasp. For this reason, we start with simple examples that focus on the different protection mechanisms offered by the ACIItem syntax, rather than specifying the grammar, which is not the best way to learn a language.

Before you go any further: please don't continue until you have read up on the use of Subentries. Knowledge of subentries, subtreeSpecifications, administrative areas, and administrative roles is required to properly digest the following material.

Before going on to these trails you might want to set up an Administrative Area for managing access control via prescriptiveACI. Both subentryACI and prescriptiveACI require the presence of an Administrative Point entry. For more information and code examples see ACAreas.

ACI Trails

Here are some trails that resemble simple HOWTO guides. They’re ordered with the most pragmatic usage first. We will add to these trails over time.

Trail | Description
DenySubentryAccess (TBW) | Protecting access to subentries themselves.
Allow Self Password Modify | Granting users the rights needed to change their own passwords.
GrantAddDelModToGroup (TBW) | Granting add, delete, and modify permissions to a group of users.
GrantModToEntry (TBW) | Applying ACI to a single entry.
Enable Authenticated Users to Browse and Read Entries |