OpenDJ directory server access control instructions (ACIs) exist as
operational aci attribute values on directory entries, and as global ACIs
stored in the server configuration. Each ACI applies to a scope defined in
the instruction, and grants or denies permissions depending on what
operation is requested, who requested it, and how the client connected to
the server.

For example, the ACIs on the following entry allow anonymous read access
to all attributes except userPassword, and grant all permissions
(allow(all)) to members of the Directory Administrators group under
dc=example,dc=com.
dn: dc=example,dc=com
objectClass: domain
objectClass: top
dc: example
aci: (target ="ldap:///dc=example,dc=com")(targetattr != "userPassword")(version 3.0;acl "Anonymous read-search access"; allow (read, search, compare)(userdn = "ldap:///anyone");)
aci: (target="ldap:///dc=example,dc=com") (targetattr = "*")(version 3.0; acl "allow all Admin group"; allow(all) groupdn = "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)
OpenDJ directory server's default behavior is that no access is allowed
unless it is specifically granted by an access control instruction. In
addition, privileges assigned to certain users, such as the bypass-acl
privilege held by cn=Directory Manager, allow them to bypass access
control checks entirely.

OpenDJ directory server provides several global ACIs out of the box to
facilitate evaluation while maintaining a reasonable security policy. By
default users are allowed to read the root DSE, to read the schema, to use
certain controls and extended operations, to modify their own entries, to
bind, and so forth. Global ACIs are defined on the access control handler,
and apply to the entire directory server. You must adjust the default
global ACIs to match the security policies for your organization, for
example to restrict anonymous access.
ACI attribute values use a specific language described in this section.
Although ACI attribute values can become difficult to read in LDIF, the
basic syntax is simple.

targets(version 3.0;acl "name";permissions subjects;)
The following list briefly explains the variables in the syntax above.

targets
    Specifies the entries, attributes, controls, and extended operations
    to which the ACI applies. To include multiple targets, enclose each
    individual target in parentheses, (). When you specify multiple
    targets, all targets must match for the ACI to apply (AND).

name
    Supplies a human-readable description of what the ACI does.

permissions
    Defines which actions to allow, and which to deny. Paired with
    subjects.

subjects
    Identifies the clients to which the ACI applies, depending on who
    connected, and when, where, and how they connected. Paired with
    permissions.

Separate multiple permissions-subjects pairs with semicolons, ;. When you
specify multiple permissions-subjects pairs, at least one must match (OR).
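The following Python script is an added example, not OpenDJ code or part of
the original page. It applies the syntax above mechanically: it splits an ACI
value into its targets (ANDed), its acl name, and its permissions-subjects
pairs (ORed), then uses that structure for the check a reviewer of the example
entry most wants, namely whether any ACI lets an unauthenticated client
(userdn = "ldap:///anyone") read, search or compare userPassword. The sample
LDIF is constructed: it repeats the two ACIs from the entry above and adds two
weak ACIs so the audit has something to find. The parser covers only the
version 3.0 shape shown on this page and assumes (an assumption of this
example, not a documented OpenDJ rule) that an ACI with no targetattr does not
expose attribute values; it also ignores deny rules in other ACIs, so a hit
means "review this ACI", not a proven exposure.

```python
import re

# Target keywords used in OpenDJ ACIs; longer names first so the regex
# alternation does not stop at the "target" prefix of "targetattr".
TARGET_KEYWORDS = ("targattrfilters", "targetattr", "targetfilter", "targetscope",
                   "targetcontrol", "target", "extop")

_TARGET_RE = re.compile(
    r'\(\s*(' + "|".join(TARGET_KEYWORDS) + r')\s*(!?=)\s*"([^"]*)"\s*\)',
    re.IGNORECASE)
_BODY_RE = re.compile(
    r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;(.*)\)\s*$',
    re.IGNORECASE | re.DOTALL)
_RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*(.*)', re.IGNORECASE | re.DOTALL)
_ANYONE_RE = re.compile(r'userdn\s*=\s*"ldap:///anyone"', re.IGNORECASE)

# Permissions that let a client learn an attribute value, directly (read)
# or as an oracle (search filters, compare).
READ_LIKE = {"read", "search", "compare", "all"}


def parse_aci(aci):
    """Split one ACI value into targets, acl name and (allow|deny, perms, subject) rules."""
    aci = aci.strip()
    targets, pos = [], 0
    while True:                              # zero or more (keyword op "value") targets
        m = _TARGET_RE.match(aci, pos)
        if not m:
            break
        targets.append((m.group(1).lower(), m.group(2), m.group(3)))
        pos = m.end()
        while pos < len(aci) and aci[pos].isspace():
            pos += 1
    m = _BODY_RE.match(aci, pos)
    if not m:
        raise ValueError("not a version 3.0 ACI: %r" % aci)
    name, body = m.group(1), m.group(2)
    rules = []
    for chunk in body.split(";"):            # permissions-subjects pairs end with ';'
        chunk = chunk.strip()
        if not chunk:
            continue
        r = _RULE_RE.match(chunk)
        if not r:
            raise ValueError("bad permissions/subject pair: %r" % chunk)
        perms = [p.strip().lower() for p in r.group(2).split(",")]
        subject = r.group(3).strip()
        if subject.startswith("(") and subject.endswith(")"):
            subject = subject[1:-1].strip()  # the bind rule may or may not be parenthesised
        rules.append((r.group(1).lower(), perms, subject))
    return {"targets": targets, "name": name, "rules": rules}


def targets_attribute(targets, attr):
    """True if the targetattr clause covers attr ('*' or a '||'-separated list)."""
    for kw, op, value in targets:
        if kw != "targetattr":
            continue
        names = [n.strip().lower() for n in value.split("||")]
        hit = "*" in names or attr.lower() in names
        return hit if op == "=" else not hit   # 'targetattr != "userPassword"' excludes it
    return False   # assumption of this example: no targetattr, no attribute exposure


def anonymous_password_exposure(acis, attr="userPassword"):
    """Names of ACIs letting ldap:///anyone read, search or compare attr (deny rules ignored)."""
    hits = []
    for raw in acis:
        aci = parse_aci(raw)
        if not targets_attribute(aci["targets"], attr):
            continue
        for kind, perms, subject in aci["rules"]:
            if kind == "allow" and READ_LIKE & set(perms) and _ANYONE_RE.search(subject):
                hits.append(aci["name"])
                break
    return hits


def aci_values(ldif):
    """Pull aci: values out of LDIF text, unfolding continuation lines (leading space)."""
    lines = []
    for line in ldif.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return [l[len("aci:"):].strip() for l in lines if l.lower().startswith("aci:")]


# Constructed sample: the entry from the text plus two weak ACIs added for the audit.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
objectClass: domain
objectClass: top
dc: example
aci: (target ="ldap:///dc=example,dc=com")(targetattr != "userPassword")(version 3.0;acl "Anonymous read-search access"; allow (read, search, compare)(userdn = "ldap:///anyone");)
aci: (target="ldap:///dc=example,dc=com") (targetattr = "*")(version 3.0; acl "allow all Admin group"; allow(all) groupdn = "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)
aci: (target="ldap:///dc=example,dc=com")(targetattr = "*")(version 3.0; acl "Too permissive anonymous read"; allow (read, search) userdn = "ldap:///anyone";)
aci: (targetattr = "cn || userPassword")(version 3.0; acl "Anonymous compare on passwords";
  allow (compare) (userdn = "ldap:///anyone");)
"""

if __name__ == "__main__":
    for raw in aci_values(SAMPLE_LDIF):
        a = parse_aci(raw)
        print(a["name"], "->", a["targets"], a["rules"])
    print("anonymous access to userPassword:",
          anonymous_password_exposure(aci_values(SAMPLE_LDIF)))
```

Run as-is, the script flags the two constructed ACIs and leaves the page's two
alone: the first because targetattr != "userPassword" excludes the attribute,
the second because its only subject is the administrators group. Note that
compare alone is flagged too, since a compare oracle on userPassword lets an
anonymous client verify password guesses without ever reading the value. To
audit a live server, replace SAMPLE_LDIF with the output of an ldapsearch for
the aci attribute and with the global-aci values from the access control
handler configuration.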

