Access control instructions are defined in the data, as values of the
aci attribute. They can be imported in LDIF and modified over LDAP.
To change ACIs, however, users first need the modify-acl privilege
described previously. By default, only the root DN user has the
modify-acl privilege.
Global ACIs on cn=Access Control Handler,cn=config
can be set using the dsconfig command. Global ACIs have
attribute type ds-cfg-global-aci. Modify global ACIs from
the Access Control Handler menu in dsconfig.
Default global ACIs set up the following access rules.
- Users can employ LDAP controls and perform extended operations.
- Anonymous read access is allowed for most user data attributes.
- Users can read password values on their own entries after binding. (Also by default, password values are hashed.)
- Anonymous read access is allowed for schema-related operational attributes.
- Anonymous read access is allowed for root DSE attributes describing what the server supports.
- Anonymous read access is allowed for operational attributes related to entry updates and entry identification.
- Access to replication data is denied.
Users with write access to add ACIs and with the
modify-acl privilege can use the
ldapmodify command to change ACIs located in user
data.
This section therefore focuses on ACI examples, rather than demonstrating how to update the directory for each example. To update ACIs, either change them using the ldapmodify command, or using OpenDJ Control Panel.
If you use OpenDJ Control Panel, find the entry to modify in the Manage Entries window. Then try View > LDIF View to edit the entry. Control Panel checks your syntax and lets you know if you made an error before it saves any changes.
For hints on updating directory entries with
ldapmodify, see the section on Modifying Entry
Attributes, keeping in mind that the name of the ACI
attribute is aci as shown in the examples that
follow.
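Control Panel checks ACI syntax for you; ldapmodify does not, and a malformed value is only rejected once the server sees it. The following is an added example, not OpenDJ code and not part of this guide: a small Python checker for aci values written the way the examples in this section are. It splits a value into its target clauses, acl name and allow/deny rules, and rejects unknown target keywords, rights and bind-rule keywords. The sample values are copied from the examples that follow, plus one with a deliberate typo; the keyword sets are the ones the ACI syntax defines. It checks form only and does not evaluate what an ACI grants.

```python
"""Sanity-check OpenDJ aci values before loading them with ldapmodify.

Added example, not OpenDJ code. It recognises the ACI grammar used in the
examples in this section (target clauses, version/acl header, allow and deny
rules) and rejects typos the server would otherwise report at modify time.
"""
import re
from dataclasses import dataclass, field

# Keyword sets as defined by the ACI syntax; anything else is an error.
TARGET_KEYWORDS = {"target", "targetattr", "targetfilter", "targattrfilters",
                   "targetscope", "targetcontrol", "extop"}
RIGHTS = {"read", "write", "add", "delete", "search", "compare",
          "selfwrite", "proxy", "import", "export", "all"}
BIND_KEYWORDS = {"userdn", "groupdn", "roledn", "userattr", "ip", "dns",
                 "authmethod", "timeofday", "dayofweek", "ssf"}

TARGET_RE = re.compile(r'\s*\(\s*(\w+)\s*(!?=)\s*"([^"]*)"\s*\)')   # (targetattr != "a || b")
BODY_RE = re.compile(r'\s*\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;(.*)\)\s*$', re.S)
RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*((?:"[^"]*"|[^;"])*);', re.S)  # allow (rights) bind;
QUOTED_RE = re.compile(r'"[^"]*"')
KEYWORD_RE = re.compile(r'\b(\w+)\s*(?:!=|<=|>=|=|<|>)')


@dataclass
class Aci:
    name: str
    targets: list = field(default_factory=list)  # (keyword, "=" or "!=", value)
    rules: list = field(default_factory=list)    # (allow|deny, set of rights, bind rule text)

    def target_attrs(self):
        """Attribute names listed in targetattr, split on the || separator."""
        for keyword, _, value in self.targets:
            if keyword == "targetattr":
                return [a.strip() for a in value.split("||")]
        return []


def parse_aci(text):
    """Return an Aci for one value, or raise ValueError saying what is wrong."""
    s = text.strip()
    if s.lower().startswith("aci:"):
        s = s[4:]
    targets, pos = [], 0
    while (m := TARGET_RE.match(s, pos)):
        keyword = m.group(1).lower()
        if keyword not in TARGET_KEYWORDS:
            raise ValueError(f"unknown target keyword {keyword!r}")
        targets.append((keyword, m.group(2), m.group(3)))
        pos = m.end()
    body = BODY_RE.match(s, pos)
    if not body:
        raise ValueError('expected (version 3.0; acl "name"; ...) after the targets')
    rules = []
    for kind, rights, bind in RULE_RE.findall(body.group(2)):
        granted = {r.strip().lower() for r in rights.split(",") if r.strip()}
        if not granted or not granted <= RIGHTS:
            raise ValueError(f"bad rights in {kind} rule: {rights.strip()!r}")
        # Blank out quoted values first so cn=/ou=/dc= inside DNs are not taken for keywords.
        keywords = set(KEYWORD_RE.findall(QUOTED_RE.sub('""', bind)))
        if not keywords or not keywords <= BIND_KEYWORDS:
            raise ValueError(f"bad bind rule: {bind.strip()!r}")
        rules.append((kind, granted, bind.strip()))
    leftover = RULE_RE.sub("", body.group(2)).strip()
    if leftover or not rules:  # e.g. a rule missing its trailing semicolon
        raise ValueError(f"unparsed permission text: {leftover!r}")
    return Aci(body.group(1), targets, rules)


def validate(text):
    """None when the value parses, otherwise the reason it does not."""
    try:
        parse_aci(text)
        return None
    except ValueError as err:
        return str(err)


# Sample values copied from the examples in this section, plus one with a typo.
SAMPLES = {
    "Example 5.1": '(target ="ldap:///dc=example,dc=com")(targetattr != "authPassword || userPassword")(version 3.0;acl "Anonymous read-search access"; allow (read, search, compare)(userdn = "ldap:///anyone");)',
    "Example 5.3": '(target="ldap:///dc=example,dc=com") (targetattr = "* || +")(version 3.0;acl "Admins can run amok"; allow( all, proxy, import, export) groupdn = "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)',
    "Example 5.7": '(target = "ldap:///dc=example,dc=com")(targetattr = "*")(version 3.0;acl "Use loopback only for LDAP in the clear"; deny (all)( ip != "127.0.0.1" and ssf <= "1");)',
    "typo": '(target="ldap:///dc=example,dc=com")(version 3.0;acl "Typo"; allow (reed) userdn="ldap:///anyone";)',
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        problem = validate(value)
        if problem:
            print(f"{label}: REJECTED: {problem}")
            continue
        aci = parse_aci(value)
        for kind, rights, bind in aci.rules:
            print(f'{label}: acl "{aci.name}": {kind} {sorted(rights)} to {bind}; attrs={aci.target_attrs()}')
```

Run it over the LDIF you are about to load, and fix anything it rejects before calling ldapmodify.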
Example 5.1. ACI: Anonymous Reads & Searches
This works when the only attributes you do not want world-readable are password attributes.
aci: (target ="ldap:///dc=example,dc=com")(targetattr != "authPassword || userPassword")(version 3.0;acl "Anonymous read-search access"; allow (read, search, compare)(userdn = "ldap:///anyone");)
Example 5.2. ACI: Disable Anonymous Access
By default OpenDJ denies access unless an access control explicitly allows access.[3] However, OpenDJ also allows anonymous access by default to use some controls, to perform certain extended operations, to view root DSE operational attributes, to view directory schema definitions, to view some other operational attributes, and to perform compare and search operations.
These default capabilities are defined on the
global-aci property of the access control handler, which
you can read by using the
dsconfig get-access-control-handler-prop command.
$ dsconfig get-access-control-handler-prop --port 4444 --hostname opendj.example.com --bindDN "cn=Directory Manager" --bindPassword password --property global-aci
To disable anonymous read access for example, use the dsconfig set-access-control-handler-prop command.
First, remove the global-aci attribute value that allows anonymous read access. The ACI must be passed as one unbroken string: do not wrap the ACI value in the following example if you use it as the basis for your script.
$ dsconfig \
 set-access-control-handler-prop \
 --remove=global-aci:'(targetattr!="userPassword||authPassword||changes||changeNumber||changeType||changeTime||targetDN||newRDN||newSuperior||deleteOldRDN||targetEntryUUID||changeInitiatorsName||changeLogCookie||includedAttributes")(version 3.0; acl "Anonymous read access"; allow (read,search,compare) userdn="ldap:///anyone";)' \
 --hostname=opendj.example.com \
 --port=4444 \
 --bindDN=cn=Directory\ Manager \
 --bindPassword=password \
 --trustAll \
 --no-prompt
Note: The command above wraps the global-aci value in single quotes. This avoids the need for extensive character escapes. Without the quotes, you must escape characters such as the pipe (|) and the exclamation point (!) yourself to avoid shell errors.
If the value passed to --remove does not match the stored global-aci
value exactly, the command fails to remove it. An alternative approach is to
use the dsconfig command interactively, adding the
--commandFilePath option, and then use the command captured in that
file to remove the property value on other servers.
To use the dsconfig command this way, start the
command as follows.
$ dsconfig --port 4444 --hostname opendj.example.com --bindDN "cn=Directory Manager" --bindPassword password --commandFilePath /tmp/captured-command.sh
Next, add a global ACI value that allows authenticated users to
perform read operations. You can use dsconfig
interactively to add the ACI value as shown below
(targetattr!= … userdn="ldap:///all";).
global-aci: (targetattr!="userPassword||authPassword||changes||changeNumber||changeType||changeTime||targetDN||newRDN||newSuperior||deleteOldRDN||targetEntryUUID||changeInitiatorsName||changeLogCookie||includedAttributes")(version 3.0; acl "Authenticated users read access"; allow (read,search,compare) userdn="ldap:///all";)
Notice that these changes are made to the OpenDJ directory server configuration, and so are not replicated to other servers. You must instead apply the changes separately to each server.
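The exact-match requirement is where this procedure usually goes wrong: an ACI copied from a wrapped page carries stray spaces and no longer equals the stored value. As an added example that is not part of OpenDJ or of this guide, the Python script below does the matching for you. It takes the ds-cfg-global-aci values from an LDIF export of cn=Access Control Handler,cn=config (for example from ldapsearch; the LDIF here is a constructed sample with two values, the root DSE one abbreviated), picks the value by its acl name, derives the authenticated-users variant from the stored text, and prints the two dsconfig commands to run on each server. The host, port and credentials are the ones used throughout this section; the only assumption is that you export the entry to LDIF first.

```python
"""Swap the anonymous read global ACI for an authenticated-users one without retyping it.

Added example, not OpenDJ code. dsconfig --remove only succeeds when the value
matches the stored one exactly, so the stored value is read back from an LDIF
export of cn=Access Control Handler,cn=config and reused verbatim.
"""
import re
import shlex

# Constructed sample: LDIF of the handler entry with two global ACIs, folded the
# way LDIF folds long values (continuation lines start with one space). The
# second value is an abbreviated stand-in for the default root DSE ACI.
SAMPLE_LDIF = """\
dn: cn=Access Control Handler,cn=config
objectClass: top
objectClass: ds-cfg-access-control-handler
cn: Access Control Handler
ds-cfg-global-aci: (targetattr!="userPassword||authPassword||changes||changeNumber||
 changeType||changeTime||targetDN||newRDN||newSuperior||deleteOldRDN||targetEntryUUID||
 changeInitiatorsName||changeLogCookie||includedAttributes")(version 3.0; acl "Anony
 mous read access"; allow (read,search,compare) userdn="ldap:///anyone";)
ds-cfg-global-aci: (target="ldap:///")(targetscope="base")(targetattr="objectClass||
 namingContexts||supportedControl||supportedExtension")(version 3.0; acl "User-Vis
 ible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)
"""

ACL_NAME_RE = re.compile(r'acl\s+"([^"]*)"')


def ldif_values(ldif, attribute):
    """Values of one attribute from a single-entry LDIF, with folded lines rejoined."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]        # continuation line: drop its single leading space
        else:
            lines.append(raw)
    prefix = attribute.lower() + ": "
    return [line[len(prefix):] for line in lines if line.lower().startswith(prefix)]


def global_aci_named(ldif, acl_name):
    """The stored global ACI with this acl name, exactly as the server holds it."""
    for value in ldif_values(ldif, "ds-cfg-global-aci"):
        match = ACL_NAME_RE.search(value)
        if match and match.group(1) == acl_name:
            return value
    raise KeyError(f'no global ACI with acl "{acl_name}"')


def is_stored(ldif, candidate):
    """What --remove checks: string equality, so a retyped value with extra spaces fails."""
    return candidate in ldif_values(ldif, "ds-cfg-global-aci")


def authenticated_variant(anonymous_aci):
    """Same rights and excluded attributes, granted to bound users (ldap:///all) instead."""
    if anonymous_aci.count('userdn="ldap:///anyone"') != 1:
        raise ValueError("expected exactly one anonymous userdn bind rule")
    return (anonymous_aci
            .replace('acl "Anonymous read access"', 'acl "Authenticated users read access"')
            .replace('userdn="ldap:///anyone"', 'userdn="ldap:///all"'))


def dsconfig_argv(action, aci, host="opendj.example.com", port=4444):
    """argv for dsconfig set-access-control-handler-prop; action is "remove" or "add".
    Keeping the ACI as one argv element sidesteps the shell quoting issues noted above."""
    return ["dsconfig", "set-access-control-handler-prop",
            f"--{action}=global-aci:{aci}",
            f"--hostname={host}", f"--port={port}",
            "--bindDN=cn=Directory Manager", "--bindPassword=password",
            "--trustAll", "--no-prompt"]


if __name__ == "__main__":
    stored = global_aci_named(SAMPLE_LDIF, "Anonymous read access")
    retyped = stored.replace("||changeNumber", "|| changeNumber")  # one wrap space, as copied from a wrapped page
    print("retyped value matches stored:", is_stored(SAMPLE_LDIF, retyped))
    print("stored value matches stored: ", is_stored(SAMPLE_LDIF, stored))
    # Global ACIs live in the server configuration and are not replicated: run both on every server.
    print(shlex.join(dsconfig_argv("remove", stored)))
    print(shlex.join(dsconfig_argv("add", authenticated_variant(stored))))
```

Feed the script the LDIF of your own server rather than the sample, and run the printed commands against each replica in turn, since the configuration change is not replicated.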
Example 5.3. ACI: Full Access for Administrators
Directory administrators also need privileges, not only ACIs, for full access to administrative operations.
aci: (target="ldap:///dc=example,dc=com") (targetattr = "* || +")(version 3.0;acl "Admins can run amok"; allow( all, proxy, import, export) groupdn = "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)
Notice both targetattr = "* || +", which permits
access to both all user attributes and all operational attributes, and
allow(all, proxy, import, export), which permits not
only all user operations, but also proxy authorization as well as data
import and export operations.
Example 5.4. ACI: Change Own Password
By default this capability is set in a global ACI.
aci: (target ="ldap:///ou=People,dc=example,dc=com")(targetattr = "authPassword || userPassword")(version 3.0;acl "Allow users to change passwords"; allow (write)(userdn = "ldap:///self");)
Example 5.5. ACI: Manage Own Group Membership
For some static groups such as carpoolers and social club members, you might choose to let users manage their own memberships.
aci: (target ="ldap:///ou=Self Service,ou=Groups,dc=example,dc=com")( targetattr = "member")(version 3.0;acl "Self registration"; allow(selfwrite)( userdn = "ldap:///uid=*,ou=People,dc=example,dc=com");)
Example 5.6. ACI: Manage Self Service Groups
Let users create and delete self-managed groups.
aci: (target ="ldap:///ou=Self Service,ou=Groups,dc=example,dc=com")(targattrfilters="add=objectClass:(objectClass=groupOfNames)")(version 3.0; acl "All can create self service groups"; allow (add)(userdn="ldap:///uid=*,ou=People,dc=example,dc=com");)
aci: (target ="ldap:///ou=Self Service,ou=Groups,dc=example,dc=com")(version 3.0; acl "Owner can delete self service groups"; allow (delete)(userattr="owner#USERDN");)
Example 5.7. ACI: Permit Clear Text Access Over Loopback Only
This ACI uses IP address and Security Strength Factor subjects.
aci: (target = "ldap:///dc=example,dc=com")(targetattr = "*")(version 3.0;acl "Use loopback only for LDAP in the clear"; deny (all)( ip != "127.0.0.1" and ssf <= "1");)
The ssf is one, for example, when the connection uses SSL but no encrypting
cipher has been configured: the packets are checksummed for integrity
checking, but all content is nevertheless sent in clear text.
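To see which connections the bind rule in Example 5.7 actually catches, here is an added example that is not OpenDJ code: a Python evaluator for the ip and ssf bind-rule keywords joined by and/or (the only connectives the example needs), run against four constructed connections. The ssf values follow the convention just described: 0 when there is no security layer, 1 for integrity only, and the cipher key size once encryption is negotiated.

```python
"""Evaluate ip/ssf bind rules such as the one in Example 5.7 against sample connections.

Added example, not OpenDJ code. Only the ip and ssf keywords are implemented,
joined by and/or (and binds tighter; parentheses only around the whole rule).
ssf: 0 no security layer, 1 integrity only, otherwise the cipher key size.
"""
import ipaddress
import re
from fnmatch import fnmatch

# One comparison such as ip != "127.0.0.1" or ssf <= "1"
TERM_RE = re.compile(r'(ip|ssf)\s*(!=|<=|>=|=|<|>)\s*"([^"]*)"')

# Bind rule copied from Example 5.7 on this page.
LOOPBACK_RULE = '( ip != "127.0.0.1" and ssf <= "1")'


def ip_matches(client_ip, pattern):
    """ip keyword value: an address, a pattern with * wildcards, or a CIDR prefix."""
    if "/" in pattern:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    return fnmatch(client_ip, pattern)


def term_holds(keyword, op, value, conn):
    if keyword == "ip":
        if op not in ("=", "!="):
            raise ValueError("ip supports only = and !=")
        hit = ip_matches(conn["ip"], value)
        return hit if op == "=" else not hit
    # ssf compares numerically even though the ACI quotes the value.
    have, want = conn["ssf"], int(value)
    return {"=": have == want, "!=": have != want, "<": have < want,
            "<=": have <= want, ">": have > want, ">=": have >= want}[op]


def bind_rule_holds(rule, conn):
    """True when the bind rule matches the connection, so its permission applies."""
    text = rule.strip()
    if text.startswith("(") and text.endswith(")"):
        text = text[1:-1]
    for disjunct in re.split(r'\s+or\s+', text):
        terms = [TERM_RE.fullmatch(t.strip()) for t in re.split(r'\s+and\s+', disjunct)]
        if not all(terms):
            raise ValueError(f"unsupported bind rule fragment: {disjunct.strip()!r}")
        if all(term_holds(*m.groups(), conn) for m in terms):
            return True
    return False


def cleartext_denied(conn):
    """Whether Example 5.7's deny (all) applies: no encryption, and not from loopback."""
    return bind_rule_holds(LOOPBACK_RULE, conn)


# Constructed sample connections: description, client address, security strength factor.
CONNECTIONS = [
    ("LDAP over loopback, no TLS",          {"ip": "127.0.0.1",  "ssf": 0}),
    ("LDAP from the LAN, no TLS",           {"ip": "192.0.2.10", "ssf": 0}),
    ("LDAPS with an integrity-only cipher", {"ip": "192.0.2.10", "ssf": 1}),
    ("LDAPS with a 128-bit cipher",         {"ip": "192.0.2.10", "ssf": 128}),
]

if __name__ == "__main__":
    for description, conn in CONNECTIONS:
        verdict = "denied" if cleartext_denied(conn) else "not affected"
        print(f"{description:38} -> {verdict}")
```

The integrity-only case is the one worth noticing: the connection is "over SSL" from the client's point of view, yet it is denied exactly like plain LDAP from the LAN, which is what the ssf <= "1" test is for.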
[3] This does not apply to the directory root
user, such as cn=Directory Manager, who bypasses
ACIs.
