Name               Date         Size     #Lines  LOC
Makefile           03-May-2022  1.3 KiB  55      39
README.gssacl      25-Oct-2021  985      33      20
README.now         25-Oct-2021  1.4 KiB  66      41
README.posixgroup  25-Oct-2021  1.3 KiB  36      24
gssacl.c           25-Oct-2021  7.4 KiB  317     249
now.c              25-Oct-2021  4.7 KiB  235     166
posixgroup.c       25-Oct-2021  6.7 KiB  330     248

README.gssacl

This directory contains native slapd plugins that implement access rules.

gssacl.c contains a simple example that implements access control
based on GSS naming extensions attributes.

To use the acl-gssacl plugin, add:

moduleload acl-gssacl.so

to your slapd configuration file.
It is configured using

access to <what>
        by dynacl/gss/<attribute>.[.{base,regex,expand}]=<valpat> {<level>|<priv(s)>}

The default is "exact"; in case of "expand", "<valpat>" results from
the expansion of submatches in the "<what>" portion.  "<level>|<priv(s)>"
describe the level of privilege this rule can assume.

Use Makefile to compile this plugin or use a command line similar to:

gcc -shared -I../../../include -I../../../servers/slapd -Wall -g \
	-o acl-gssacl.so gssacl.c

---
Copyright 2011 PADL Software Pty Ltd. All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted only as authorized by the OpenLDAP
Public License.

README.now

# create a simple slapd.conf (e.g. by running test003)

# define the attributes (replace MyOID with a valid OID)

attributetype ( MyOID:1 NAME 'validityStarts'
        EQUALITY generalizedTimeMatch
        ORDERING generalizedTimeOrderingMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
attributetype ( MyOID:2 NAME 'validityEnds'
        EQUALITY generalizedTimeMatch
        ORDERING generalizedTimeOrderingMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

# load the module

moduleload "now_dynacl.so"

# and apply the following access rules

access to dn.exact="dc=example,dc=com"
        by * read

access to dn.children="dc=example,dc=com"
        by dynacl/now=">=validityStarts" read break

access to dn.children="dc=example,dc=com"
        by dynacl/now="<=validityEnds" read

# Then load the LDIF

dn: cn=Too Late,dc=example,dc=com
objectClass: device
objectClass: extensibleObject
cn: Too Late
validityStarts: 20000101000000Z
validityEnds: 20100101000000Z

dn: cn=Just in Time,dc=example,dc=com
objectClass: device
objectClass: extensibleObject
cn: Just in Time
validityStarts: 20100101000000Z
validityEnds: 20200101000000Z

dn: cn=Too Early,dc=example,dc=com
objectClass: device
objectClass: extensibleObject
cn: Too Early
validityStarts: 20200101000000Z
validityEnds: 20300101000000Z

# an anonymous ldapsearch should only find the entry

$ ldapsearch -x -H ldap://:9011 -b dc=example,dc=com -LLL 1.1
dn: cn=Just in Time,dc=example,dc=com
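
Added example (not part of README.now or of the OpenLDAP sources): a simplified Python model of how the two dn.children clauses above combine through "break", run over the README's three entries at several clock values. The helper names, the chosen "now" values, and the treatment of a missing attribute as a non-match are assumptions.

```python
# Simplified model of the two "access to dn.children" clauses in README.now.
# Not slapd code: dynacl_now(), visible() and search() are hypothetical helpers.
import operator

OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt, "<": operator.lt}

# (dynacl/now pattern, level, control); "stop" is slapd's default control.
CLAUSES = [
    (">=validityStarts", "read", "break"),
    ("<=validityEnds", "read", "stop"),
]

# The README's LDIF entries, reduced to their validity attributes.
ENTRIES = {
    "cn=Too Late,dc=example,dc=com":
        {"validityStarts": "20000101000000Z", "validityEnds": "20100101000000Z"},
    "cn=Just in Time,dc=example,dc=com":
        {"validityStarts": "20100101000000Z", "validityEnds": "20200101000000Z"},
    "cn=Too Early,dc=example,dc=com":
        {"validityStarts": "20200101000000Z", "validityEnds": "20300101000000Z"},
}

def dynacl_now(pattern, entry, now):
    """Evaluate `now <op> entry[attr]` for a pattern such as '>=validityStarts'."""
    op = pattern[:2] if pattern[:2] in OPS else pattern[:1]
    if op not in OPS:
        raise ValueError("unsupported pattern: " + pattern)
    value = entry.get(pattern[len(op):])
    # Assumption: a missing attribute never matches. Fixed-width
    # YYYYMMDDhhmmssZ values order correctly as plain strings.
    return value is not None and OPS[op](now, value)

def visible(entry, now):
    """Walk the clauses in order for one target entry (simplified)."""
    level = "none"
    for pattern, granted, control in CLAUSES:
        if not dynacl_now(pattern, entry, now):
            return False      # falls to the implicit "by * none", which stops
        level = granted
        if control != "break":
            break             # "stop": this clause's result is final
    return level == "read"

def search(now):
    """DNs an anonymous search would return when the server clock reads `now`."""
    return [dn for dn, entry in ENTRIES.items() if visible(entry, now)]

if __name__ == "__main__":
    for now in ("20050601000000Z", "20150601000000Z", "20250601000000Z"):
        print(now, search(now))
```

The README's expected ldapsearch output corresponds to a server clock inside the "Just in Time" window; with the same rules and a later clock, the model returns "Too Early" instead.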

README.posixgroup

This directory contains native slapd plugins that implement access rules.

posixgroup.c contains a simple example that implements access control
based on posixGroup membership, loosely inspired by ITS#3849.  It should
be made clear that this access control policy does not reflect any
standard track model of handling access control, and should be
essentially viewed as an illustration of the use of the dynamic
extension of access control within slapd.

To use the acl-posixgroup plugin, add:

moduleload acl-posixgroup.so

to your slapd configuration file; it requires "nis.schema" to be loaded.
It is configured using

access to <what>
	by dynacl/posixGroup[.{exact,expand}]=<dnpat> {<level>|<priv(s)>}

The default is "exact"; in case of "expand", "<dnpat>" results from
the expansion of submatches in the "<what>" portion.  "<level>|<priv(s)>"
describe the level of privilege this rule can assume.

Use Makefile to compile this plugin or use a command line similar to:

gcc -shared -I../../../include -I../../../servers/slapd -Wall -g \
	-o acl-posixgroup.so posixgroup.c

---
Copyright 2005-2021 The OpenLDAP Foundation. All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted only as authorized by the OpenLDAP
Public License.