AclEntry and ibm-filterAclEntry

Subject

A subject (the entity requesting access to operate on an object) consists of the combination of a DN (Distinguished Name) type and a DN. The valid DN types are: access-id, Group and Role.

The DN identifies a particular access-id, role or group. For example, a subject might be access-id: cn=personA, o=IBM or group: cn=deptXYZ, o=IBM.

Because the field delimiter is the colon ( : ), a DN containing colons must be surrounded by double-quotation marks ( "" ). If a DN already contains characters with double-quotation marks, these characters must be escaped with a backslash (\).

All directory groups can be used in access control.

Note:
Any group of AccessGroup, GroupOfNames, GroupofUniqueNames, or groupOfURLs structural objectclasses or the ibm-dynamicGroup, ibm-staticGroup auxiliary objectclasses can be used for access control.

Another DN type used within the access control model is role. While roles and groups are similar in implementation, conceptually they are different. When a user is assigned to a role, there is an implicit expectation that the necessary authority has already been set up to perform the job associated with that role. With group membership, there is no built in assumption about what permissions are gained (or denied) by being a member of that group.

Roles are similar to groups in that they are represented in the directory by an object. Additionally, roles contain a group of DNs. Roles that are used in access control must have an objectclass of AccessRole.

Pseudo DN

The LDAP directory contains several pseudo DNs. These are used to refer to large numbers of DNs which at bind time share a common characteristic, in relation to either the operation being performed, or the target object on which the operation is being performed.

Currently, three pseudo DNs are defined:

group:cn=anybody
Refers to all subjects, including those that are unauthenticated. All users belong to this group automatically.
group:cn=authenticated
Refers to any DN which has been authenticated to the directory. The method of authentication is not considered.
access-id:cn=this
Refers to the bind Dn which matches the target object's DN on which the operation is performed.
Object filter

This parameter applies to filtered ACLs only. The string search filter as defined in RFC 2254, is used as the object filter format. Because the target object is already known, the string is not used to perform an actual search. Instead, a filter-based compare on the target object in question is performed to determine if a given set of ibm-filterAclEntry values apply to it.

Rights

Access rights can apply to an entire object or to attributes of the object. The LDAP access rights are discrete. One right does not imply another right. The rights can be combined together to provide the desired rights list following a set of rules discussed later. Rights can be of an unspecified value, which indicates that no access rights are granted to the subject on the target object. The rights consist of three parts:

Action:
Defined values are grant or deny. If this field is not present, the default is set to grant.
Permission:
There are six basic operations that can be performed on a directory object. From these operations, the base set of ACI permissions are taken. These are: add an entry, delete an entry, read an attribute value, write an attribute value, search for an attribute, and compare an attribute value.

The possible attribute permissions are: read ( r ), write ( w ), search ( s ), and compare ( c ). Additionally, object permissions apply to the entry as a whole. These permissions are add child entries ( a ) and delete this entry ( d ).

The following table summarizes the permissions needed to perform each of the LDAP operations.

Operation Permission Needed
ldapadd add (on parent)
ldapdelete delete (on object)
ldapmodify write (on attributes being modified)
ldapsearch
  • search, read (on attributes in RDN)
  • search (on attributes specified in the search filter)
  • search (on attributes returned with just names)
  • search, read (on attributes returned with values)
ldapmodrdn write (on RDN attributes)
ldapcompare compare (on compared attribute)
Note:
For search operations, the subject is required to have search access to all the attributes in the search filter or no entries are returned. For returned entries from a search, the subject is required to have search and read access to all the attributes in the RDN of the returned entries or these entries are not returned.
Access Target:
These permissions can be applied to the entire object (add child entry, delete entry), to an individual attribute within the entry, or can be applied to groups of attributes (Attribute Access Classes) as described in the following.

Attributes requiring similar permissions for access are grouped together in classes. Attributes are mapped to their attribute classes in the directory schema file. These classes are discrete; access to one class does not imply access to another class. Permissions are set with regard to the attribute access class as a whole. The permissions set on a particular attribute class apply to all attributes within that access class unless the individual attribute access permissions are specified.

IBM defines three attribute classes that are used in evaluation of access to user attributes: normal, sensitive, and critical. For example, attribute commonName falls into the normal class, and attribute userpassword belongs to the critical class. User defined attributes belong to the normal access class unless otherwise specified.

Two other access classes are also defined: system and restricted. The system class attributes are:

These are attributes maintained by the LDAP server and are read-only to the directory users. OwnerSource and aclSource are described in the Propagation section (seePropagation).

The restricted class of attributes that define the access control are:

All users have read access to the restricted attributes but only entryOwners can create, change, and delete these attributes.

Note:
The attribute, ibm-effectiveAcl, is read-only.