Access control lists

Access control lists (ACLs) provide a means to protect information stored in a LDAP directory. Administrators use ACLs to restrict access to different portions of the directory, or specific directory entries. Changes to each entry and attribute in the directory can be controlled by using ACLs. An ACL for a given entry or attribute can be inherited from its parent entry or can be explicitly defined.

It is best to design your access control strategy by creating groups of users that you will use when setting the access for objects and attributes. Set ownership and access at the highest level in the tree possible and let the controls inherit down the tree.

The operational attributes associated with access control, such as entryOwner, ownerSource, ownerPropagate, aclEntry, aclSource and aclPropagate are unusual in that they are logically associated with each object, but can have values that depend on other objects higher in the tree. Depending on how they are established, these attribute values can be explicit to an object or inherited from an ancestor.

The access control model defines two sets of attributes: the Access Control Information (ACI) and the entryOwner information. The ACI defines the access rights given to a specified subject with respect to the operations they can perform on the objects to which they apply. The aclEntry and aclPropagate attributes apply to the ACI definition. The entryOwner information defines which subjects can define the ACI for the associated entry object. The entryOwner and ownerPropagate attributes apply to the entryOwner definition.

There are two kinds of access control lists that you can choose from: filter-based ACLs and non-filtered ACLs. Non-filtered ACLs apply explicitly to the directory entry that contains them, but can be propagated to none, or all of its descendant entries. Filter-based ACLs differ in that they employ a filter-based comparison, using a specified object filter, to match target objects with the effective access that applies to them.

Using ACLs, administrators can restrict access to different portions of the directory, specific directory entries and, based on the attribute name or attribute access class, the attributes contained in the entries. Each entry within the LDAP directory has a set of associated ACI. In conformance with the LDAP model, the ACI and entryOwner information is represented as attribute-value pairs. Furthermore, the LDIF syntax is used to administer these values. The attributes are:

For information about how to work with ACLs, see Manage access control lists (ACLs). For additional information, see the following: