For example, if the directory contained entries named:
0: o=suffix
1: cn=Manager,o=suffix
2: ou=people,o=suffix
3: uid=kdz,ou=people,o=suffix
4: cn=addresses,uid=kdz,ou=people,o=suffix
5: uid=hyc,ou=people,o=suffix
Then:
dn.base="ou=people,o=suffix" matches 2;
dn.one="ou=people,o=suffix" matches 3 and 5;
dn.subtree="ou=people,o=suffix" matches 2, 3, 4, and 5; and
dn.children="ou=people,o=suffix" matches 3, 4, and 5.
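The four scope styles can be modelled by comparing whole RDN components rather than raw string suffixes, which is what keeps an access rule from covering look-alike branches. The sketch below is an added example, not OpenLDAP code: the function names are hypothetical, and lowercasing plus whitespace trimming is an assumed stand-in for slapd's schema-aware DN normalization.

```python
# Added example: simplified model of dn.<scope> selection (not slapd's implementation).
ENTRIES = [  # the six entries listed above, indexed 0..5
    "o=suffix",
    "cn=Manager,o=suffix",
    "ou=people,o=suffix",
    "uid=kdz,ou=people,o=suffix",
    "cn=addresses,uid=kdz,ou=people,o=suffix",
    "uid=hyc,ou=people,o=suffix",
]

def split_rdns(dn):
    """Split a DN into RDNs, keeping backslash-escaped commas inside a value."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    # Assumption: case-insensitive comparison after trimming whitespace.
    return [r.strip().lower() for r in rdns]

def depth_below(entry_dn, base_dn):
    """Number of RDNs entry_dn sits below base_dn, or None if it is outside it."""
    e, b = split_rdns(entry_dn), split_rdns(base_dn)
    if len(e) < len(b) or e[len(e) - len(b):] != b:
        return None
    return len(e) - len(b)

SCOPES = {
    "base": lambda d: d == 0,      # the entry itself
    "one": lambda d: d == 1,       # direct children only
    "subtree": lambda d: d >= 0,   # the entry and all descendants
    "children": lambda d: d >= 1,  # all descendants, not the entry
}

def match(scope, base_dn, entries=ENTRIES):
    """Indexes of the entries selected by dn.<scope>="<base_dn>"."""
    hits = []
    for i, dn in enumerate(entries):
        d = depth_below(dn, base_dn)
        if d is not None and SCOPES[scope](d):
            hits.append(i)
    return hits
```

Comparing component by component means a DN such as cn=x,sou=people,o=suffix (constructed) falls outside ou=people,o=suffix, where a plain string-suffix test would wrongly include it.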
Entries may also be selected using a filter:
to filter=
where
to filter=(objectClass=person)
Note that entries may be selected by both DN and filter by including both qualifiers in the
to dn.one="ou=people,o=suffix" filter=(objectClass=person)
7.2.2. Who to grant access to
The
Table 6.3: Access Entity Specifiers
Specifier | Entities
* | All, including anonymous and authenticated users
anonymous | Anonymous (non-authenticated) users
users | Authenticated users
self | User associated with target entry
dn[. | Users matching a regular expression
dn. | Users within scope of a DN
The DN specifier behaves much like
7.2.3. The access to grant
The kind of
Table 6.4: Access Levels
Level | Privileges | Description
none | =0 | no access
disclose | =d | needed for information disclosure on error
auth | =dx | needed to authenticate (bind)
compare | =cdx | needed to compare
search | =scdx | needed to apply search filters
read | =rscdx | needed to read search results
write | =wrscdx | needed to modify/rename
manage | =mwrscdx | needed to manage
Each level implies all lower levels of access. So, for example, granting someone write access to an entry also grants them read, search, compare, auth and disclose access. However, one may use the privileges specifier to grant specific permissions.