Access control attributes

Access to LDAP directory entries and attributes is defined by Access Control Lists (ACLs). Each entry in the directory contains a special set of attributes that describe who is allowed to access information within that entry. Table 1 shows the set of attributes that are related to access control. More in-depth information about each attribute is given following the table.

Access control settings can also be specified for individual attribute types; this is called attribute-level access control. It is also possible to explicitly deny access to information rather than only grant it.

Table 1. ACL and entry owner attributes

ACL attributes

aclEntry
  A multi-valued attribute that holds the user or group distinguished names, or search filters, together with the permissions granted to them, for the subjects that may access information in the directory entry (or in the entry and the subtree of information below it, depending on the setting of the aclPropagate attribute).

aclPropagate
  A single-valued boolean attribute that indicates whether the aclEntry information applies only to the directory entry it is defined on, or to the entire subtree of information including and below that entry. Propagation does not apply to an entry that has its own explicit aclEntry, and it stops at the next propagating ACL (aclPropagate=TRUE) that is encountered in the directory subtree.

aclSource
  A single-valued attribute that is managed by the LDAP server and cannot be changed by the ldapmodify utility. It is available on every directory entry and holds the distinguished name of the entry whose ACL applies to this entry. It is therefore the attribute to inspect when determining which propagating ACL controls access to information in the entry.

Entry owner attributes

entryOwner
  A multi-valued attribute that holds the user or group distinguished names, or search filters, identifying the subjects that are considered owners of the directory entry (or of the entry and the subtree of information below it, depending on the setting of the ownerPropagate attribute).

ownerPropagate
  A single-valued boolean attribute that indicates whether the entryOwner information applies only to the directory entry it is defined on, or to the entire subtree of information including and below that entry. Propagation does not apply to an entry that has its own explicit entryOwner, and it stops at the next propagating entryOwner (ownerPropagate=TRUE) that is encountered in the directory subtree.

ownerSource
  A single-valued attribute that is managed by the LDAP server and cannot be changed by the ldapmodify utility. It holds the distinguished name of the entry whose entryOwner applies to this entry. It is therefore the attribute to inspect when determining which propagating entryOwner controls ownership of information in the entry.
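The propagation rules for aclEntry/aclPropagate and entryOwner/ownerPropagate are easy to misread, so the following added example (not code from the original documentation or from the directory server) models them: it reads a small constructed LDIF subtree and computes, for every entry, the value the server would expose as aclSource and ownerSource. The aclEntry and entryOwner values in the sample are illustrative placeholders; only the presence of the attributes and the propagate flags drive the resolution. Two points are assumptions rather than statements from the page: a missing propagate flag is treated as TRUE, and an entry governed by no ACL at all is reported as "default".

```python
"""Resolve the effective aclSource / ownerSource of each entry in a directory
subtree from its aclEntry/aclPropagate and entryOwner/ownerPropagate attributes.
Added worked example; not code from the original documentation or the server."""

from typing import Dict, List, Optional

# Constructed sample LDIF (not from the documentation). The aclEntry and
# entryOwner values are illustrative; the resolver only cares which entries
# define them and how their propagate flags are set.
SAMPLE_LDIF = """\
dn: o=example
objectClass: organization
aclEntry: group:cn=Directory Admins,o=example:normal:rwsc
aclPropagate: TRUE
entryOwner: access-id:cn=admin,o=example
ownerPropagate: TRUE

dn: ou=people,o=example
objectClass: organizationalUnit

dn: cn=alice,ou=people,o=example
objectClass: person
aclEntry: access-id:cn=alice,ou=people,o=example:normal:rsc
aclPropagate: FALSE

dn: ou=finance,o=example
objectClass: organizationalUnit
aclEntry: group:cn=Finance Admins,o=example:normal:rwsc
aclPropagate: TRUE
entryOwner: access-id:cn=finance-owner,o=example
ownerPropagate: FALSE

dn: cn=ledger,ou=finance,o=example
objectClass: document
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Minimal LDIF reader: blank-line separated entries of 'attr: value' lines.
    No line folding, base64 ('::') values or comments; enough for the sample.
    Attribute names are lower-cased because LDAP attribute names are
    case-insensitive."""
    entries: Dict[str, Entry] = {}
    for block in text.strip().split("\n\n"):
        attrs: Entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        dn = attrs.pop("dn")[0]
        entries[dn] = attrs
    return entries


def parent_dn(dn: str) -> Optional[str]:
    """Strip the leftmost RDN. Splits on the first comma, so RFC 4514 escaped
    commas are not handled; adequate for the constructed sample."""
    _, sep, rest = dn.partition(",")
    return rest if sep else None


def resolve_source(entries: Dict[str, Entry], dn: str,
                   attr: str, propagate_attr: str) -> str:
    """Return the DN whose `attr` (aclentry or entryowner) governs `dn`.

    Rules taken from the attribute descriptions: an explicit value on the
    entry itself always applies, whatever its propagate flag says; otherwise
    walk up the tree and use the nearest ancestor whose value is propagating,
    skipping ancestors whose value is non-propagating. A missing propagate
    flag is treated as TRUE (assumed default). If nothing governs the entry,
    "default" is returned (assumed label for the server default)."""
    node: Optional[str] = dn
    is_self = True
    while node is not None:
        attrs = entries.get(node, {})
        if attr in attrs:
            flag = attrs.get(propagate_attr, ["TRUE"])[0].upper()
            if is_self or flag == "TRUE":
                return node
        is_self = False
        node = parent_dn(node)
    return "default"


def effective_sources(ldif: str = SAMPLE_LDIF) -> Dict[str, Dict[str, str]]:
    """Compute the aclSource and ownerSource the server would report per entry."""
    entries = parse_ldif(ldif)
    return {
        dn: {
            "aclSource": resolve_source(entries, dn, "aclentry", "aclpropagate"),
            "ownerSource": resolve_source(entries, dn, "entryowner", "ownerpropagate"),
        }
        for dn in entries
    }


if __name__ == "__main__":
    for dn, src in effective_sources().items():
        print(f"{dn}\n  aclSource:   {src['aclSource']}\n  ownerSource: {src['ownerSource']}")
```

Two entries in the sample show the rules that trip people up. cn=alice carries a non-propagating aclEntry, so its aclSource is itself while its ownerSource still comes from o=example, because the entry owner information is resolved independently of the ACL. cn=ledger sits under ou=finance, whose entryOwner is non-propagating (ownerPropagate=FALSE): that owner applies to ou=finance only, so the ledger's ownerSource skips it and resolves to o=example, while its aclSource is ou=finance because that entry's aclPropagate is TRUE. Comparing this model's output with the server's actual aclSource/ownerSource values is a cheap check that an ACL change has landed where you intended.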