Using access control

Access control of information in the LDAP server is specified by setting up Access Control Lists (ACLs). LDBM, TDBM, CDBM, or GDBM ACLs provide a means to protect information that is stored in an LDAP directory. Administrators use ACLs to restrict access to different portions of the directory, or specific directory entries. When using the LDBM, TDBM, CDBM, or GDBM backend, ACLs are created and managed by using the ldap_add and ldap_modify APIs. ACLs can also be entered by using the ldif2ds utility (TDBM only).

ACLs are represented by a set of attributes that appear to be part of the entry. The attributes that are associated with access control, such as entryOwner, ownerPropagate, aclEntry, and aclPropagate, are unusual in that they are logically associated with each entry, but can have values that depend upon other entries higher in the directory hierarchy. Depending upon how they are established, these attribute values can be explicit to an entry, or inherited from an ancestor entry.

Use of the LDAP server's SDBM backend allows a user to be authenticated to the directory namespace by using a RACF® ID and password. The RACF identity becomes associated with the RACF-style distinguished name that was used on the LDAP bind operation. It is then possible to set up ACLs for entries that are managed by the LDBM, TDBM, CDBM, or GDBM backend by using RACF-style user and group DNs. This controls access to LDBM, TDBM, CDBM, or GDBM database directory entries by using RACF user or group identities.
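The explicit-versus-inherited behaviour of aclEntry/aclPropagate and entryOwner/ownerPropagate described above, and the use of RACF-style DNs as ACL subjects, as an added illustration that is not the LDAP server's own code. It models a small in-memory directory tree; the tree contents, the aclEntry value syntax (access-id/group subject followed by attribute-class permissions) and the assumption that an absent propagate flag behaves as TRUE are assumptions made for the example, and DN parsing is deliberately naive (no escaped commas).

```python
# Constructed sample tree: DN -> attributes (each value is a list, as in LDIF).
# ACL value syntax and RACF-style DNs are assumed for illustration.
TREE = {
    "o=example": {
        "aclEntry": ["group:cn=Anybody:normal:rsc"],
        "aclPropagate": ["TRUE"],
        "entryOwner": ["access-id:racfid=ADMIN,profiletype=USER,cn=RACF"],
        "ownerPropagate": ["TRUE"],
    },
    # Explicit ACL that protects only this entry (aclPropagate FALSE).
    "ou=hr,o=example": {
        "aclEntry": ["access-id:racfid=HRUSER,profiletype=USER,cn=RACF:normal:rwsc"],
        "aclPropagate": ["FALSE"],
    },
    "cn=rec1,ou=hr,o=example": {},          # no ACL attributes of its own
    "ou=eng,o=example": {
        "aclEntry": ["group:racfid=DEVS,profiletype=GROUP,cn=RACF:normal:rsc"],
        "aclPropagate": ["TRUE"],
    },
    "cn=dev1,ou=eng,o=example": {},         # inherits from ou=eng
}

def parent_dn(dn):
    """Parent DN, or '' at the root. Naive split on the first comma."""
    parts = dn.split(",", 1)
    return parts[1] if len(parts) == 2 else ""

def effective(entries, dn, attr, propagate_attr):
    """Resolve attr (aclEntry or entryOwner) for dn.

    The entry's own explicit value always wins.  Otherwise walk up the
    ancestors: the nearest one that holds attr and whose propagate flag is
    TRUE supplies the inherited value; an ancestor whose flag is FALSE
    protects only itself and is skipped.  Returns (values, source_dn), or
    (None, None) when no ACL applies (the server's default would then be used).
    """
    entry = entries.get(dn, {})
    if attr in entry:
        return entry[attr], dn
    cur = parent_dn(dn)
    while cur:
        anc = entries.get(cur, {})
        # Assumption: a missing propagate flag is treated as TRUE.
        if attr in anc and anc.get(propagate_attr, ["TRUE"])[0].upper() == "TRUE":
            return anc[attr], cur
        cur = parent_dn(cur)
    return None, None

if __name__ == "__main__":
    for dn in TREE:
        vals, src = effective(TREE, dn, "aclEntry", "aclPropagate")
        print(f"{dn}: aclEntry from {src}: {vals}")
```

Note that cn=rec1,ou=hr,o=example inherits its aclEntry from o=example, not from its immediate parent, because ou=hr's ACL does not propagate, while the ownerPropagate chain is resolved independently of the aclPropagate chain.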

The LDAP server schema entry also has an ACL that can be set to control access to the schema entry.