As introduced in Chapters 2 and 3, the LDAP ACLs have to be defined explicitly. The grammar of a slapd access directive is:
<access directive> ::= access to <what>
    [by <who> [<access>] [<control>] ]+
<what> ::= * |
    [dn[.<basic-style>]=<regex> | dn.<scope-style>=<DN>]
    [filter=<ldapfilter>] [attrs=<attrlist>]
<basic-style> ::= regex | exact
<scope-style> ::= base | one | subtree | children
<attrlist> ::= <attr> [val[.<basic-style>]=<regex>] | <attr> , <attrlist>
<attr> ::= <attrname> | entry | children
<who> ::= * | [anonymous | users | self
        | dn[.<basic-style>]=<regex> | dn.<scope-style>=<DN>]
    [dnattr=<attrname>]
    [group[/<objectclass>[/<attrname>][.<basic-style>]]=<regex>]
    [peername[.<basic-style>]=<regex>]
    [sockname[.<basic-style>]=<regex>]
    [domain[.<basic-style>]=<regex>]
    [sockurl[.<basic-style>]=<regex>]
    [set=<setspec>]
    [aci=<attrname>]
<access> ::= [self]{<level>|<priv>}
<level> ::= none | disclose | auth | compare | search | read | write | manage
<priv> ::= {=|+|-}{m|w|r|s|c|x|d|0}+
<control> ::= [stop | continue | break]

From: http://www.openldap.org/doc/admin24/access-control.html
An example (the // annotations are notes, not slapd.conf syntax; real slapd.conf comments start with #):
access to *
    by dn.base="cn=root,ou=SystemAdmin,dc=weiwejia,dc=org" manage   // dn.base: exact match on this one bind DN
    // i.e. only a client bound as cn=root,ou=SystemAdmin,dc=weiwejia,dc=org gets manage rights
    by dn.one="ou=SystemAdmin,dc=weiwejia,dc=org" write              // dn.one: bind DNs that are direct children of the OU (one level below), not the OU entry itself and not deeper entries
    by * auth                                                        // everyone else, including anonymous clients, may only authenticate

Three things to keep in mind when reading this:

- The by clauses are evaluated in order and the first one that matches wins (the default <control> is stop). cn=root is also a direct child of ou=SystemAdmin, but it gets manage from the first clause, never write from the second.
- Levels are cumulative: manage implies write, which implies read, search, compare, auth and disclose. auth is just enough for a client to bind with its password; it does not allow reading the entry.
- Because the last clause grants only auth, ordinary users and anonymous clients can bind but cannot read anything in the directory. Without any access directive slapd would default to read for everyone, so this directive is deliberately more restrictive than the default; if users are supposed to browse the tree, add a clause such as by users read before the final by * auth.

The dn.base / dn.one in these by clauses describe the bind DN (who is asking). To restrict access by where the target entry lives, use the dn.<scope-style> form on the access to <what> side instead.
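To make the matching rules concrete, the following is an added example, not code from the page or from OpenLDAP: a small Python model of the <who> side of a single `access to *` directive. It implements the dn.base / dn.one / dn.subtree / dn.children scope styles, the `*`, `anonymous`, `users` and `self` keywords, first-match-wins evaluation, and cumulative levels, then applies the directive above to a few bind DNs. It handles only the simple <level> form (no <priv>, no <control>, no regex or group specifiers), and its DN normalisation is a simplification that assumes no escaped commas or multi-valued RDNs. The entries cn=alice, ou=Temp, cn=tmp and cn=bob are hypothetical and exist only to exercise the clauses.

```python
import shlex
from dataclasses import dataclass
from typing import List, Tuple

# Access levels in increasing order; each level implies all the lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def normalize_dn(dn: str) -> Tuple[str, ...]:
    """Split a DN into its RDNs, lower-cased and stripped of whitespace.
    Simplification (assumption): no escaped commas or multi-valued RDNs."""
    if dn == "":
        return ()
    return tuple(rdn.strip().lower() for rdn in dn.split(","))


def dn_matches(bind_dn: str, style: str, target: str) -> bool:
    """The dn.<scope-style>=<DN> forms from the grammar, applied to a bind DN."""
    b, t = normalize_dn(bind_dn), normalize_dn(target)
    below = len(b) > len(t) and b[-len(t):] == t   # bind DN lies somewhere under target
    if style == "base":
        return b == t                                # exactly this entry
    if style == "one":
        return below and len(b) == len(t) + 1        # direct children only
    if style == "subtree":
        return b == t or below                       # the entry and everything under it
    if style == "children":
        return below                                 # everything under it, not the entry itself
    raise ValueError(f"unknown scope style: {style}")


@dataclass
class ByClause:
    who: str    # '*', 'anonymous', 'users', 'self' or 'dn.<style>=<DN>'
    level: str  # one of LEVELS

    def matches(self, bind_dn: str, entry_dn: str) -> bool:
        if self.who == "*":
            return True
        if self.who == "anonymous":
            return bind_dn == ""
        if self.who == "users":
            return bind_dn != ""
        if self.who == "self":
            return bind_dn != "" and normalize_dn(bind_dn) == normalize_dn(entry_dn)
        if self.who.startswith("dn."):
            spec, _, target = self.who.partition("=")
            return dn_matches(bind_dn, spec[len("dn."):], target)
        raise ValueError(f"unsupported <who>: {self.who}")


def parse_by_clauses(acl_text: str) -> List[ByClause]:
    """Parse the 'by <who> <level>' lines of one 'access to *' directive.
    Only the plain <level> form is handled, not <priv> or <control> (assumption)."""
    clauses = []
    for raw in acl_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment in slapd.conf
        if not line or line.startswith("access to"):
            continue
        parts = shlex.split(line)                # keeps a quoted DN together, drops the quotes
        if len(parts) != 3 or parts[0] != "by" or parts[2] not in LEVELS:
            raise ValueError(f"cannot parse clause: {line}")
        clauses.append(ByClause(parts[1], parts[2]))
    return clauses


def granted_level(clauses: List[ByClause], bind_dn: str, entry_dn: str) -> str:
    """First matching 'by' clause wins (the default <control> is 'stop');
    if no clause matches, access is 'none'."""
    for clause in clauses:
        if clause.matches(bind_dn, entry_dn):
            return clause.level
    return "none"


def allows(clauses: List[ByClause], bind_dn: str, entry_dn: str, needed: str) -> bool:
    """True if the granted level is at least 'needed' (levels are cumulative)."""
    return LEVELS.index(granted_level(clauses, bind_dn, entry_dn)) >= LEVELS.index(needed)


# Constructed copy of the directive discussed above.
EXAMPLE_ACL = """
access to *
    by dn.base="cn=root,ou=SystemAdmin,dc=weiwejia,dc=org" manage
    by dn.one="ou=SystemAdmin,dc=weiwejia,dc=org" write
    by * auth
"""
EXAMPLE_CLAUSES = parse_by_clauses(EXAMPLE_ACL)

BASE = "dc=weiwejia,dc=org"
ROOT = "cn=root,ou=SystemAdmin,dc=weiwejia,dc=org"
ADMIN = "cn=alice,ou=SystemAdmin,dc=weiwejia,dc=org"          # hypothetical direct child of the OU
NESTED = "cn=tmp,ou=Temp,ou=SystemAdmin,dc=weiwejia,dc=org"   # hypothetical grandchild of the OU
USER = "cn=bob,ou=People,dc=weiwejia,dc=org"                  # hypothetical ordinary user

if __name__ == "__main__":
    for who in (ROOT, ADMIN, NESTED, USER, ""):
        print(f"{who or '(anonymous)':58} -> {granted_level(EXAMPLE_CLAUSES, who, BASE)}")
```

Running it shows the points made above: cn=root matches both dn.base and dn.one but ends up with manage because the first clause stops evaluation; a grandchild such as cn=tmp,ou=Temp,ou=SystemAdmin,... is not covered by dn.one and falls through to auth (dn.subtree or dn.children would have caught it); and cn=bob can bind but `allows(..., "read")` is False for him.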