OpenLDAP provides a super powerful ACL syntax that lets you control access to every nook and cranny of your directory server. When I'm testing advanced ACL configurations, I have found it incredibly useful to add the "ACL" log option to the loglevel directive in slapd.conf:
loglevel ACL
When this option is set, slapd logs every ACL evaluation: which entry and attribute were requested, which access clauses were checked, which numbered clause finally applied, and whether the operation was granted or denied and by what privilege mask:
Dec 4 09:01:00 rocco slapd[6026]: => acl_mask: access to entry "ou=users,dc=prefetch,dc=net", attr "entry" requested
Dec 4 09:01:00 rocco slapd[6026]: => acl_mask: to all values by "", (=0)
Dec 4 09:01:00 rocco slapd[6026]: <= check a_dn_pat: users
Dec 4 09:01:00 rocco slapd[6026]: <= check a_peername_path: 1.2.3.4
Dec 4 09:01:00 rocco slapd[6026]: <= acl_mask: [2] applying read(=rscxd) (stop)
Dec 4 09:01:00 rocco slapd[6026]: <= acl_mask: [2] mask: read(=rscxd)
Dec 4 09:01:00 rocco slapd[6026]: => slap_access_allowed: search access granted by read(=rscxd)
Dec 4 09:01:00 rocco slapd[6026]: => access_allowed: search access granted by read(=rscxd)
Dec 4 09:01:00 rocco slapd[6026]: => access_allowed: search access to "cn=matty,ou=users,dc=prefetch,dc=net" "uid" requested
This is super handy and will save you tons of time and heartburn when crafting complex ACLs.
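On a busy server the ACL trace gets long fast, so it helps to fold each check back into one line. The script below is an added example (not from the original post): it groups the trace into one record per access check, keyed on the numbered clause that matched and the final verdict. The sample log is constructed to mirror the lines above; the second check, a denied write, is made up for illustration.

```python
import re

# Constructed sample, modelled on the slapd "loglevel ACL" trace quoted in the post.
# The second check (a write that gets denied) is made up for illustration.
SAMPLE_LOG = """\
Dec 4 09:01:00 rocco slapd[6026]: => acl_mask: access to entry "ou=users,dc=prefetch,dc=net", attr "entry" requested
Dec 4 09:01:00 rocco slapd[6026]: => acl_mask: to all values by "", (=0)
Dec 4 09:01:00 rocco slapd[6026]: <= check a_dn_pat: users
Dec 4 09:01:00 rocco slapd[6026]: <= check a_peername_path: 1.2.3.4
Dec 4 09:01:00 rocco slapd[6026]: <= acl_mask: [2] applying read(=rscxd) (stop)
Dec 4 09:01:00 rocco slapd[6026]: <= acl_mask: [2] mask: read(=rscxd)
Dec 4 09:01:00 rocco slapd[6026]: => slap_access_allowed: search access granted by read(=rscxd)
Dec 4 09:01:00 rocco slapd[6026]: => access_allowed: search access granted by read(=rscxd)
Dec 4 09:01:05 rocco slapd[6026]: => acl_mask: access to entry "cn=matty,ou=users,dc=prefetch,dc=net", attr "userPassword" requested
Dec 4 09:01:05 rocco slapd[6026]: => acl_mask: to all values by "", (=0)
Dec 4 09:01:05 rocco slapd[6026]: <= check a_dn_pat: users
Dec 4 09:01:05 rocco slapd[6026]: <= acl_mask: [2] applying auth(=xd) (stop)
Dec 4 09:01:05 rocco slapd[6026]: <= acl_mask: [2] mask: auth(=xd)
Dec 4 09:01:05 rocco slapd[6026]: => slap_access_allowed: write access denied by auth(=xd)
Dec 4 09:01:05 rocco slapd[6026]: => access_allowed: write access denied by auth(=xd)
"""

REQUEST = re.compile(r'=> acl_mask: access to entry "(?P<dn>[^"]+)", attr "(?P<attr>[^"]+)" requested')
SUBJECT = re.compile(r'=> acl_mask: to .+? by "(?P<who>[^"]*)"')
APPLIED = re.compile(r'<= acl_mask: \[(?P<clause>\d+)\] applying (?P<priv>\S+) \((?P<control>\w+)\)')
DECISION = re.compile(r'=> access_allowed: (?P<op>\w+) access (?P<result>granted|denied) by (?P<mask>\S+)')

def parse_acl_trace(text):
    """One record per access check: entry/attribute checked, who asked (an empty
    bind DN is anonymous), which numbered ACL clause matched, and the verdict."""
    checks, current = [], None
    for line in text.splitlines():
        if m := REQUEST.search(line):          # a new check starts here
            current = {"dn": m["dn"], "attr": m["attr"], "who": None, "clause": None}
        elif current is None:                   # noise outside any check
            continue
        elif m := SUBJECT.search(line):
            current["who"] = m["who"] or "anonymous"
        elif m := APPLIED.search(line):         # the clause that won, and its control (stop/break/continue)
            current.update(clause=int(m["clause"]), priv=m["priv"], control=m["control"])
        elif m := DECISION.search(line):        # final verdict closes the record
            current.update(op=m["op"], result=m["result"], mask=m["mask"])
            checks.append(current)
            current = None
    return checks

if __name__ == "__main__":
    for c in parse_acl_trace(SAMPLE_LOG):
        print(f'{c["result"]} {c["op"]} by {c["who"]} via clause [{c["clause"]}] {c["priv"]} on {c["dn"]} {c["attr"]}')
```

The clause index in square brackets counts the access directives in slapd.conf in order, so a denied record points you straight at the rule that needs attention.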