LDAPI and Access Control

Overview

Access control should be LDAPI aware, and have the ability to accept or reject operations that come through an LDAPI connection.

Use Cases

Situations where one might want to protect sensitive data, and only allow connections that come from the server machine over LDAPI.

Design

LDAPI support was added by extending the “authmethod” keyword. “authmethod” controls access by the connection protocol (Simple, SSL, SASL, etc.). You can now specify “ldapi” as an authentication method, so that a rule only matches clients connected over the LDAPI (UNIX domain socket) listener.

(targetattr = "*") (version 3.0;acl "LDAPI ACI";allow (all)
(userdn = "ldap:///anyone" and authmethod = "ldapi" );)

Since LDAPI connections do not have an IP address or hostname, be very careful when adding “ip” and “dns” rules. If you combine an “ip” rule with authmethod = "ldapi" using “and”, the “ip” part can never match an LDAPI connection, so the ACI will always reject access; use “or” instead, as in the following example.

(targetattr = "*") (version 3.0;acl "LDAPI ACI";allow (all)
(userdn = "ldap:///anyone" and authmethod = "ldapi" or ip = "" );)

Implementation

No additional requirements.

Feature Management

Console

Right click on the suffix/branch you want to add the ACI to -> “Set access permissions”, then choose “Edit visually” to set the authmethod.

CLI

Use ldapmodify to add the ACI.
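Added example (not part of the original design page): a POSIX shell script that builds the LDIF for the LDAPI ACI from the Design section, using the “or” form of the ip rule described there, and applies it with ldapmodify over the LDAPI socket as the CLI section suggests. The suffix, the socket path and the IP are constructed values; the socket URL assumes the instance's nsslapd-ldapifilepath and that nsslapd-ldapiautobind is enabled so that root binds as Directory Manager.

```shell
#!/bin/sh
# Emit an LDIF that adds an LDAPI-only ACI to a suffix.
#   $1 = suffix DN (constructed example: dc=example,dc=com)
#   $2 = IP that may ALSO be granted access (constructed default: 127.0.0.1)
# The bind rule joins the ip rule with "or": with "and" the ip rule could
# never match an LDAPI connection (no peer address) and access would always
# be denied, which is the pitfall the design note warns about.
ldapi_aci_ldif() {
  suffix="$1"
  ip="${2:-127.0.0.1}"
  cat <<EOF
dn: $suffix
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "LDAPI ACI"; allow (all)
 (userdn = "ldap:///anyone" and authmethod = "ldapi" or ip = "$ip");)
EOF
}

# Apply the ACI over the LDAPI socket itself.  The %2F-escaped socket path is
# an assumption; read nsslapd-ldapifilepath from cn=config for the real one.
# -Y EXTERNAL relies on nsslapd-ldapiautobind mapping root to Directory Manager;
# otherwise replace it with -D "cn=Directory Manager" -W.
apply_ldapi_aci() {
  socket_url="${LDAPI_URL:-ldapi://%2Fvar%2Frun%2Fslapd-localhost.socket}"
  ldapi_aci_ldif "$1" "$2" | ldapmodify -H "$socket_url" -Y EXTERNAL
}

# Read back the aci attribute so the new rule can be reviewed after the change.
show_acis() {
  socket_url="${LDAPI_URL:-ldapi://%2Fvar%2Frun%2Fslapd-localhost.socket}"
  ldapsearch -LLL -H "$socket_url" -Y EXTERNAL -b "$1" -s base aci
}

# Usage: sh ldapi_aci.sh apply "dc=example,dc=com" 127.0.0.1
if [ "${1:-}" = "apply" ]; then
  apply_ldapi_aci "$2" "$3" && show_acis "$2"
fi
```

Run with `apply` to modify the suffix; without arguments the script only defines the functions, so `ldapi_aci_ldif` can be used to preview the LDIF first.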

Major configuration options and enablement

No configuration options.

Replication

No impact.

Updates and Upgrades

No impact.

Dependencies

No dependencies.

External Impact

No impact.

RFE Author

Mark Reynolds mreynolds@redhat.com

Last modified on 7 August 2014