Access to slapd entries and attributes is controlled by the olcAccess attribute, whose values are a sequence of access directives. The general form of the olcAccess configuration is:

        olcAccess: 
         ::= to 
                [by  [] [] ]+
         ::= * |
                [dn[.]= | dn.=]
                [filter=] [attrs=]
         ::= regex | exact
         ::= base | one | subtree | children
         ::=  [val[.]=] |  , 
         ::=  | entry | children
         ::= * | [anonymous | users | self
                        | dn[.]= | dn.=]
                [dnattr=]
                [group[/[/][.]]=]
                [peername[.]=]
                [sockname[.]=]
                [domain[.]=]
                [sockurl[.]=]
                [set=]
                [aci=]
         ::= [self]{|}
         ::= none | disclose | auth | compare | search | read | write | manage
         ::= {=|+|-}{m|w|r|s|c|x|d|0}+
         ::= [stop | continue | break]

where the part selects the entries and/or attributes to which the access applies, the part specifies which entities are granted access, and the part specifies the access granted. Multiple triplets are supported, allowing many entities to be granted different access to the same set of entries and attributes. Not all of these access control options are described here; for more details see the slapd.access(5) man page.

The part of an access specification determines the entries and attributes to which the access control applies. Entries are commonly selected in two ways: by DN and by filter. The following qualifiers select entries by DN:

        to *
        to dn[.]=
        to dn.=

The first form is used to select all entries. The second form may be used to select entries by matching a regular expression against the target entry's normalized DN. (The second form is not discussed further in this document.) The third form is used to select entries which are within the requested scope of DN. The is a string representation of the Distinguished Name, as described in .

The scope can be either base, one, subtree, or children. Where base matches only the entry with provided DN, one matches the entries whose parent is the provided DN, subtree matches all entries in the subtree whose root is the provided DN, and children matches all entries under the DN (but not the entry named by the DN).

For example, if the directory contained entries named:

        0: o=suffix
        1: cn=Manager,o=suffix
        2: ou=people,o=suffix
        3: uid=kdz,ou=people,o=suffix
        4: cn=addresses,uid=kdz,ou=people,o=suffix
        5: uid=hyc,ou=people,o=suffix

Then:

dn.base="ou=people,o=suffix" match 2;
dn.one="ou=people,o=suffix" match 3, and 5;
dn.subtree="ou=people,o=suffix" match 2, 3, 4, and 5; and
dn.children="ou=people,o=suffix" match 3, 4, and 5.

Entries may also be selected using a filter:

        to filter=

where is a string representation of an LDAP search filter, as described in . For example:

        to filter=(objectClass=person)

Note that entries may be selected by both DN and filter by including both qualifiers in the clause.

        to dn.one="ou=people,o=suffix" filter=(objectClass=person)

Attributes within an entry are selected by including a comma-separated list of attribute names in the selector:

        attrs=

A specific value of an attribute is selected by using a single attribute name and also using a value selector:

        attrs= val[.