The ABNF syntax for LDAP ACIItem is as follows:
ACIItem = "{" sp aci-identificationTag
              sep sp aci-precedence
              sep sp aci-authenticationLevel
              sep sp aci-itemOrUserFirst sp "}"
aci-identificationTag = id-identificationTag msp DirectoryString
aci-precedence = id-precedence msp Precedence
aci-authenticationLevel = id-authenticationLevel msp AuthenticationLevel
aci-itemOrUserFirst = id-itemOrUserFirst msp ItemOrUserFirst
ItemOrUserFirst = aci-itemFirst / aci-userFirst
aci-itemFirst = id-itemFirst ":" ItemFirst
aci-userFirst = id-userFirst ":" UserFirst
ItemFirst = "{" sp aci-protectedItems
                sep sp aci-itemPermissions sp "}"
UserFirst = "{" sp aci-userClasses
                sep sp aci-userPermissions sp "}"
aci-protectedItems = id-protectedItems msp ProtectedItems
aci-itemPermissions = id-itemPermissions msp ItemPermissions
aci-userClasses = id-userClasses msp UserClasses
aci-userPermissions = id-userPermissions msp UserPermissions
ProtectedItems = "{" [ sp aci-entry ]
                     [ sep sp aci-allUserAttributeTypes ]
                     [ sep sp aci-attributeType ]
                     [ sep sp aci-allAttributeValues ]
                     [ sep sp aci-allUserAttributeTypesAndValues ]
                     [ sep sp aci-attributeValue ]
                     [ sep sp aci-selfValue ]
                     [ sep sp aci-rangeOfValues ]
                     [ sep sp aci-maxValueCount ]
                     [ sep sp aci-maxImmSub ]
                     [ sep sp aci-restrictedBy ]
                     [ sep sp aci-classes ] sp "}"
ItemPermissions = "{" [ sp ItemPermission
                      *( sep sp ItemPermission ) ] sp "}"
ItemPermission = "{" [ sp aci-precedence ]
                     sep sp aci-userClasses
                     sep sp aci-grantsAndDenials sp "}"
UserClasses = "{" [ sp aci-allUsers ]
                  [ sep sp aci-thisEntry ]
                  [ sep sp aci-name ]
                  [ sep sp aci-userGroup ]
                  [ sep sp aci-subtree ] sp "}"
UserPermissions = "{" [ sp UserPermission
                      *( sep sp UserPermission ) ] sp "}"
UserPermission = "{" [ sp aci-precedence ]
                     sep sp aci-protectedItems
                     sep sp aci-grantsAndDenials sp "}"
aci-entry = id-entry
aci-allUserAttributeTypes = id-allUserAttributeTypes
aci-attributeType = id-attributeType msp AttributeTypes
aci-allAttributeValues = id-allAttributeValues msp AttributeTypes
aci-allUserAttributeTypesAndValues = id-allUserAttributeTypesAndValues
aci-attributeValue = id-attributeValue msp AttributeTypeAndValues
aci-selfValue = id-selfValue msp AttributeTypes
aci-rangeOfValues = id-rangeOfValues msp Filter
aci-maxValueCount = id-maxValueCount msp MaxValueCount
aci-maxImmSub = id-maxImmSub msp INTEGER
aci-restrictedBy = id-restrictedBy msp RestrictedBy
aci-classes = id-classes msp Refinement
aci-grantsAndDenials = id-grantsAndDenials msp GrantsAndDenials
aci-allUsers = id-allUsers
aci-thisEntry = id-thisEntry
aci-name = id-name msp DistinguishedNames
aci-userGroup = id-userGroup msp DistinguishedNames
aci-subtree = id-subtree msp SubtreeSpecifications
AttributeTypes = "{" sp AttributeType
                     *( sep sp AttributeType ) sp "}"
AttributeTypeAndValues = "{" sp AttributeTypeAndValue
                             *( sep sp AttributeTypeAndValue ) sp "}"
MaxValueCount = "{" sp AttributeType
                    sep sp INTEGER sp "}"
RestrictedBy = "{" sp RestrictedValue
                   *( sep sp RestrictedValue ) sp "}"
GrantsAndDenials = "{" [ sp GrantAndDenialsBit
                       *( sep sp GrantAndDenialsBit ) ] sp "}"
; WARNING: There SHALL NOT be any duplicates
DistinguishedNames = "{" sp DistinguishedName
                         *( sep sp DistinguishedName ) sp "}"
SubtreeSpecifications = "{" sp SubtreeSpecification
                            *( sep sp SubtreeSpecification ) sp "}"
RestrictedValue = "{" sp aci-type
                      sep sp aci-valuesIn "}"
aci-type = id-type msp AttributeType
aci-valuesIn = id-valuesIn msp AttributeType
Precedence = INTEGER(1..255) ; FIXME: How shall we show this ?
AuthenticationLevel = id-none / id-simple / id-strong
GrantAndDenialsBit = id-grantAdd
                   / id-denyAdd
                   / id-grantDiscloseOnError
                   / id-denyDiscloseOnError
                   / id-grantRead
                   / id-denyRead
                   / id-grantRemove
                   / id-denyRemove
                   / id-grantBrowse
                   / id-denyBrowse
                   / id-grantExport
                   / id-denyExport
                   / id-grantImport
                   / id-denyImport
                   / id-grantModify
                   / id-denyModify
                   / id-grantRename
                   / id-denyRename
                   / id-grantReturnDN
                   / id-denyReturnDN
                   / id-grantCompare
                   / id-denyCompare
                   / id-grantFilterMatch
                   / id-denyFilterMatch
                   / id-grantInvoke
                   / id-denyInvoke
;MYRULE
;id-X = "X"
The Apache Directory Server way: Apache Directory Server allows a fully flexible version of this grammar where the order of named components and the number of spaces (where applicable) do not matter.
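
A lint for the value constraints the grammar above states only in comments or fixed alternative lists (Precedence within 1..255, the three AuthenticationLevel values, GrantsAndDenials bits without duplicates), as an added example that is not part of the original page or of Apache Directory Server. It assumes each id-X terminal is the literal X (following the `;id-X = "X"` comment) and that sep is a comma; `lint_aci_item` and both sample ACIItems are constructed for illustration.

```python
import re

# Permission names behind the grantX / denyX alternatives of GrantAndDenialsBit.
PERMS = ("Add DiscloseOnError Read Remove Browse Export Import Modify "
         "Rename ReturnDN Compare FilterMatch Invoke").split()
BITS = {kind + perm for kind in ("grant", "deny") for perm in PERMS}
AUTH_LEVELS = {"none", "simple", "strong"}


def lint_aci_item(text):
    """Return findings for Precedence, AuthenticationLevel and GrantsAndDenials."""
    # Blank out quoted strings so keywords inside a DirectoryString are ignored
    # (assumption: a doubled "" escapes a quote inside a string).
    bare = re.sub(r'"(?:[^"]|"")*"', '""', text)
    findings = []
    for value in re.findall(r"\bprecedence\s+([^\s,}]+)", bare):
        in_range = value.isascii() and value.isdigit() and 1 <= int(value) <= 255
        if not in_range:
            findings.append(f"precedence {value} outside 1..255")
    for value in re.findall(r"\bauthenticationLevel\s+([^\s,}]+)", bare):
        if value not in AUTH_LEVELS:
            findings.append(f"unknown authenticationLevel {value}")
    for body in re.findall(r"\bgrantsAndDenials\s*\{([^{}]*)\}", bare):
        seen = set()  # duplicates are judged per GrantsAndDenials set
        for bit in re.findall(r"[^\s,]+", body):
            if bit not in BITS:
                findings.append(f"unknown bit {bit}")
            elif bit in seen:
                findings.append(f"duplicate bit {bit}")
            seen.add(bit)
    return findings


# Constructed samples; the quoted tag in SAMPLE_OK must not trip the precedence check.
SAMPLE_OK = ('{ identificationTag "read access (not precedence 0)", precedence 10, '
             'authenticationLevel simple, itemOrUserFirst userFirst:'
             '{ userClasses { allUsers }, userPermissions { { protectedItems '
             '{ entry, allUserAttributeTypes }, grantsAndDenials '
             '{ grantBrowse, grantRead } } } } }')
SAMPLE_BAD = ('{ identificationTag "broken", precedence 300, '
              'authenticationLevel basic, itemOrUserFirst userFirst:'
              '{ userClasses { allUsers }, userPermissions { { protectedItems '
              '{ entry }, grantsAndDenials '
              '{ grantRead, grantRead, grantDelete } } } } }')

if __name__ == "__main__":
    for name, item in (("SAMPLE_OK", SAMPLE_OK), ("SAMPLE_BAD", SAMPLE_BAD)):
        print(name, lint_aci_item(item))
```

The checks are keyword-based and order-independent, so they do not confirm that an ACIItem matches the full grammar or that all mandatory components are present.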

Can you give a handful of example ACIItems for common situations so users can better infer how this syntax comes together? We're probably going to have to write up some kind of user guide chapter for this though.