OpenLDAP supports two modes of defining access. The general form of the access specifier clause is:

    [self]{level|priv}

The special modifier self implies special access to self-owned attributes such as the member attribute in a group. While the access level model implements incremental access (higher access includes lower access levels), the privilege model requires that an administrator explicitly define access for each permission using the =, +, and - operators to reset, add, and remove permissions, respectively (see Table E-3).

Table E-3. Summary of access and privilege levels from most (top) to least (bottom)

| Access level | Privilege | Permission granted |
|---|---|---|
| write | w | Access to update attribute values (e.g., change this telephoneNumber to 555-2345). |
| read | r | Access to read search results (e.g., Show me all the entries with a telephoneNumber of 555*). |
| search | s | Access to apply search filters (e.g., Are there any entries with a telephoneNumber of 555*?). |
| compare | c | Access to compare attributes (e.g., Is your telephoneNumber 555-1234?). |
| auth | x | Access to bind (authenticate). This requires that the client send a username in the form of a DN and some type of credentials to prove his or her identity. |
| none | | No access. |

Control flow from one access rule to the next can be managed by the keywords stop, continue, and break (see Table E-4).

Table E-4. Control flow keywords in access rules

| Keyword | Meaning |
|---|---|
| break | Allows other access clauses to be processed |
| continue | Allows additional "who" clauses within the current access rule to be processed |
| stop | Stops access check upon a match (default) |
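The following slapd.conf fragment is an added example, not part of the original text; it shows the two models and the three control-flow keywords working together. The dc=example,dc=com suffix, the ou=people branch and the cn=admins group are assumed placeholder names.

```conf
# Privilege model with "=": each clause resets the permissions to exactly
# the listed set. The owner may bind (x) and update (w) the password but
# cannot read it back; anonymous clients may only bind against it.
access to attrs=userPassword
    by self =xw
    by anonymous =x
    by * none

# "continue": the owner starts with write only (=w), and evaluation moves on
# to the next "by" clause of the same rule. Every authenticated user,
# the owner included, then has read, search and compare added (+rsc).
# Anonymous clients match neither clause and receive no access.
access to attrs=telephoneNumber
    by self =w continue
    by users +rsc

# "break": members of the admin group get write and the check stops here
# (stop is the default). For everyone else, processing leaves this rule
# and carries on with the access rules that follow.
access to dn.subtree="ou=people,dc=example,dc=com"
    by group.exact="cn=admins,dc=example,dc=com" write
    by * break

# Level model: levels are incremental, so "write" also grants read, search,
# compare and auth, and "read" grants search, compare and auth.
access to *
    by self write
    by users read
    by * none
```

The rules are ordered from most specific to most general because the first access rule that matches an entry or attribute is the one applied, unless a break hands the check on to a later rule.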