OK, I have a working tentative solution of the type:
    access to *
        by self write
        by self.level{1} read
        by self.level{-1} compare
        by dn.exact="cn=some,dc=org" search
        by dn.level{2} auth
Note that:
- self{1} means that access to "cn=some,dc=org" by
"cn=one,cn=some,dc=org" matches, i.e. {n} levels are cut from the user;
- self{-1} means that access to "cn=some,dc=org" by "dc=org" matches,
i.e. in case of {-n}, n levels are cut from the target;
- dn.level{n} means that match occurs at a given depth from the
leftmost part of the user's DN; of course dn.level{1} == onelevel and
dn.level{0} == base.
Your initial case of granting write permission to each entry by their
immediate ancestor would be
    access to *
        by self.level{-1} write
This seems to work fine also with back-config.
Please file an ITS so we can keep track of the feature, discuss the
details, update slapd.access(5) and so on.
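To make the matching rules in the note above concrete, here is an added model of the proposed "by self.level{n}" semantics in Python; it is example code written for this page, not slapd's implementation, and the simplified DN splitter, the `evaluate` helper and the constructed rule list are assumptions (dn.level{n} is not modelled).

```python
import re

def split_dn(dn):
    """Split a DN into RDNs, leftmost first, lower-cased for comparison.
    Backslash-escaped commas stay inside their RDN; the full RFC 4514
    grammar is not handled (simplification for this example)."""
    parts = re.split(r'(?<!\\),', dn)
    return [p.strip().lower() for p in parts if p.strip()]

def self_level(target_dn, user_dn, n):
    """'by self.level{n}' as described in the post: n > 0 cuts n RDNs from
    the user's DN, n < 0 cuts |n| RDNs from the target DN; the remainder
    must equal the other DN. n == 0 is plain 'by self'. An empty DN
    (anonymous) never matches."""
    target, user = split_dn(target_dn), split_dn(user_dn)
    if n >= 0:
        return len(user) > n and user[n:] == target
    return len(target) > -n and target[-n:] == user

def evaluate(rules, target_dn, user_dn):
    """Return the access granted by the first 'by' clause that matches the
    requesting user (slapd stops at the first match), or 'none'.
    Rules are (clause, argument, access) tuples."""
    for clause, arg, access in rules:
        if clause == "self.level" and self_level(target_dn, user_dn, arg):
            return access
        if clause == "dn.exact" and split_dn(user_dn) == split_dn(arg):
            return access
    return "none"

# Constructed rule set mirroring the ACL quoted in the post; the
# 'dn.level{2} auth' clause is left out because it is not modelled here.
POST_RULES = [
    ("self.level", 0, "write"),          # by self write
    ("self.level", 1, "read"),           # by self.level{1} read
    ("self.level", -1, "compare"),       # by self.level{-1} compare
    ("dn.exact", "cn=some,dc=org", "search"),
]

if __name__ == "__main__":
    # child reading its parent, parent comparing its child
    print(evaluate(POST_RULES, "cn=some,dc=org", "cn=one,cn=some,dc=org"))
    print(evaluate(POST_RULES, "cn=some,dc=org", "dc=org"))
    # immediate ancestor granted write, as in the second ACL of the post
    print(self_level("cn=one,cn=some,dc=org", "cn=some,dc=org", -1))
```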