
Re: Adding a new entry vs. adding a new attribute



At 06:02 PM 12/9/99 -0500, Joe Sabu wrote:
>I thought by specifying "attrs=children", you get complete access to the
>subtree under the specified DN.

No.  Write access to the entry's parent is required to
add, delete, or modrdn the entry.

>Apparently, I can only add new, but not
>modify existing.

You need permission to write to the entry (and the particular attributes
of the entry) to add, modify, or delete attributes of an entry.

>2)
>
>Will somebody also explain how to use "dnattr" and "attr=entry".

attr=entry is used to grant privileges acting upon the entry
itself.  Example:
	access to attr=entry
		by self write
		by dn=".+" read
		by * none

grants users write over their own entry, authenticated users
read access over all entries, and others (anonymous) no access.
Note: you still need to grant access to particular attributes.

dnattr is used to specify who is granted privileges based upon
the value of the attribute specified by dnattr.

For example:
	access to *
		by self write
		by dnattr=owner write
		by dnattr=member read
		by * none

grants users write over their own entry and attributes, owners
(as listed in the owner attribute) write access, members read,
and others none.

dnattr is often used to create self managed lists:
	access to attr=member,entry
		by dnattr=member selfwrite

You may want to review:
  http://www.umich.edu/~dirsvcs/ldap/doc/guides/slapd/5.html#RTFToC20

Note that the examples are not properly formatted (no leading
spaces on continuation lines) and regex won't properly match
normalized DNs, but the descriptions of how things basically
work are okay.

----
Kurt D. Zeilenga		<kurt@boolean.net>
Net Boolean Incorporated	<http://www.boolean.net/>
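The three points made in the reply above (write on the parent's "children" pseudo-attribute to add or delete entries, "entry" for access to the entry itself, and dnattr/selfwrite for a self-managed list), pulled together into one slapd.conf ACL block. This is an added example, not part of the original message or of any OpenLDAP documentation. It uses the `dn.exact`/`dn.subtree`/`attrs=` selector style of later OpenLDAP releases rather than the regex `dn=` form shown in the reply; the suffix `dc=example,dc=com`, the `ou=Groups` container and the `cn=GroupAdmin` DN are constructed names. Rules are evaluated in order, so the parent-entry rule comes before the subtree rules.

```conf
# Added example (not from the original message). Constructed suffix and DNs.

# 1. Adding, deleting or renaming an entry under ou=Groups requires write
#    access to the PARENT entry's "children" pseudo-attribute. Granting
#    access to the child entries themselves is not enough.
access to dn.exact="ou=Groups,dc=example,dc=com" attrs=children
	by dn.exact="cn=GroupAdmin,dc=example,dc=com" write
	by * none

# 2. "entry" controls access to each group entry itself (whether it can be
#    read or written at all). Real attributes still need their own rules.
access to dn.subtree="ou=Groups,dc=example,dc=com" attrs=entry
	by dn.exact="cn=GroupAdmin,dc=example,dc=com" write
	by users read
	by * none

# 3. Self-managed list. dnattr=owner matches a requester whose DN is a value
#    of the group's "owner" attribute; dnattr=member matches one listed in
#    "member". selfwrite lets a member add or remove only their own DN,
#    not edit the rest of the list. Authenticated users may read it.
access to dn.subtree="ou=Groups,dc=example,dc=com" attrs=member
	by dn.exact="cn=GroupAdmin,dc=example,dc=com" write
	by dnattr=owner write
	by dnattr=member selfwrite
	by users read
	by * none

# Anything not matched above is denied.
access to *
	by * none
```

Continuation lines are indented (a tab here), as the reply notes the linked guide's examples are not. The final catch-all rule is what makes the block fail closed: without it, attributes not named above fall through to the server's default access.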