
Re: ACL: protect entry but not children



At 02:12 PM 2002-09-08, Ace Suares wrote:
>- What is the difference between
>1) access to dn=".*,dc=example,dc=com"

This ACL targets all attributes of all entries under
dc=example,dc=com (but not dc=example,dc=com itself).  Those
subjects granted write may modify the target entries, those
subjects granted the target entries, ....

Since this ACL targets all attributes, those subjects
granted write may also add entries under these target
entries as described in 2).

>2) access to dn="dc=example,dc=com" attrs=children

This ACL targets the children pseudo-attribute of dc=example,dc=com.

Subjects which are granted "write" may add, rename, or delete
entries whose parent is this dc=example,dc=com.

>3) access to dn.children="dc=example,dc=com"

Equivalent to 1).

>4) access to dn.subtree="dc=example,dc=com"

This ACL targets all attributes of dc=example,dc=com as
well as all attributes of all entries under dc=example,dc=com.

>5) access to dn="dc=example,dc=com"

This targets all attributes of entry "dc=example,dc=com".

>- does the following make any sense:
>
>6) access to dn.children="dc=example,dc=com" attrs=children

This ACL targets the children pseudo-attribute of all
entries under dc=example,dc=com (but not dc=example,dc=com
itself).

>and if, what does it do ?

For those subjects with "write" permission, the ACL would
allow those subjects to add entries under any of the
target entries.
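
Added example (not part of the original message, and not OpenLDAP code): a small Python model of which (entry, attribute) pairs each of the six <what> clauses above targets, following the descriptions in the reply. Assumptions: the bare dn= in 2) and 5) is modelled as an exact match, re.search stands in for slapd's regex matching, DN normalisation is naive, and ou=people is a constructed sample entry.

```python
import re

CHILDREN = "children"          # pseudo-attribute named in the reply
BASE = "dc=example,dc=com"

def norm(dn):
    """Naive DN normalisation: lower-case, no spaces around commas.
    Does not handle escaped commas (assumption of this model)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def dn_in_scope(style, pattern, dn):
    """True if dn is selected by the DN part of the <what> clause."""
    dn = norm(dn)
    if style == "regex":
        return re.search(pattern, dn, re.IGNORECASE) is not None
    base = norm(pattern)
    is_base = dn == base
    is_below = dn.endswith("," + base)   # any depth under the base
    if style == "exact":
        return is_base
    if style == "children":
        return is_below
    if style == "subtree":
        return is_base or is_below
    raise ValueError("unknown style: " + style)

def targets(acl, dn, attr):
    """acl = (style, pattern, attrs); attrs=None means all attributes,
    which per the reply includes the children pseudo-attribute."""
    style, pattern, attrs = acl
    if not dn_in_scope(style, pattern, dn):
        return False
    return attrs is None or attr.lower() in attrs

# The six clauses from the message, numbered as in the question.
ACLS = {
    1: ("regex", ".*,dc=example,dc=com", None),
    2: ("exact", BASE, {CHILDREN}),
    3: ("children", BASE, None),
    4: ("subtree", BASE, None),
    5: ("exact", BASE, None),
    6: ("children", BASE, {CHILDREN}),
}

def summary(n, child="ou=people," + BASE):
    """(base attrs, add under base, child attrs, add under child)"""
    acl = ACLS[n]
    return (targets(acl, BASE, "cn"), targets(acl, BASE, CHILDREN),
            targets(acl, child, "cn"), targets(acl, child, CHILDREN))

if __name__ == "__main__":
    for n in sorted(ACLS):
        print(n, summary(n))
```

Each tuple reads as: does the clause cover ordinary attributes of dc=example,dc=com, the children pseudo-attribute of dc=example,dc=com, ordinary attributes of an entry below it, and the children pseudo-attribute of that entry. This models target selection only, not the full access decision.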