Re: ACL to allow an attribute to be cleared, but not changed to something else?

[Jonathan Clarke <jonathan@phillipoux.net>]

On 01/07/2010 17:48, Tim Gustafson wrote:
> > If you mean a normal user which application-wise is granted
> > higher privileges by ACLs, you need to make use of the granular
> > "a" (add) and "z" (zap) privileges (their union is "w", write).
>
> Pardon my thickness, but the documentation at http://www.openldap.org/doc/admin24/access-control.html specifically calls out the possible values of the "level" part of the ACL clause:
>
> <level>  ::= none | disclose | auth | compare | search | read | write | manage
>
> Is this an undocumented feature?  Should perhaps the documentation be updated, or maybe an example of this sort of ACL included in the examples section?

This syntax is not a "level" but a "priv". From the slapd.access(5) man 
page:
<priv> ::= {=|+|-}{0|d|x|c|s|r|{w|a|z}|m}+

The online admin guide does seem to be out of date on this subject...

Thanks,
Jonathan
--
--------------------------------------------------------------
Jonathan Clarke - jonathan@phillipoux.net
--------------------------------------------------------------
Ldap Synchronization Connector (LSC) - http://lsc-project.org
--------------------------------------------------------------