How do I grant access to a subset of attributes?
You can grant access to a set of attributes by specifying a list of attribute names in the ACL "to" clause. To be useful, you also need to grant access to the "entry" itself. Also note how "children" controls the ability to add, delete, and rename entries.
# mail: self may write, authenticated users may read
access to attrs=mail
  by self write
  by users read
  by * none

# cn, sn: self may write, all may read
access to attrs=cn,sn
  by self write
  by * read

# immediate children: only self can add/delete entries under this entry
# (no "by *" clause is given, so everyone else falls to the implicit "by * none")
access to attrs=children
  by self write

# entry itself: self may write, all may read
access to attrs=entry
  by self write
  by * read

# other attributes: self may write, others have no access
access to *
  by self write
  by * none
ObjectClass names may also be specified in this list, which affects all the attributes that are required and/or allowed by that objectClass. Names in the attrlist prefixed by @ are treated directly as objectClass names. A name prefixed by ! is also treated as an objectClass, but in this case the access rule affects the attributes that are neither required nor allowed by that objectClass.
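To see why the order of the stanzas above matters, and why the "entry" and "children" pseudo-attributes need their own rules, the following Python script models slapd's evaluation of exactly those ACLs: the first "access to" rule whose attribute list covers the requested attribute decides, within it the first matching "by" clause wins, and every rule ends with an implicit "by * none". This is an added example, not OpenLDAP code and not the FAQ's own; it assumes a constructed mini-schema for the @objectClass expansion, constructed DNs for two users, and models only the "self", "users", "anonymous" and "*" selectors (no regex or dn selectors, no "!" prefix, no break/continue controls).

```python
"""
Toy model of how slapd evaluates the ACLs in the answer: the first
"access to" rule covering the attribute decides, the first matching
"by" clause within it wins, and every rule ends with an implicit
"by * none".  Constructed example, not OpenLDAP code.
"""
from dataclasses import dataclass
from typing import Optional

# slapd access levels, lowest to highest; a granted level implies the lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Constructed mini-schema (assumption): attributes required/allowed by an objectClass.
SCHEMA = {"inetOrgPerson": {"cn", "sn", "mail", "uid", "userPassword"}}

# The ACLs from the answer, without the comments.
ACL_TEXT = """
access to attrs=mail
  by self write
  by users read
  by * none

access to attrs=cn,sn
  by self write
  by * read

access to attrs=children
  by self write

access to attrs=entry
  by self write
  by * read

access to *
  by self write
  by * none
"""

@dataclass
class Rule:
    attrs: set    # attribute names the rule covers; {"*"} means every attribute
    by: list      # (who, level) pairs in the order written

@dataclass
class Request:
    requester: Optional[str]   # DN the client bound as; None = anonymous
    target: str                # DN of the entry being accessed
    attr: str                  # attribute, or the pseudo-attributes "entry"/"children"
    level: str                 # access level the operation needs

def expand_attrlist(attrlist: str) -> set:
    """Expand a comma-separated attrlist; '@oc' stands for every attribute of oc."""
    attrs = set()
    for name in attrlist.split(","):
        name = name.strip()
        if name.startswith("@"):
            attrs |= SCHEMA[name[1:]]
        else:
            attrs.add(name)
    return attrs

def parse_acl(text: str) -> list:
    """Parse 'access to ... by ...' stanzas into Rule objects, keeping their order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("access to "):
            what = line[len("access to "):]
            attrs = {"*"} if what == "*" else expand_attrlist(what[len("attrs="):])
            rules.append(Rule(attrs=attrs, by=[]))
        elif line.startswith("by "):
            who, level = line[3:].split()
            rules[-1].by.append((who, level))
    return rules

def who_matches(who: str, req: Request) -> bool:
    """Match the 'by' selectors used in the answer."""
    if who == "*":
        return True
    if who == "anonymous":
        return req.requester is None
    if who == "users":
        return req.requester is not None
    if who == "self":
        return req.requester is not None and req.requester == req.target
    raise ValueError(f"selector not modelled: {who}")

def granted_level(rules: list, req: Request) -> str:
    """First rule covering the attribute decides; first matching 'by' clause wins."""
    for rule in rules:
        if "*" not in rule.attrs and req.attr not in rule.attrs:
            continue
        for who, level in rule.by + [("*", "none")]:   # implicit trailing "by * none"
            if who_matches(who, req):
                return level
    return "none"   # no rule matched at all: slapd denies by default

def allowed(rules: list, req: Request) -> bool:
    return LEVELS.index(granted_level(rules, req)) >= LEVELS.index(req.level)

RULES = parse_acl(ACL_TEXT)
ALICE = "uid=alice,ou=people,dc=example,dc=com"   # constructed DNs
BOB = "uid=bob,ou=people,dc=example,dc=com"

def check(requester, attr, level, target=ALICE) -> bool:
    """Can `requester` perform `level` access on `attr` of `target`?"""
    return allowed(RULES, Request(requester, target, attr, level))

if __name__ == "__main__":
    for who, label in ((ALICE, "self"), (BOB, "other user"), (None, "anonymous")):
        for attr in ("mail", "cn", "userPassword", "entry", "children"):
            print(f"{label:10} {attr:13} read={check(who, attr, 'read')!s:5} "
                  f"write={check(who, attr, 'write')}")
```

Running the script prints a matrix for self, another authenticated user and an anonymous client. Two points stand out: Bob cannot add entries under Alice's entry because the "children" stanza has no "by *" clause, so he hits the implicit "by * none"; and userPassword, which no stanza names, falls through to the final "access to *" rule and is invisible to everyone but Alice. Moving the "access to *" stanza to the top would make it swallow every request and render the later, more specific stanzas dead.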
This document is: http://www.openldap.org/faq/index.cgi?file=429
This is a Faq-O-Matic 2.719.
© Copyright 1998-2008, OpenLDAP Foundation, info@OpenLDAP.org