Re: help about aci]

[Mark Valence <kurash@sassafras.com>]

The aci syntax OpenLDAP currently uses is not like that described in 
the latest IETF draft, although it started out that way.  Here is a 
basic example of what is currently implemented:

1.2.3.4#entry#grant;r,w;theAttr#access-id#cn=phoenix,ou=admin,o=sonera,c=fi

Check out servers/slapd/acl.c (search for "oid#") for a more generic 
template.  The attribute type that has been defined for this is 
OpenLDAPaci, so your ldif file should have:

    dn: cn=+358408308432,ou=pcm,o=sonera,c=fi
    add: OpenLDAPaci
    OpenLDAPaci: 1.2.3.4#entry#...

Hope that helps,

Mark.

> I would like to use aci access control method. I know is experimental
> and undocumented yet.
> I use OpenLDAP 2.0.6 with aci feature enabled. Which type of attribe
> should I use? What ietf draft should I follow for the proper syntax?
>
> from slapd -d 65535:
> line 79 (access to *  by self write by aci=OpenLDAPaci write by
> dn.exact="cn=admin,ou=admin,o=sonera,c=fi" write by * read)
> Backend ACL: access to *
>          by self write (=wrscx)
>          by aci=OpenLDAPaci write (=wrscx)
>          by dn.base=CN=ADMIN,OU=ADMIN,O=SONERA,C=FI write (=wrscx)
>          by * read (=rscx)
>
> OpenLDAPaci is defined in core.schema
>
> I trid to use this way(ldif):
>
> dn: cn=+358408308432,ou=pcm,o=sonera,c=fi
> add: OpenLDAPaci
> aci:
> 1.2.3.4#enrty#grant:#rw#[all]#access-id#cn=phoenix,ou=admin,o=sonera,c=fi
>
> ldap_add: Undefined attribute type
>          additional info: attribute type undefined
>
> Do you the solution of this problem?
>
> regards: Szelei Gabor