Re: access given to parent entry
François Beretti wrote:
> Pierangelo Masarati wrote:
> > To make it short, "by self[n] write", recycling the "self" clause, or
> > "ancestor[n]", with "self" given by n=0 and "parent" given by n=1?
> Yeah, great, I will accept any of these solutions :-)
> In my company we develop software storing objects under user entries,
> and this would be very, very useful!
OK, I have a working tentative solution of the type:
access to *
by self write
by self.level{1} read
by self.level{-1} compare
by dn.exact="cn=some,dc=org" search
by dn.level{2} auth
Note that:
- self{1} means that access to "cn=some,dc=org" by
"cn=one,cn=some,dc=org" matches, i.e. {n} levels are cut from the user;
- self{-1} means that access to "cn=some,dc=org" by "dc=org" matches,
i.e. in case of {-n}, n levels are cut from the target;
- dn.level{n} means that match occurs at a given depth from the leftmost
part of the user's DN; of course dn.level{1} == onelevel and dn.level{0}
== base.
Your initial case of granting write permission to each entry by its
immediate ancestor would be
access to *
by self.level{-1} write
This seems to work fine also with back-config.
Please file an ITS so we can keep track of the feature, discuss the
details, update slapd.access(5) and so on.
p.
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
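The matching rules described in the message above (self.level{n} cutting n
levels from the user's DN, self.level{-n} cutting n levels from the target's
DN, dn.level{n} matching a user exactly n levels below a pattern), modelled
in Python as an added example. This is not slapd's code and is not part of
the original thread. Assumptions: DNs are compared after case-folding and
whitespace trimming of each RDN (no attribute-type-aware normalisation), only
backslash-escaped commas are handled, and the "dn.level{2}" clause from the
mail is given the pattern "dc=org", which the original text does not state.
Only first-match semantics are modelled; slapd's stop/break/continue
controls and attribute-level <what> selectors are left out.

```python
"""Model of the self.level{n} / dn.level{n} ACL semantics from the mail.

Added illustration only, not slapd's own code. RDN normalisation is
deliberately simplified (see module-level notes in the lead-in).
"""
from typing import List, Optional, Tuple, Any

# slapd access levels, weakest to strongest, as used in the mail's example.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDN strings, honouring backslash-escaped commas.

    Simplification (assumption): each RDN is case-folded and whitespace-
    trimmed as a whole; real slapd normalises per attribute matching rule.
    """
    parts: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escape pair verbatim
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return [p.lower() for p in parts if p]


def normalize(dn: str) -> str:
    return ",".join(split_dn(dn))


def strip_levels(dn: str, n: int) -> Optional[str]:
    """Remove the n leftmost RDNs; None if the DN is not deep enough."""
    rdns = split_dn(dn)
    if n > len(rdns):
        return None
    return ",".join(rdns[n:])


def self_level_match(target: str, user: str, n: int) -> bool:
    """self.level{n}: n >= 0 cuts n levels from the user, n < 0 cuts -n
    levels from the target, then the two DNs must be equal."""
    if n >= 0:
        cut = strip_levels(user, n)
        return cut is not None and cut == normalize(target)
    cut = strip_levels(target, -n)
    return cut is not None and cut == normalize(user)


def dn_level_match(pattern: str, user: str, n: int) -> bool:
    """dn.level{n}=<pattern>: the user sits exactly n levels below pattern
    (n=0 is base, n=1 is onelevel)."""
    cut = strip_levels(user, n)
    return cut is not None and cut == normalize(pattern)


# A clause is (kind, argument, access level).
Clause = Tuple[str, Any, str]


def clause_matches(clause: Clause, target: str, user: str) -> bool:
    kind, arg, _ = clause
    if kind == "self":
        return normalize(target) == normalize(user)
    if kind == "self.level":
        return self_level_match(target, user, arg)
    if kind == "dn.exact":
        return normalize(user) == normalize(arg)
    if kind == "dn.level":
        n, pattern = arg
        return dn_level_match(pattern, user, n)
    raise ValueError("unknown clause kind: %s" % kind)


def evaluate(acl: List[Clause], target: str, user: str) -> str:
    """First matching 'by' clause wins; no match means no access."""
    for clause in acl:
        if clause_matches(clause, target, user):
            return clause[2]
    return "none"


# The "access to *" directive from the mail. The dn.level pattern "dc=org"
# is an assumption; the mail shows "dn.level{2}" with no pattern.
ACL_FROM_MAIL: List[Clause] = [
    ("self", None, "write"),
    ("self.level", 1, "read"),
    ("self.level", -1, "compare"),
    ("dn.exact", "cn=some,dc=org", "search"),
    ("dn.level", (2, "dc=org"), "auth"),
]

# The "write by immediate ancestor" directive from the mail.
PARENT_WRITE_ACL: List[Clause] = [("self.level", -1, "write")]

if __name__ == "__main__":
    print(evaluate(ACL_FROM_MAIL, "cn=some,dc=org", "cn=one,cn=some,dc=org"))
    print(evaluate(PARENT_WRITE_ACL, "cn=one,cn=some,dc=org", "cn=some,dc=org"))
```

Note that the ordering of the `by` clauses matters: a user bound as
"cn=some,dc=org" accessing its own entry gets "write" from the leading
`by self` clause even though the later `dn.exact` clause would only grant
"search".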