
Re: Combined ACL with filter and without ?



At 02:28 AM 3/8/00 +0100, Albert Siersema wrote:
>One of those pesky ACL questions again :-)
>
>I'm trying to come up with an ACL in which I can
>restrict access to an attribute like this:
>- (authenticated) self must be able to write
>- only if an attribute called flags has at least a value
>   of 1 anonymous queries can be granted read permission
>
>In other words a kind of combination of the two ACLs below:
>
>access  to dn=".*,o=MyOrg,c=MyCountry" attr=mail
>         by self write
>         by * none
>access  to dn=".*,o=MyOrg,c=MyCountry" filter=(flags>=1) attr=entry
>         attrs=cn,mail.sn
>         by * read

Basics first:  order matters...  and attr= and attrs= should be combined...
and mail.sn should likely be mail,sn... and anonymous is dn="", not *.

So, per your policy description:

# start with sane defaults
defaultaccess none

# anonymous can read these attrs if flags >= 1
# and self write
access to dn=".*,o=MyOrg,c=MyCountry" filter="(flags>=1)" attrs=entry,cn,mail,sn
	by dn="" read
	by self write

# and self write
access to dn=".*,o=MyOrg,c=MyCountry" attrs=entry,cn,mail,sn
	by self write

Note that you want to grant self write in each list, otherwise
the default access "none" will be granted.  Also note that you likely
actually want additional rules to cover remaining attributes and/or
additional who clauses to the above to cover other clients.

See the FAQ and/or archives of this list for further examples
and hints.
  http://www.openldap.org/faq/index.cgi?file=189

Kurt
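To see why clause order and the repeated "by self write" matter, here is an added example (not Kurt's code and not slapd's own implementation) that models slapd's first-match ACL evaluation in Python and runs the two clauses from the reply against constructed entries; the filter callable, the LEVELS ordering and the sample DNs are assumptions made for the illustration.

```python
import re

# Constructed model of slapd's first-match ACL evaluation, not slapd's code:
# the first "access to" clause whose target (dn regex, filter, attrs) matches
# the request decides, the first matching "by" clause inside it sets the
# level, and an unmatched requester falls back to defaultaccess.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def acl(dn_regex, attrs, by, filt=None):
    return {"dn": re.compile(dn_regex), "attrs": set(attrs), "filter": filt, "by": by}

def who_matches(who, requester, target_dn):
    if who == "*":
        return True
    if who == 'dn=""':       # anonymous: no bind DN at all
        return requester is None
    if who == "self":        # bound as the very entry being accessed
        return requester is not None and requester == target_dn
    return False

def check(acls, entry, attr, requester, wanted, default="none"):
    """entry: dict with 'dn' plus attribute values; requester: bind DN or None."""
    for clause in acls:
        if not clause["dn"].match(entry["dn"]) or attr not in clause["attrs"]:
            continue
        if clause["filter"] and not clause["filter"](entry):
            continue
        granted = default          # no "by" match -> defaultaccess, as Kurt notes
        for who, level in clause["by"]:
            if who_matches(who, requester, entry["dn"]):
                granted = level
                break
        return LEVELS.index(granted) >= LEVELS.index(wanted)
    return LEVELS.index(default) >= LEVELS.index(wanted)

# Kurt's two clauses from the reply, plus a variant that forgets "by self write"
# in the filtered clause (the mistake the reply warns about).
DN, ATTRS = r".*,o=MyOrg,c=MyCountry", ["entry", "cn", "mail", "sn"]
flags_ge_1 = lambda e: int(e.get("flags", 0)) >= 1   # assumed model of (flags>=1)
KURT = [acl(DN, ATTRS, [('dn=""', "read"), ("self", "write")], filt=flags_ge_1),
        acl(DN, ATTRS, [("self", "write")])]
FORGETFUL = [acl(DN, ATTRS, [('dn=""', "read")], filt=flags_ge_1),
             acl(DN, ATTRS, [("self", "write")])]

# Constructed sample entries: alice has opted in (flags=1), bob has not.
ALICE = {"dn": "cn=alice,o=MyOrg,c=MyCountry", "flags": 1}
BOB = {"dn": "cn=bob,o=MyOrg,c=MyCountry", "flags": 0}
```

Reversing KURT shows the ordering point: the unfiltered clause then matches every entry first, so anonymous never reaches the "by dn=\"\" read" line.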