Re: Subordinate ACL question
>1) favouriteDrink is an attributeType; "@" is used to indicate the
>attributeType collection that's required/allowed for an objectClass, I
>assume that's what you meant, so the example is wrong and your intention
>is to apply the rule to an objectClass.
Correct, the example was wrong. Sorry about that! I'll use "pilotPerson"
below.
>2) use a trailing '$' in regex patterns.
Ah, again, I lose for making up a contrived example. The actual ACL
has a trailing '$'.
>3) in the first rule, you can expand "$0" instead (at least with HEAD code)
I'm using 2.2.18.
>> A corollary of my first question is whether these can be collapsed
>> to:
>>
>> access to dn.regex="^cn=([^,]+),cn=FOO"
>> attrs=children,entry,@pilotPerson
>> by dn.exact,expand="cn=$1,cn=BAR" write
>
>No. In this case, the target is always "^cn=([^,]+),cn=FOO", so you
>are giving children (correct), entry and @<objectClass> access
>(unnecessary) to the entries matching the pattern above, while you're not
>giving any access to their children, which is what you essentially need.
Ah, thanks. I think I understand that. Going back to the first example,
will:
access to dn.children="cn=FOO" attrs=children,entry,@pilotPerson
by dn.exact="CN=BAR" write
suffice to give CN=BAR authorization to create entries of object
class pilotPersons under cn=FOO, or do I still need two separate
rules?
Sorry if I'm asking obvious questions :-)
cheers,
-- Luke
--
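Added example, not part of the original message or of OpenLDAP: a Python sketch for auditing point 2 above (the trailing '$'), listing which DNs the unanchored target pattern quoted in the thread covers beyond the intended ones. It assumes slapd's regex matching behaves like a case-insensitive search; cn=FOO and cn=BAR are the thread's placeholders, and the sample DNs and function names are constructed.

```python
import re

# Target pattern and by-clause template as quoted in the thread (no trailing '$').
PATTERN = r"^cn=([^,]+),cn=FOO"
TEMPLATE = "cn=$1,cn=BAR"

# Constructed sample DNs for the audit.
SAMPLE_DNS = [
    "cn=alice,cn=FOO",           # intended target
    "cn=alice,cn=FOOBAR",        # different container whose name starts with FOO
    "cn=alice,cn=FOO,dc=other",  # cn=FOO nested under another suffix
    "cn=kid,cn=alice,cn=FOO",    # child of an intended target
]

def matched(pattern, dns):
    """Return the DNs the pattern matches, using search semantics (assumption)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [dn for dn in dns if rx.search(dn)]

def overmatch(unanchored, dns):
    """DNs covered only because the pattern lacks a trailing '$'."""
    anchored = set(matched(unanchored + "$", dns))
    return [dn for dn in matched(unanchored, dns) if dn not in anchored]

def expand_by(pattern, template, dn):
    """Substitute $1..$9 in the by-clause template with groups captured from dn."""
    m = re.search(pattern, dn, re.IGNORECASE)
    if m is None:
        return None  # rule does not apply to this target
    return re.sub(r"\$(\d)", lambda d: m.group(int(d.group(1))), template)

if __name__ == "__main__":
    for dn in overmatch(PATTERN, SAMPLE_DNS):
        who = expand_by(PATTERN, TEMPLATE, dn)
        print(f"unintended target {dn!r}: write granted to {who!r}")
    # The child entry is matched by neither form of the pattern.
    print("child matched:", "cn=kid,cn=alice,cn=FOO" in matched(PATTERN, SAMPLE_DNS))
```

With the '$' appended, only cn=alice,cn=FOO remains a target; the child entry is matched by neither form, which is the point made in the quoted reply about children.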