
Re: ACL control with break

On 27/5/2012 10:25, Nick Milas wrote:

For example, you could set up an ACL with a filter clause and
answer your own question about whether that affects the attrs matched.

OK, I'll do it.

I owe an answer on this; I have done the required research and found that if we use an ACL of the form:

access to <dn>.<scope> filter=<some filter>

(i.e. without "attrs=" clause), then it DOES include entry, children pseudo-attributes, for all matching entries (according to filter).

For example, we could use a statement like (devised to illustrate the case):

access to dn.subtree="ou=TestBranch,dc=example,dc=com" filter="(|(objectClass=organizationalUnit)(someattr=*))"
  by dn.exact="uid=usr,ou=people,dc=example,dc=com" read
  by group.exact="cn=Admins,ou=Groups,dc=example,dc=com" write
  by * none

to assign privileges to all attrs (including entry, children) of the parent entry (which has objectClass=organizationalUnit) and of all entries having a "someattr" attribute.

A useful tool to display access rights is slapacl. For example, we could use:

slapacl -b "ou=TestBranch,dc=example,dc=com" -D "uid=usr,ou=people,dc=example,dc=com"

to view in detail the access rights to each and every attribute of that particular entry by that particular user DN.
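To make the rule above concrete, here is a small Python model of how slapd picks the first matching "access to" directive and then the first matching "by" clause, and of the point established in the message: when the "attrs=" clause is omitted the directive covers every attribute of a matching entry, the entry and children pseudo-attributes included, whereas an explicit "attrs=" list covers only what it names. This is an added example, not OpenLDAP code and not a replacement for slapacl; the directory tree, the group membership (uid=admin as the only member of cn=Admins) and the attribute values are constructed sample data, the ACL text is the one from the message with the "acces" typo corrected, and the evaluator deliberately supports only a subset of slapd's syntax (plain dn.* and group.exact selectors, no attrs= wildcards, no "continue"/"break" controls).

```python
"""Toy evaluator for slapd-style ACLs (added example, not OpenLDAP code).
Assumptions: the tree, DNs and group below are constructed sample data; DNs are
compared as normalised lower-case strings (no escaping); filters cover only
(&..), (|..), (!..), (attr=value), (attr=*); attrs= takes literal names (no '*'
or '+'); only the default 'stop' control; nothing matching -> 'none'."""
import shlex

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def norm_dn(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))

def _parse(s, i):  # recursive-descent parser for the filter subset above
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    if s[i + 1] in "&|!":
        op, i, kids = s[i + 1], i + 2, []
        while s[i] != ")":
            node, i = _parse(s, i)
            kids.append(node)
        return (op, kids), i + 1
    j = s.index(")", i)
    attr, _, value = s[i + 1:j].partition("=")
    return ("=", attr.strip().lower(), value.strip()), j + 1

def parse_filter(text):
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return node

def match_filter(node, entry):
    op = node[0]
    if op in "&|":
        return (all if op == "&" else any)(match_filter(k, entry) for k in node[1])
    if op == "!":
        return not match_filter(node[1][0], entry)
    values = [v.lower() for v in entry.get(node[1], [])]
    return bool(values) if node[2] == "*" else node[2].lower() in values

def dn_in_scope(dn, scope, base):
    dn, base = norm_dn(dn), norm_dn(base)
    below = dn != base and dn.endswith("," + base)
    return {"exact": dn == base, "subtree": dn == base or below, "children": below}[scope]

def parse_acl(line):
    tok = shlex.split(line)  # shlex strips the double quotes around values
    what, by, i = {"dn": None, "filter": None, "attrs": None}, [], 2
    while i < len(tok) and tok[i] != "by":
        key, _, val = tok[i].partition("=")
        if key.startswith("dn."):
            what["dn"] = (key[3:], val)
        elif key == "filter":
            what["filter"] = parse_filter(val)
        elif key == "attrs":
            what["attrs"] = [a.strip().lower() for a in val.split(",")]
        i += 1
    while i < len(tok):  # "by <who> <access>" triples; 'stop' control only
        if tok[i] != "by" or tok[i + 2] not in LEVELS:
            raise ValueError("unsupported <by> clause near: " + " ".join(tok[i:i + 4]))
        by.append((tok[i + 1], tok[i + 2]))
        i += 3
    return what, by

def who_matches(who, bind_dn, directory):
    key, _, val = who.partition("=")
    if who == "*":
        return True
    if bind_dn and key.startswith("dn."):
        return dn_in_scope(bind_dn, key[3:], val)
    if bind_dn and key in ("group", "group.exact"):  # groupOfNames/member, slapd's default
        members = directory.get(norm_dn(val), {}).get("member", [])
        return norm_dn(bind_dn) in [norm_dn(m) for m in members]
    return False

def access_allowed(acls, directory, bind_dn, target_dn, attr, want):
    """First <access to> whose <what> matches wins; then the first matching <by>."""
    entry, attr = directory[norm_dn(target_dn)], attr.lower()
    for what, by in acls:
        if what["dn"] and not dn_in_scope(target_dn, *what["dn"]):
            continue
        if what["filter"] and not match_filter(what["filter"], entry):
            continue
        # attrs= omitted -> every attribute, 'entry' and 'children' included
        if what["attrs"] is not None and attr not in what["attrs"]:
            continue
        level = next((lvl for who, lvl in by if who_matches(who, bind_dn, directory)), "none")
        return LEVELS.index(level) >= LEVELS.index(want)
    return False  # no <access to> directive matched

DIRECTORY = {norm_dn(dn): {k.lower(): v for k, v in e.items()} for dn, e in {  # constructed
    "ou=TestBranch,dc=example,dc=com": {"objectClass": ["organizationalUnit"]},
    "cn=a,ou=TestBranch,dc=example,dc=com": {"objectClass": ["device"], "someattr": ["x"]},
    "cn=b,ou=TestBranch,dc=example,dc=com": {"objectClass": ["device"]},
    "cn=Admins,ou=Groups,dc=example,dc=com": {"objectClass": ["groupOfNames"],
                                             "member": ["uid=admin,ou=people,dc=example,dc=com"]},
}.items()}
ACL_TEXT = ('access to dn.subtree="ou=TestBranch,dc=example,dc=com" '
            'filter="(|(objectClass=organizationalUnit)(someattr=*))" '
            'by dn.exact="uid=usr,ou=people,dc=example,dc=com" read '
            'by group.exact="cn=Admins,ou=Groups,dc=example,dc=com" write by * none')
ACLS = [parse_acl(ACL_TEXT)]

def check(bind_dn, target_dn, attr, want, acls=ACLS):
    """Same question slapacl answers: may bind_dn get <want> on <attr> of <target_dn>?"""
    return access_allowed(acls, DIRECTORY, bind_dn, target_dn, attr, want)
```

With the message's ACL, check() reports read on the entry and children pseudo-attributes of ou=TestBranch for uid=usr, read on someattr of an entry that carries it, nothing at all on a sibling that matches neither filter branch, and write for a member of cn=Admins; swapping the filter for attrs="someattr" makes the same user lose access to the entry pseudo-attribute, which is the difference the message describes. On a real server the authoritative answer is still slapacl against the running configuration; the model only helps reason about which clause will be selected before editing slapd.conf.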