
Re: ACL to allow an attribute to be cleared, but not changed to something else?

On 01/07/2010 17:48, Tim Gustafson wrote:
>> If you mean a normal user which application-wise is granted
>> higher privileges by ACLs, you need to make use of the granular
>> "a" (add) and "z" (zap) privileges (their union is "w", write).
>
> Pardon my thickness, but the documentation at http://www.openldap.org/doc/admin24/access-control.html specifically calls out the possible values of the "level" part of the ACL clause:
>
> <level>  ::= none | disclose | auth | compare | search | read | write | manage
>
> Is this an undocumented feature?  Should perhaps the documentation be updated, or maybe an example of this sort of ACL included in the examples section?

This syntax is not a "level" but a "priv". From the slapd.access(5) man page:
<priv> ::= {=|+|-}{0|d|x|c|s|r|{w|a|z}|m}+

The online admin guide does seem to be out of date on this subject...

Jonathan Clarke - jonathan@phillipoux.net
Ldap Synchronization Connector (LSC) - http://lsc-project.org
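An added slapd.conf illustration of the priv form discussed in this thread (not part of the thread or of the OpenLDAP documentation), contrasting the level "write" with the granular "z" privilege. It assumes a placeholder attribute name ATTRNAME, and spells out r, s, c and x on the assumption that privileges in the priv form do not imply one another; the two stanzas are alternatives, with the first shown only for contrast.

```conf
# Added example, not from the thread. ATTRNAME is a placeholder attribute.
# Remember that slapd evaluates "by" clauses in order and stops at the
# first one that matches the requester, so order each stanza carefully.

# Level form, too permissive for the question asked: "write" is the
# union of "a" (add values) and "z" (delete values), so the entry's
# owner can replace ATTRNAME with any value of their choosing.
#
# access to attrs=ATTRNAME
#     by self write
#     by * read

# Priv form, the intended policy: the entry's owner may delete values
# of ATTRNAME (a modify/delete, or a replace with no values, clears it)
# but holds no "a" privilege, so adding or replacing with new values is
# refused. r/s/c/x keep read, search, compare and auth for self.
access to attrs=ATTRNAME
    by self =rscxz
    by * read
```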