[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Unclear attribute: entry

To: openldap-technical@openldap.org
Subject: Re: Unclear attribute: entry
From: "Dieter Kluenter" <dieter@dkluenter.de>
Date: Fri, 06 Aug 2010 12:07:55 +0200
In-reply-to: <slrni5kvc7.l2s.klaus+usenet@ikki.ethgen.de> (Klaus Ethgen's message of "Thu, 5 Aug 2010 09:59:51 +0100")
References: <slrni5ibt2.u5v.klaus+usenet@ikki.ethgen.de> <87hbjaxuly.fsf@magenta.l4b.de> <slrni5kvc7.l2s.klaus+usenet@ikki.ethgen.de>
User-agent: Gnus/5.1008 (Gnus v5.10.8) XEmacs/21.5-b29 (linux)

Klaus Ethgen <klaus+usenet@ethgen.de> writes:

> Hi,
>
> Dieter Kluenter <dieter@dkluenter.de> schrieb:
>>> So my question is what is the rights that are needed for which entry
>>> attribute (in tree) to allow read, write, search or other access to
>>> other attributes?
>> entry and children are so called pseudo attributes. They are mainly
>> used to allow access to children of an entry. As example you have an
>> entry ouers,dcample,dcm and want to allow access to children
>> of this entry but no read or write access to the entry itself, a rule
>> set could be
>>
>> access to dn.onelevelers,dcample,dcm
>>        by users write
>>        by anonymous auth
>> access to dn.baseers,dcample,dcm attrstry,children
>>        by users write
>>        by anonymous auth
>
> Thanks for your answer. But it do not makes that clear for me. I did
> found some examples with entry and children but the description about
> ist not clear for me.
>
> The children attribute might be somewhat clear. But the real mysteric is
> the entry attribute and as the logic seems to be somewhat identical also
> the real meaning of children.
>
> For example:
> [1] access to attrs=sn
> 	   by * read
>
> [2] access to attrs=entry,sn
>            by * read
>
> [1] will not allow to read the attribute sn. Only with [2] that will
> work. However, _I_ would expect that all attributes of that particular
> entry would be readable with [2] but only the sn attribute with [1]. And
> exactly there is my problem with the understanding.

Well, if [1] doesn't allow read access then there are other rules
which prevent this.
The only function of the pseudo attributes entry and children is to
allow the access parser to check whether the referenced object and
subentries exist. Just to give an example, the last acl rule of my
slapd.conf is 

access to dn.base="o=avci,c=de" attrs=entry,children
        by group.exact="cn=Administratoren,o=avci,c=de" write
        by users read
        by anonymous auth

A search with base o=avci,c=de and scope subtree results in the
following acl parsing: 
=> access_allowed: search access to "o=avci,c=de" "entry" requested

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: 7770535@sipgate.de 
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6

References:
- Re: Unclear attribute: entry
  - From: "Dieter Kluenter" <dieter@dkluenter.de>

Prev by Date: Re: Capturing events in OpenLDAP
Next by Date: Re: Unclear attribute: entry
Index(es):
- Chronological
- Thread