
Re: Fine grained access to attributes



On Thu, 29 Sep 2016 19:14:52 +0200,
Hallvard Breien Furuseth <h.b.furuseth@usit.uio.no> wrote:

> On 29. sep. 2016 17:37, Ralf Mattes wrote:
> >On Thursday, 29 September 2016 17:20 CEST, Dieter Klünter
> ><dieter@dkluenter.de> wrote:
> >> The reference is RFC3866
> >
> > That's the RFC for language and range tags, IIRC. What has this to
> > do with the syntax of OpenLDAP's access control rules?
> 
> I do believe Dieter is talking about what the doc ought to be saying
> but doesn't, since like me he knows LDAP too well to notice:-)
> I'll file an ITS with a doc bug.
> 
> Briefly: "attributes" in indexes and ACLs generally refer to
> attribute descriptions _and their subtypes_.  An attribute
> description is an attribute type optionally followed by ;options,
> which are an extension of the original concept of ;language tags.
> A type with a language tag or user-defined ;option is a sub-type
> of the original type, just like "cn" is a subtype of "name".
> 
> E.g. cn;x-hidden is a subtype of cn, if you've defined x-hidden.
> And so you can use access control rules on it, and the rules
> for plain "cn" will apply if a rule for cn;x-hidden doesn't
> match first.

Thanks, Hallvard, for this clarification. My intention was to make clear
that tags are part of the protocol and thus described in
protocol-specific documentation, i.e. IETF docs, while access rules are
OpenLDAP-specific, thus manual pages, in particular slapd.access(5). The
guide is volunteer-driven basic documentation.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
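
The subtype matching and first-match behaviour described in the quoted explanation, as an added example that is not part of the original message and is not OpenLDAP's code. It is a simplified Python model that ignores the `by <who>` clauses; the rule lists, the `sn` entry in the hierarchy and the fallback of `none` are assumptions made for illustration.

```python
# Simplified model of attribute-description subtyping and first-match
# rule selection. Not slapd's implementation; "who" clauses are ignored.

# Assumed type hierarchy (child -> parent); "cn" under "name" as in the message.
SUPERTYPE = {"cn": "name", "sn": "name"}

def parse(desc):
    """Split 'cn;x-hidden' into (type, set of options), case-insensitively."""
    base, *opts = desc.lower().split(";")
    return base, frozenset(o for o in opts if o)

def type_is_subtype(sub, sup):
    """Walk up the type hierarchy from sub looking for sup."""
    while sub is not None:
        if sub == sup:
            return True
        sub = SUPERTYPE.get(sub)
    return False

def is_subtype(desc, of):
    """True if desc equals `of` or is a subtype of it: the type must be the
    same or a descendant, and desc must carry every option `of` carries."""
    t1, o1 = parse(desc)
    t2, o2 = parse(of)
    return type_is_subtype(t1, t2) and o2 <= o1

# Constructed rule list: most specific description first.
RULES = [
    ("cn;x-hidden", "none"),
    ("cn", "read"),
    ("name", "search"),
]

# Constructed misordered list: the plain "cn" rule shadows the specific one.
MISORDERED = [
    ("cn", "read"),
    ("cn;x-hidden", "none"),
]

def access_for(desc, rules=RULES, default="none"):
    """Return (rule attribute, access level) of the first rule covering desc."""
    for attr, level in rules:
        if is_subtype(desc, attr):
            return attr, level
    return None, default  # assumed fallback when no rule matches

if __name__ == "__main__":
    for d in ("cn;x-hidden", "cn", "CN;lang-de", "sn", "mail"):
        print(d, "->", access_for(d))
    print("misordered:", access_for("cn;x-hidden", MISORDERED))
```

With the misordered list, `cn;x-hidden` is granted `read` by the plain `cn` rule, so a rule meant to restrict an option-tagged subtype has to be placed before the rule for its base type.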