Quoting Pierangelo Masarati ando@sys-net.it:
Creating a simple object like this:
----- s n i p -----
dn: o=phpQLAdmin_Branch_Test,c=se
objectclass: top
objectclass: organization
o: phpQLAdmin_Branch_Test
openldapaci: 0#entry#grant;w,r,s,c;[all]#access-id#uid=turbo,ou=people,o=fredriksson,c=se
----- s n i p -----
Adding the line:
----- s n i p -----
openldapaci: 1#entry#grant;w,r,s,c;[entry]#access-id#uid=turbo,ou=people,o=fredriksson,c=se
----- s n i p -----
Will only give me:
----- s n i p -----
ldap_add: Invalid syntax (21)
        additional info: openldapaci: value #1 invalid per syntax
----- s n i p -----
By quickly reading the code, it seems that the effect you desire is obtained by setting no attribute type, or by using "entry" instead of "[entry]".
Neither of these work. The first with 'no write access to entry' and the second with 'openldapaci: value #0 invalid per syntax'.
----- s n i p -----
dn: o=phpQLAdmin_Branch_Test,c=se
objectclass: top
objectclass: organization
o: phpQLAdmin_Branch_Test
openldapaci: 0#entry#grant;w,r,s,c;entry#public#
openldapaci: 1#entry#grant;w,r,s,c;[all]#access-id#uid=turbo,ou=people,o=fredriksson,c=se
----- s n i p -----
I suggest you test HEAD code to see if it fits your needs; if it does, you could enucleate a patch that backports desired features to re23, and post it to the ITS. Otherwise, you should file an ITS, requesting backporting of the desired features that are in HEAD along with their fix (if it's buggy) or enhancement (if discussion about what you consider an enhancement gains consensus).
Shouldn't the '[all]' cover all this? If I get/have ALL access on the object, shouldn't that include entry and all its attributes!?
I'm not quite sure how it is SUPPOSED to work, but from my view, it's broken - ACI's don't work with re23 which is a stable release... ? Using ACI's, I have to access to create objects - that's what I see anyway...
And the little documentation there is on the subject doesn't tell me that I'm using it wrongly (I can live with the changes to 'one attribute per openldapaci' - quite easy to programmatically change).
I can have a look at HEAD, but...