On 29. sep. 2016 17:37, Ralf Mattes wrote:
> On Thursday, 29 September 2016 17:20 CEST, Dieter Klünter dieter@dkluenter.de wrote:
>> The reference is RFC3866
> That's the RFC for language and range tags, IIRC. What has this to do with the syntax of OpenLDAP's access control rules?
I do believe Dieter is talking about what the doc ought to be saying but doesn't, since like me he knows LDAP too well to notice :-) I'll file an ITS with a doc bug.
Briefly: "attributes" in indexes and ACLs generally refer to attribute descriptions _and their subtypes_. An attribute description is an attribute type optionally followed by ;options, which are an extension of the original concept of ;language tags. A type with a language tag or user-defined ;option is a sub-type of the original type, just like "cn" is a subtype of "name".
E.g. cn;x-hidden is a subtype of cn, if you've defined x-hidden. And so you can use access control rules on it, and the rules for plain "cn" will apply if a rule for cn;x-hidden doesn't match first.
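
The subtype matching and first-match behaviour described in this message, as an added example that is not part of the original e-mail and is not OpenLDAP's code. It is a simplified model: each rule carries a single access level instead of slapd's `by <who>` clauses, and the schema table, rule lists and function names are constructed for illustration.

```python
# Simplified model of ACL attribute matching with subtypes (not slapd's code).
# Constructed sample schema: attribute type -> direct supertype.
SUPERTYPE = {"cn": "name", "sn": "name"}


def parse(desc):
    """Split 'cn;x-hidden' into (type, set of options), case-insensitively."""
    atype, *opts = desc.lower().split(";")
    return atype, frozenset(opts)


def is_subtype(desc, rule_desc):
    """True if desc is rule_desc itself or one of its subtypes."""
    atype, opts = parse(desc)
    rtype, ropts = parse(rule_desc)
    # Every option named in the rule must be present on the attribute;
    # extra options on the attribute only make it a more specific subtype.
    if not ropts <= opts:
        return False
    # Walk up the type hierarchy: cn -> name -> (no supertype).
    while atype is not None:
        if atype == rtype:
            return True
        atype = SUPERTYPE.get(atype)
    return False


def access(acl, desc):
    """Return the level of the first rule whose attribute matches desc."""
    for rule_desc, level in acl:
        if is_subtype(desc, rule_desc):
            return level
    return "none"  # model of the implicit final deny when nothing matches


# Constructed rule lists: (attribute description, access level).
SPECIFIC_FIRST = [("cn;x-hidden", "none"), ("cn", "read")]
GENERAL_FIRST = [("cn", "read"), ("cn;x-hidden", "none")]  # 2nd rule unreachable

if __name__ == "__main__":
    for acl in (SPECIFIC_FIRST, GENERAL_FIRST):
        for desc in ("cn", "cn;x-hidden", "cn;lang-en", "sn"):
            print(acl[0][0], "first:", desc, "->", access(acl, desc))
```

With the general `cn` rule listed first, `cn;x-hidden` is granted whatever plain `cn` gets, because the rule for the supertype matches before the more specific one is reached.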