Sent: Thu May 24 2012 07:38:35 GMT-0400 (EDT)
From: Turbo Fredriksson <turbo@bayour.com>
To: openldap-technical@openldap.org
Subject: Re: dn.exact vs dn.base
[sorry, should have gone to the list]

On Thu, 24 May 2012 14:02:28 +0300, Nick Milas wrote:


access to dn.base="ou=system,dc=example,dc=com"
   by dn.exact="uid=userx,ou=people,dc=example,dc=com" write

This gives 'uid=userx,...' access to 'ou=system,...' _and everything
below it_.

access to dn.exact="ou=system,dc=example,dc=com"
   by dn.base="uid=userx,ou=people,dc=example,dc=com" write

While this is the opposite - it gives 'uid=userx,...' and any objects below
this (not much point in this exact example :) to ONLY the base object
'ou=system,...'.
Your'e thinking of dn.subtree. dn.base only applies to the specific entry.