On 27/5/2012 10:25 PM, Nick Milas wrote:
For example, you could set up an ACL with a filter clause and answer your own question about whether that affects the attrs matched.
OK, I'll do it.
I owe an answer on this; I have done the required research and found that if we use an ACL of the form:
access to <dn>.<scope> filter=<some filter>
(i.e. without an "attrs=" clause), then it DOES include the entry and children pseudo-attributes for all matching entries (according to the filter).
For example, we could use a statement like (devised to illustrate the case):
access to dn.subtree="ou=TestBranch,dc=example,dc=com" filter="(|(objectClass=organizationalUnit)(someattr=*))"
    by dn.exact="uid=usr,ou=people,dc=example,dc=com" read
    by group.exact="cn=Admins,ou=Groups,dc=example,dc=com" write
    by * none
to assign privileges to all attrs (including entry, children) of the parent entry (which has objectClass=organizationalUnit) and of all entries having a "someattr" attribute.
A useful tool to display access rights is slapacl. For example, we could use:
slapacl -b "ou=TestBranch,dc=example,dc=com" -D "uid=usr,ou=people,dc=example,dc=com"
to view in detail the access rights to each and every attribute of that particular entry by that particular user DN.
Nick
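
The check described in the message above can be scripted; the following is an added example, not part of the original post. The helper name check_pseudo_attrs, the entry cn=printer1 and both sample reports are constructed for illustration, and the second sample assumes no other ACL grants access to entries the filter does not match.

```shell
#!/bin/sh
# Added example: verify that a slapacl report grants a privilege on the
# "entry" and "children" pseudo-attributes. Real use would be, e.g.:
#   slapacl -b "ou=TestBranch,dc=example,dc=com" \
#       -D "uid=usr,ou=people,dc=example,dc=com" 2>&1 | check_pseudo_attrs r
# (2>&1 so the report is captured even if slapacl writes it to stderr.)

# check_pseudo_attrs PRIV  (hypothetical helper; PRIV is one letter, r or w)
# Reads a report on stdin, prints the entry/children lines it found and
# returns 0 only if both are present and their mask contains PRIV.
check_pseudo_attrs() {
    awk -v priv="$1" '
        /^(entry|children): / {
            name = $1; sub(/:$/, "", name)
            mask = $0                       # e.g. "entry: read(=rscxd)"
            sub(/^.*\(=/, "", mask)         # drop everything up to "(="
            sub(/\).*$/, "", mask)          # drop the closing ")"
            seen[name] = 1
            ok[name] = (index(mask, priv) > 0)
            printf "%s privs=%s %s\n", name, mask, (ok[name] ? "OK" : "MISSING " priv)
        }
        END { exit !(seen["entry"] && ok["entry"] && seen["children"] && ok["children"]) }
    '
}

# Constructed report: entry matched by the filter, requester is uid=usr (read).
sample_matching() {
    cat <<'EOF'
authcDN: "uid=usr,ou=people,dc=example,dc=com"
entry: read(=rscxd)
children: read(=rscxd)
ou=TestBranch: read(=rscxd)
objectClass=organizationalUnit: read(=rscxd)
EOF
}

# Constructed report: entry the filter does not match (assumed to end at "none").
sample_non_matching() {
    cat <<'EOF'
authcDN: "uid=usr,ou=people,dc=example,dc=com"
entry: none(=0)
children: none(=0)
cn=printer1: none(=0)
objectClass=device: none(=0)
EOF
}

sample_matching | check_pseudo_attrs r || echo "unexpected: read missing"
sample_non_matching | check_pseudo_attrs r || echo "no read on entry/children for the non-matching entry"
```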