On 27/5/2012 10:25 PM, Nick Milas wrote:
> For example, you could set up an ACL with a filter clause and
> answer your own question about whether that affects the attrs matched.
OK, I'll do it.
I owe an answer on this; I have done the required research and found
that if we use an ACL of the form:
    access to <dn>.<scope> filter=<some filter>
(i.e. without "attrs=" clause), then it DOES include entry, children
pseudo-attributes, for all matching entries (according to filter).
For example, we could use a statement like (devised to illustrate the
    access to dn.subtree="ou=TestBranch,dc=example,dc=com"
        by dn.exact="uid=usr,ou=people,dc=example,dc=com" read
        by group.exact="cn=Admins,ou=Groups,dc=example,dc=com" write
        by * none
to assign privileges to all attrs (including entry, children) of the
parent entry (which has objectClass=organizationalUnit) and of all
entries having a "someattr" attribute.
A useful tool to display access rights is slapacl. For example, we could
slapacl -b "ou=TestBranch,dc=example,dc=com" -D
to view in detail the access rights to each and every attribute of that
particular entry by that particular user DN.
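
The check described in the message above can be scripted; the following is an added example, not part of the original message. It assumes slapacl reports one `name: level(=privs)` line per attribute on stderr, with `entry` and `children` listed as pseudo-attributes, and the slapd.conf path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example: flag attributes that slapacl reports below a required level.
# Usage (config path is a placeholder; slapacl output is assumed on stderr):
#   slapacl -f /path/to/slapd.conf -b "ou=TestBranch,dc=example,dc=com" \
#       -D "uid=usr,ou=people,dc=example,dc=com" 2>&1 | acl_below read

# Rank of an OpenLDAP access level (none < disclose < ... < manage).
acl_rank() {
    case "$1" in
        none) echo 0 ;; disclose) echo 1 ;; auth) echo 2 ;; compare) echo 3 ;;
        search) echo 4 ;; read) echo 5 ;; write) echo 6 ;; manage) echo 7 ;;
        *) echo -1 ;;
    esac
}

# acl_below LEVEL: read slapacl output on stdin and print every attribute,
# pseudo-attributes entry/children included, that is granted less than LEVEL.
# Returns 1 if anything was printed or if entry/children were not reported,
# 2 if LEVEL is not a known access level, 0 otherwise.
acl_below() {
    want=$(acl_rank "$1")
    [ "$want" -ge 0 ] || { echo "unknown level: $1" >&2; return 2; }
    bad=0 seen_entry=0 seen_children=0
    while IFS= read -r line; do
        case "$line" in authcDN:*|authzDN:*|'') continue ;; esac
        name=${line%: *}      # text before the last ": " (values may contain ": ")
        level=${line##*: }    # e.g. "read(=rscxd)"
        level=${level%%\(*}   # e.g. "read"
        got=$(acl_rank "$level")
        [ "$got" -ge 0 ] || continue   # not an access line, ignore it
        [ "$name" = entry ] && seen_entry=1
        [ "$name" = children ] && seen_children=1
        if [ "$got" -lt "$want" ]; then
            echo "$name: $level"
            bad=1
        fi
    done
    # An ACL without attrs= should cover both pseudo-attributes as well.
    [ "$seen_entry" -eq 1 ] && [ "$seen_children" -eq 1 ] || bad=1
    return "$bad"
}
```
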