Hi,
Just wanted to ask/clarify about a few things related to ACLs:
1) @extensibleObject
In one of the faq entries, namely:
https://www.openldap.org/faq/data/cache/1140.html
there is a construct that looks superfluous:
access to dn.onelevel="cn=bar,ou=Stuff,dc=example,dc=com" attrs=entry,@extensibleObject
Doesn't @extensibleObject include everything - entry, children and regular attributes - by default?
That's what I'd infer from the official documentation, which states that not explicitly specifying attrs= is equivalent to attrs=@extensibleObject.
If so, then the above is equivalent to just: access to dn.onelevel="cn=bar,ou=Stuff,dc=example,dc=com"
2) entry pseudo-attribute vs writing to regular attributes
This is one thing that somewhat surprises me - as the read/search access explicitly requires relevant access to entry pseudo-attribute (as per OPERATION REQUIREMENTS from slapd.access manpage).
The write access, on the other hand, doesn't mention any requirements besides add/delete/write to the attribute itself. This actually holds true, right?
3) attr based access
In one of the examples (8.4.5. Granting access to a subset of attributes), question regarding:
# immediate children: only self can add/delete entries under this entry
access to attrs=children by self write
# entry itself: self may write, all may read
access to attrs=entry by self write by * read
They still do require other ACLs, as the "selfs" in both cases are different, right? E.g. if self matches the parent, it won't match the children being created, and vice-versa (and as per the manual page, 'add' is required both for the parent's 'children' as well as the new entry's 'entry'). IOW, if we bind as the entity wanting to create a new entry underneath, the above is not enough - and we need something more elaborate like in the address book example.
4) access rights required for deeper searches
suppose we have structure like:
ou=A, dc=example, dc=com
ou=B, ou=A, dc=example, dc=com
uid=msl, ou=B, ou=A, dc=example, dc=com
If we do search for uid using 'ou=A, dc=example, dc=com' as a search base (with subtree scope), what (if any) access rights do we need on 'ou=B, ou=A, dc=example, dc=com' ?
5) sets
Is this feature assumed safe to use? It's still formally undocumented (man pages), but there are examples on the website and a syntax explanation in the FAQ.
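As an added illustration of the point raised in question 3 (it is not part of the original message, nor taken from the OpenLDAP documentation), here is a slapd.conf ACL set that lets each user under ou=People,dc=example,dc=com maintain a private address book beneath their own entry. The suffix, the ou=People container and the address-book layout are assumptions for the example. It shows why "by self write" is not enough on its own: the add and delete operations need write on the parent's children pseudo-attribute and write on the new entry's entry pseudo-attribute, and "self" only matches when the target DN is exactly the bound DN, so the descendant entries have to be reached with a dn.regex pattern and a dn.exact,expand clause instead.

```conf
# Added example, not from the OpenLDAP docs or the original post.
# Assumes: suffix dc=example,dc=com, users at uid=<user>,ou=People,
# address-book entries at cn=<contact>,uid=<user>,ou=People (any depth).
# Clauses are evaluated in order; the first "access to" that matches an
# entry/attribute pair wins, and an unmatched "by" list means no access.

# 1) The parent's "children" pseudo-attribute: only the owner may add or
#    delete entries directly beneath their own entry. Here the target DN
#    is the bound DN, so "by self write" would work equally well.
access to dn.regex="^uid=([^,]+),ou=People,dc=example,dc=com$" attrs=children
        by dn.exact,expand="uid=$1,ou=People,dc=example,dc=com" write
        by * none

# 2) The contact entries themselves (one or more RDNs below uid=<user>).
#    "self" cannot match here: the bound DN is uid=<user>, the target is
#    cn=...,uid=<user>. With no attrs= list the clause covers the entry
#    and children pseudo-attributes as well as the regular attributes, so
#    the owner gets the write on "entry" and on each attribute that add,
#    delete and modify require, plus "children" for nested contacts.
access to dn.regex="^.+,uid=([^,]+),ou=People,dc=example,dc=com$"
        by dn.exact,expand="uid=$1,ou=People,dc=example,dc=com" write
        by * none

# 3) Everything else under ou=People: owners write their own entry,
#    authenticated users read. Read on "entry" (implied by the missing
#    attrs= list) is what allows a search to return these entries at all.
#    "children" of ou=People itself falls through to "read", so only the
#    rootdn can create new user entries.
access to dn.subtree="ou=People,dc=example,dc=com"
        by self write
        by users read
        by * none
```

Two caveats worth keeping in mind when adapting this: clause 3 grants the owner write on every attribute of their own entry, so tighten it with an attrs= list (or put a userPassword/auth clause before it) if some attributes drive authorization; and because a contact entry matches clause 2 before clause 3, other users get no read access to address-book entries, which is the intended isolation but is easy to break by reordering the clauses.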