On 25/5/2012 6:44 μμ, Philip Guenther wrote:
Because that's a popular style of ACL processing logic to use for those attributes. As you note, this is done in "most cases", i.e., not all, so obviously there nothing in the software that requires it.
I'm not sure why the ACLs for entry and children that you tend to see use that style, but if I recall correctly, they weren't part of the original ACL design but rather were added in OpenLDAP 2.2 (or maybe 2.3?), so this may be the result of ACL sets being retrofitted during upgrades.
Thank you Philip, I hope someone can provide some more information on why "that's a popular style of ACL processing logic to use for those attributes." (i.e. entry and children pseudo-attrs).
I am wondering: if there is (or there was) nothing in the software that requires (required) it, why such a style has developed?
Yes, though you should review any rules without an attrs= clause carefully to check whether they're setting the rights for the children/entry pseudo-attributes unexpectedly.
You mean that if we use a <what> statement without an "attrs=" clause, then it affects children and entry pseudo-attributes as well? And what if there is a filter specified too (still without an "attrs=" clause)?
I'm not sure what you mean by "determined implicitly" here, so I can't answer that.
What I meant was exactly that (see above): if e.g. we use a <what> statement without an "attrs=" clause, then it affects children and entry pseudo-attributes as well?
Thanks, Nick