On 25/5/2012 6:44 μμ, Philip Guenther wrote:
Because that's a popular style of ACL processing logic to use for
attributes. As you note, this is done in "most cases", i.e., not all, so
obviously there nothing in the software that requires it.
I'm not sure why the ACLs for entry and children that you tend to see use
that style, but if I recall correctly, they weren't part of the original
ACL design but rather were added in OpenLDAP 2.2 (or maybe 2.3?), so this
may be the result of ACL sets being retrofitted during upgrades.
Thank you Philip, I hope someone can provide some more information on
why "that's a popular style of ACL processing logic to use for those
attributes." (i.e. entry and children pseudo-attrs).
I am wondering: if there is (or there was) nothing in the software that
requires (required) it, why such a style has developed?
Yes, though you should review any rules without an attrs= clause
carefully to check whether they're setting the rights for the
children/entry pseudo-attributes unexpectedly.
You mean that if we use a <what> statement without an "attrs=" clause,
then it affects children and entry pseudo-attributes as well? And what
if there is a filter specified too (still without an "attrs=" clause)?
I'm not sure what you mean by "determined implicitly"
here, so I can't
What I meant was exactly that (see above): if e.g. we use a <what>
statement without an "attrs=" clause, then it affects children and entry
pseudo-attributes as well?