OpenLDAP Faq-O-Matic : OpenLDAP Software FAQ : Configuration : SLAPD Configuration : Access Control : More information about Access Control :
Specifying the target<what> ::= * | [dn[.<style>]=<dnspec>] [filter=<ldapfilter>] [attrs=<attrlist>]Well, we see our target is composed of three optional parts. The first part specifies a condition based on the position of the entry in the Directory Information Tree or a match against the distinguished name of the entry. The second part defines a condition that the attributes in the entry must fulfil and is specified as an LDAP filter. The third part defines whether the access clause affects access to the whole entry (if absent) or only some part of it. The match against the the distinguished name can be done in several styles:
<style> ::= regex | base | one | subtree | childrenThe default style is regex that means that the provided value should be interpreted as a regular expression the distinguished name of the entry should match. This was the only method supported in prior OpenLDAP versions. It is possible to select parts of the matched string and keep the matched parts for later substitution. We do this by enclosing those parts in parentheses. Later we will be able to recall the first matched part as $1, the second matched part as $2, etc.
Most access clauses do not need the full generality of regular expressions and even are cumbersome to write using regular expressions. For this reason several other styles are provided: use base if your access should affect just the entry named by the provided value, one to select those entries that are the immediate descendants of the entry named by the provided value, subtree to select the indicated entry plus all descendants recursively and children to select all descendants recursively but excluding the entry itself. Instead of using the dn= part you may simply specify an asterisk that is understood to be equivalent to dn.regex=.*.
We pointed out before that the access clause could be for the whole entry or just part of it. The latter case happens when we indicate an attribute list:
<attrlist> ::= <attr> | <attr> , <attrlist> <attr> ::= <attrname> | entry | childrenNormal attribute names should speak for themselves (what happens with subtypes?). You need entry access for every operation that affects the entry. In particular, you need read access to the entry if you want to retrieve values from it and you need auth access to the entry if you want to as it. Apparently, you do not need entry access to modify the values in the entry itself. Someone, possibly me, has overlooked something.
You need write access to children if you want to add, delete or rename children, including changing the superior of an entry, where you need write access to both old and new superiors. Notice that prior versions of OpenLDAP required write access to the child entry itself for these operations to succeed. You no longer need this, though the old behaviour can be restored by recompilation.