Now we come to the target, the <what> of the
access clause:
<what> ::= * | [dn[.<style>]=<dnspec>] [filter=<ldapfilter>] [attrs=<attrlist>]
Well, we see our target is composed of three optional parts. The
first part specifies a condition based on the position of the entry in
the Directory Information Tree or a match against the distinguished
name of the entry. The second part defines a condition that the
attributes in the entry must fulfil and is specified as an LDAP
filter. The third part defines whether the access clause affects
access to the whole entry (if absent) or only some part of it. The
match against the the distinguished name can be done in several
styles:
<style> ::= regex | base | one | subtree | children
The default style is regex that means that the provided
value should be interpreted as a regular expression the distinguished
name of the entry should match. This was the only method supported in
prior OpenLDAP versions. It is possible to select parts of the
matched string and keep the matched parts for later substitution. We
do this by enclosing those parts in parentheses. Later we will be
able to recall the first matched part as $1, the second matched part
as $2, etc.
Most access clauses do not need the full generality of regular
expressions and even are cumbersome to write using regular
expressions. For this reason several other styles are provided: use
base if your access should affect just the entry named by
the provided value, one to select those entries that are
the immediate descendants of the entry named by the provided value,
subtree to select the indicated entry plus all
descendants recursively and children to select all
descendants recursively but excluding the entry itself. Instead of
using the dn= part you may simply specify an asterisk
that is understood to be equivalent to dn.regex=.*.
We pointed out before that the access clause could be for the whole
entry or just part of it. The latter case happens when we indicate an
attribute list:
<attrlist> ::= <attr> | <attr> , <attrlist>
<attr> ::= <attrname> | entry | children
Normal attribute names should speak for themselves (what
happens with subtypes?). You need entry access
for every operation that affects the entry. In particular, you need
read access to the entry if you want to retrieve values
from it and you need auth access to the entry if you want
to as it. Apparently, you do not need entry access to
modify the values in the entry itself. Someone, possibly me, has
overlooked something.
You need write access to children if you
want to add, delete or rename children, including changing the
superior of an entry, where you need write access to both
old and new superiors. Notice that prior versions of OpenLDAP
required write access to the child entry itself for these operations
to succeed. You no longer need this, though the old behaviour can be
restored by recompilation.
jsanchez@openldap.org |