
ACL (dnattr) usage



I'm trying to rewrite some ACLs to be more generic, so I've created
an attribute called 'administrator' (I _could_ have used 'owner', but
I've forgotten about that).

My Base DN is 'dc=com'. Under that I have 'dc=bayour' (=> dc=bayour,dc=com).

In the 'dc=bayour' object I have

        dn: dc=bayour,dc=com
        administrator: uid=frans,ou=People,dc=bayour,dc=com

Trying to add a user object (with the DN uid=test,ou=People,dc=bayour,dc=com)
doing a simple bind as 'uid=frans,ou=People,dc=bayour,dc=com' fails (see below)!

The ACL looks like:
        access to dn="ou=People,dc=bayour,dc=com"
                by dnattr=administrator write
                by * read

The attribute looks like:
        attributetype ( 1.3.6.1.4.1.8767.3.2.4.4 NAME 'administrator'
                DESC 'Administrator for branch'
                SUP owner)

Running slapd in debug mode shows this:

------ s n i p -----
=> access_allowed: write access to "ou=People,dc=bayour,dc=com" "children" requested
=> dnpat: [1] ou=People,dc=bayour,dc=com nsub: 0
=> acl_get: [1] matched
=> acl_get: [1] check attr children
<= acl_get: [1] acl ou=People,dc=bayour,dc=com attr: children
=> acl_mask: access to entry "ou=People,dc=bayour,dc=com", attr "children" requested
=> acl_mask: to all values by "UID=FRANS,OU=PEOPLE,DC=BAYOUR,DC=COM", (=n) 
<= check a_dn_at: administrator
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: write access denied by read (=rscx)
====> cache_return_entry_w( 248 ): returned (0)
no write access to parent
------ s n i p -----

What does '"children" requested' actually mean?
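Two facts from slapd.access(5) explain the trace above: "children" is a pseudo-attribute of an entry, and adding or deleting an entry directly beneath it requires write access to that pseudo-attribute on the parent (here ou=People,dc=bayour,dc=com, hence "no write access to parent"); and a `dnattr=<attr>` clause only matches when the entry being accessed lists the bind DN as a value of <attr>. The trace shows the checker looking at `a_dn_at: administrator` on ou=People, which has no such attribute (the value lives on dc=bayour,dc=com), so it falls through to `by * read`, and write is denied. The following is an added illustration, not code from the original post or from OpenLDAP: a simplified model of access_allowed()/acl_mask() that reproduces that decision and shows it flipping once the parent entry itself carries the administrator value. Directory contents, the ACL and the bind DNs are constructed sample data mirroring the message; the DN normalization and trace format are approximations.

```python
# Added illustration, not from the original post or from OpenLDAP itself:
# a simplified model of slapd's access_allowed()/acl_mask() evaluation,
# used to show why 'by dnattr=administrator write' does not fire for an
# ldapadd under ou=People.  All data below is constructed sample data.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Access levels in increasing order, as in slapd.access(5).
ACCESS_ORDER = ["none", "auth", "compare", "search", "read", "write"]


def normalize_dn(dn: str) -> str:
    """Approximate slapd's DN normalization: case-insensitive components,
    no whitespace around the commas (the debug trace prints DNs this way)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


@dataclass
class Clause:
    who: str      # "dnattr=<attr>" or "*"
    access: str   # "write", "read", ...


@dataclass
class Acl:
    target_dn: str          # the dn="..." of the 'access to' line
    clauses: List[Clause]   # 'by' clauses; first match wins


# Constructed directory, keyed by normalized DN.  As in the post, only the
# dc=bayour entry carries 'administrator'; ou=People does not.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    normalize_dn("dc=bayour,dc=com"): {
        "administrator": ["uid=frans,ou=People,dc=bayour,dc=com"],
    },
    normalize_dn("ou=People,dc=bayour,dc=com"): {},
}

# The ACL from the post.
ACL = Acl(
    target_dn="ou=People,dc=bayour,dc=com",
    clauses=[Clause("dnattr=administrator", "write"), Clause("*", "read")],
)


def clause_matches(clause: Clause, entry_attrs: Dict[str, List[str]], bind_dn: str) -> bool:
    """dnattr=<attr> matches only if the *target entry* lists the bind DN
    as a value of <attr>; '*' matches everyone."""
    if clause.who == "*":
        return True
    if clause.who.startswith("dnattr="):
        attr = clause.who.split("=", 1)[1]
        bind = normalize_dn(bind_dn)
        return any(normalize_dn(v) == bind for v in entry_attrs.get(attr, []))
    raise ValueError(f"unsupported 'by' clause: {clause.who}")


def access_allowed(directory, acl: Acl, target_dn: str, bind_dn: str,
                   requested: str, attr: str) -> Tuple[bool, List[str]]:
    """Return (allowed, trace).  'attr' is a real attribute or one of the
    pseudo-attributes 'entry' / 'children'; 'children' on the parent is
    what an add or delete of a subordinate entry asks for."""
    trace = [f'{requested} access to "{target_dn}" "{attr}" requested']
    if normalize_dn(acl.target_dn) != normalize_dn(target_dn):
        trace.append("target not covered by this ACL; denied in this model")
        return False, trace
    entry_attrs = directory.get(normalize_dn(target_dn), {})
    for i, clause in enumerate(acl.clauses, 1):
        trace.append(f"check [{i}] {clause.who}")
        if clause_matches(clause, entry_attrs, bind_dn):
            trace.append(f"[{i}] applying {clause.access} (stop)")
            granted = ACCESS_ORDER.index(clause.access) >= ACCESS_ORDER.index(requested)
            return granted, trace
    trace.append("no 'by' clause matched")
    return False, trace


def can_add_child(directory, acl: Acl, parent_dn: str, bind_dn: str) -> bool:
    """ldapadd of an entry directly under parent_dn needs write access to
    the parent's 'children' pseudo-attribute."""
    allowed, _ = access_allowed(directory, acl, parent_dn, bind_dn, "write", "children")
    return allowed


def with_administrator_on_parent(directory, parent_dn: str, admin_dn: str):
    """Copy of the directory in which the parent entry itself carries the
    'administrator' value, which is the entry dnattr= actually inspects."""
    fixed = {dn: dict(attrs) for dn, attrs in directory.items()}
    entry = fixed.setdefault(normalize_dn(parent_dn), {})
    entry["administrator"] = entry.get("administrator", []) + [admin_dn]
    return fixed


if __name__ == "__main__":
    parent = "ou=People,dc=bayour,dc=com"
    frans = "uid=frans,ou=People,dc=bayour,dc=com"
    cases = [("as posted", DIRECTORY),
             ("administrator on ou=People", with_administrator_on_parent(DIRECTORY, parent, frans))]
    for label, d in cases:
        ok, trace = access_allowed(d, ACL, parent, frans, "write", "children")
        print(f"--- {label}: {'allowed' if ok else 'denied'}")
        print("\n".join(trace))
```

Running it prints the denial for the directory as posted and the grant once ou=People carries `administrator: uid=frans,...`; other bind DNs still only get read. The model ignores `dn.subtree`, `attrs=` selectors and the default global ACL, so treat it as a reading aid for the trace, not as a substitute for testing the real slapd.conf.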