[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: ACL attr=children problem
On Wed, 2005-11-16 at 15:48 +0100, Jimmy Ott wrote:
> > Did you read slapd.access(5)? If you didn't, go and do it. If you did,
> > you might have misunderstood the meaning of the pseudo-attribute
> > "children".
> i've read it a few times, but so i've misunderstood it, my english isn't
> very good.
>
> quote: "The statement attrs=<attrlist> selects the attributes the access
> control rule applies to. It is a comma-separated list of attribute
> types, plus the special names entry, indicating access to the entry
> itself, and children, indicating access to the entry's children"
>
> what are the entry's children? not child objects of an ou?
> and what is the right approach for my problem?
You should go a little below. "children" grants access to child objects
for the appropriate operations, i.e. to add a child or delete one. They
have nothing to do with accessing the child entry itself. It's the
"entry" pseudo-attribute that refer to the object itself (i.e., for a
search, to the possibility to return the DN).
If you look at the "OPERATION REQUIREMENTS" section, you'll see what
access to what entities is required for each operation and each
operation phase. Since you're using an old (and patched by the packager
and known to be buggy) version, this section may be incomplete or even
not present, I don't recall. In that case, I suggest you grab a more
recent version (e.g. the one from OpenLDAP 2.2.29, or even from the 2.3
branch, although in that case there might be small nd subtle
differences). You may even feel like upgrading :)
p.
Ing. Pierangelo Masarati
Responsabile Open Solution
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati@sys-net.it
------------------------------------------