[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Unclear attribute: entry



Klaus Ethgen <klaus+usenet@ethgen.de> writes:

> Hi,
>
> Dieter Kluenter <dieter@dkluenter.de> schrieb:
>>> So my question is what is the rights that are needed for which entry
>>> attribute (in tree) to allow read, write, search or other access to
>>> other attributes?
>> entry and children are so called pseudo attributes. They are mainly
>> used to allow access to children of an entry. As example you have an
>> entry ouers,dcample,dcm and want to allow access to children
>> of this entry but no read or write access to the entry itself, a rule
>> set could be
>>
>> access to dn.onelevelers,dcample,dcm
>>        by users write
>>        by anonymous auth
>> access to dn.baseers,dcample,dcm attrstry,children
>>        by users write
>>        by anonymous auth
>
> Thanks for your answer. But it do not makes that clear for me. I did
> found some examples with entry and children but the description about
> ist not clear for me.
>
> The children attribute might be somewhat clear. But the real mysteric is
> the entry attribute and as the logic seems to be somewhat identical also
> the real meaning of children.
>
> For example:
> [1] access to attrs=sn
> 	   by * read
>
> [2] access to attrs=entry,sn
>            by * read
>
> [1] will not allow to read the attribute sn. Only with [2] that will
> work. However, _I_ would expect that all attributes of that particular
> entry would be readable with [2] but only the sn attribute with [1]. And
> exactly there is my problem with the understanding.

Well, if [1] doesn't allow read access then there are other rules
which prevent this.
The only function of the pseudo attributes entry and children is to
allow the access parser to check whether the referenced object and
subentries exist. Just to give an example, the last acl rule of my
slapd.conf is 

access to dn.base="o=avci,c=de" attrs=entry,children
        by group.exact="cn=Administratoren,o=avci,c=de" write
        by users read
        by anonymous auth

A search with base o=avci,c=de and scope subtree results in the
following acl parsing: 
=> access_allowed: search access to "o=avci,c=de" "entry" requested

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: 7770535@sipgate.de 
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6