..{{EX:objectclass: organizationalRole}}
..{{EX:cn: Manager}}
-. Be sure to replace {{EX:<MY-DOMAIN>}} and {{EX:<COM>}} with the appropriate domain
-components of your domain name. {{EX:<MY ORGANIZATION>}} should be replaced
-with the name of your organization. If you cut and paste, be sure
-to trim any leading and trailing whitespace from the example.
+. Be sure to replace {{EX:<MY-DOMAIN>}} and {{EX:<COM>}} with the
+appropriate domain components of your domain name. {{EX:<MY
+ORGANIZATION>}} should be replaced with the name of your organization.
+When you cut and paste, be sure to trim any leading and trailing
+whitespace from the example.
..{{EX:dn: dc=example,dc=com}}
..{{EX:objectclass: dcObject}}
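Review bot: the reflowed paragraph now splits the placeholder {{EX:<MY ORGANIZATION>}} across two added lines ("{{EX:<MY" ends one line and "ORGANIZATION>}}" starts the next). Keep the whole {{EX:...}} phrase on one line so the placeholder reads and can be searched as a single token, consistent with {{EX:<MY-DOMAIN>}} and {{EX:<COM>}} in the same sentence. The only wording change, "If you cut and paste" to "When you cut and paste", is fine.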
> attrs=<attribute list>
-Access to the entry itself must be granted or denied using the
-special attribute name "{{EX:entry}}". Note that giving access to an
-attribute is not enough; access to the entry itself through the
-{{EX:entry}} attribute is also required. The complete examples at
-the end of this section should help clear things up.
+There are two special {{psuedo}} attributes {{EX:entry}} and
+{{EX:children}}. To read (and hence return) an target entry, the
+subject must have {{EX:read}} access to the target's {{entry}}
+attribute. To add or delete an entry, the subject must have
+{{EX:write}} access to the entry's parent's {{EX:children}} attribute.
+To rename an entry, the subject must have {{EX:write}} access to
+both the old parent's and new parent's {{EX:children}} attributes.
+The complete examples at the end of this section should help clear
+things up.
Lastly, there is a special entry selector {{EX:"*"}} that is used to
select any entry. It is used when no other {{EX:<what>}}
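Review bot: the added paragraph has three wording problems: "{{psuedo}}" should be "{{pseudo}}", "an target entry" should be "a target entry", and "the target's {{entry}} attribute" lacks the EX: markup used for {{EX:entry}} and {{EX:children}} in the rest of the hunk. The removed text also said outright that giving access to an attribute is not enough and that access to the entry itself through {{EX:entry}} is also required; the new wording only implies this through the read rule, so consider keeping one explicit sentence to that effect, since it determines whether an attribute-level grant has any effect at all.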