Add the new ACI keyword "targetcontrol" that can be used to enforce access
based on the OID of a control. For example, a new global access control rule
is also being added:
ds-cfg-global-aci: (targetcontrol="2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 ||
2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2")
(version 3.0; acl "Anonymous control access"; allow(read) userdn="ldap:///anyone";)
which allows anonymous access to the following controls:
- Manage DSA IT (2.16.840.1.113730.3.4.2)
- Real Attributes Only (2.16.840.1.113730.3.4.17)
- Virtual Attributes Only (2.16.840.1.113730.3.4.19)
- LDAP No-Op Control (1.3.6.1.4.1.4203.1.10.2)
A wildcard can also be specified. The following ACI rule allows access to all controls:
(targetcontrol="*") (version 3.0; acl "All control access example";
allow(read) userdn="ldap:///self";)
This ACI could be put on a user's entry -- it doesn't need to be a global ACI.
Issue #452.
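As an added illustration (not code from this commit or the project), the following Python snippet parses the targetcontrol clause of the two ACIs quoted above and checks whether a given control OID is covered, including the "*" wildcard; the regular expressions, function names and the unlisted OID "1.2.3.4.5" are constructed for the example, and the rest of the ACI (version, acl name, permission, bind rule) is deliberately ignored.

```python
import re

# Regex for the leading '(targetcontrol="oid || oid ...")' clause only
# (assumed shape for this example; the real ACI parser is more general).
TARGETCONTROL_RE = re.compile(r'\(\s*targetcontrol\s*=\s*"([^"]*)"\s*\)')
# A control OID is a dotted sequence of decimal arcs.
OID_RE = re.compile(r"^\d+(\.\d+)*$")

# The two ACIs from the commit message, embedded verbatim as test input.
ANON_CONTROL_ACI = (
    '(targetcontrol="2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 || '
    '2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2") '
    '(version 3.0; acl "Anonymous control access"; allow(read) userdn="ldap:///anyone";)'
)
ALL_CONTROLS_ACI = (
    '(targetcontrol="*") (version 3.0; acl "All control access example"; '
    'allow(read) userdn="ldap:///self";)'
)

MANAGE_DSA_IT = "2.16.840.1.113730.3.4.2"
REAL_ATTRS_ONLY = "2.16.840.1.113730.3.4.17"
VIRTUAL_ATTRS_ONLY = "2.16.840.1.113730.3.4.19"
LDAP_NO_OP = "1.3.6.1.4.1.4203.1.10.2"
UNLISTED_OID = "1.2.3.4.5"  # constructed OID that no rule above names explicitly


def parse_targetcontrol(aci: str) -> list[str]:
    """Return the OIDs (or ['*']) named in the ACI's targetcontrol clause."""
    m = TARGETCONTROL_RE.search(aci)
    if m is None:
        raise ValueError("ACI has no targetcontrol clause")
    oids = [tok.strip() for tok in m.group(1).split("||")]
    for oid in oids:
        if oid != "*" and not OID_RE.match(oid):
            raise ValueError(f"malformed control OID in targetcontrol: {oid!r}")
    return oids


def control_allowed(aci: str, control_oid: str) -> bool:
    """True if the rule's targetcontrol list covers control_oid (wildcard-aware)."""
    oids = parse_targetcontrol(aci)
    return "*" in oids or control_oid in oids


if __name__ == "__main__":
    for oid in (MANAGE_DSA_IT, LDAP_NO_OP, UNLISTED_OID):
        print(oid, "anonymous rule:", control_allowed(ANON_CONTROL_ACI, oid),
              "wildcard rule:", control_allowed(ALL_CONTROLS_ACI, oid))
```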