
RE: ACL changes for add/delete/rename and back-shell



At 11:41 AM 2002-10-08, Howard Chu wrote:
>What does entry write access mean when adding an entry?  This lets you set up an ACL that says someone can/cannot create a specific entry?

Yes.
  access to dn.one="ou=people,o=foo" attr=entry filter=(objectClass=person)
    by dn="ou=manager,o=foo" write
    by * read

means that only "ou=manager,o=foo" can add person objects
directly under "ou=people,o=foo" (assuming "ou=manager,o=foo"
also has "children" write access to "ou=people,o=foo").



>  -- Howard Chu
>  Chief Architect, Symas Corp.       Director, Highland Sun
>  http://www.symas.com               http://highlandsun.com/hyc
>  Symas: Premier OpenSource Development and Support
>
>> -----Original Message-----
>> From: owner-openldap-devel@OpenLDAP.org
>> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Kurt
>> D. Zeilenga
>> Sent: Tuesday, October 08, 2002 11:16 AM
>> To: openldap-devel@OpenLDAP.org
>> Subject: ACL changes for add/delete/rename and back-shell
>>
>>
>> I've tweaked the ACL system for both back-bdb and back-ldbm
>> to require "entry" write access to the entry being added,
>> deleted, or renamed.  Write access to the parent's (or parents')
>> "children" is still required.  This, especially when combined
>> with the filter clause, can provide finer grained control
>> on who can add, delete, rename what where.
>>
>> I've also modified back-shell to provide "entry-level"
>> ACLs for all operations.  This likely should be extended
>> to other programmable backends (an exercise I will leave
>> to others).
>>
>> Kurt
>>
>>
>>
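Putting the two requirements from Kurt's message together, as an added example that is not part of the thread: a slapd.conf fragment with both the "children" rule on the parent and the filtered "entry" rule on the object being added. The DNs are the ones used in the reply above; the `attrs=` spelling and `dn.base` style are assumptions based on the slapd.conf access syntax of that era, not text from the thread.

```conf
# Added example, not from the thread. Two directives that together let only
# ou=manager,o=foo add person entries directly under ou=people,o=foo.

# 1. "children" write access to the parent is still required for
#    adding, deleting or renaming anything directly beneath it.
access to dn.base="ou=people,o=foo" attrs=children
    by dn="ou=manager,o=foo" write
    by * read

# 2. "entry" write access to the entry being added, deleted or renamed.
#    The filter narrows the rule to person objects, so an add of an entry
#    with a different objectClass is judged by whatever later access
#    directive matches it instead of this one.
access to dn.one="ou=people,o=foo" attrs=entry filter=(objectClass=person)
    by dn="ou=manager,o=foo" write
    by * read
```

With the first rule alone, anyone granted "children" write on the parent could add any entry under it; the second rule is what lets the filter decide, per entry, who may add (or delete or rename) which kind of object there. Both checks must pass for the operation to succeed, so removing either directive widens or blocks access rather than leaving it unchanged.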