RE: ACL changes for add/delete/rename and back-shell



At 12:14 PM 2002-10-08, Kurt D. Zeilenga wrote:
>At 12:08 PM 2002-10-08, Howard Chu wrote:
>>> -----Original Message-----
>>> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
>>
>>> At 11:41 AM 2002-10-08, Howard Chu wrote:
>>> >What does entry write access mean when adding an entry?
>>> This lets you set up an ACL that says someone can/cannot
>>> create a specific entry?
>>>
>>> Yes.
>>>   access to dn.one="ou=people,o=foo" attr=entry
>>> filter=(objectClass=person)
>>>     by dn="ou=manager,o=foo" write
>>>     by * read
>>>
>>> means that only "ou=manager,o=foo" can add person objects
>>> directly under "ou=people,o=foo" (assuming "ou=manager,o=foo"
>>> also has "children" write access to "ou=people,o=foo").
>>
>>That all sounds good, but it also sounds like extra rules are now needed.
>>I.e., if I have an existing set of ACLs that grants
>>
>>        access to dn="ou=people,o=foo" attr=children
>>           by dn="ou=manager,o=foo" write
>>           by * read
>>
>>but I don't have the corresponding attr=entry ACL from above, then
>>"ou=manager,o=foo" can't actually create any children of "ou=people,o=foo" ?
>
>Correct.

I note that since most authzdn able to add entries have
write to attrs=* on those entries, few ACLs will actually
have to change due to this.  Probably the biggest gotcha
is on those who have existing attrs=entry read (only) ACLs.

Anyways, I'm leaning on releasing it in the next 2.1
patch release...  Or is it time to lock down 2.1 to bug
fixes and targeting features such as this to 2.2?

Kurt
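As an added illustration of the gotcha Kurt mentions (this is not a configuration from the thread or from OpenLDAP itself; the DNs are the ones used above, and the "before" rule is an assumed pre-existing read-only entry ACL), here is the same slapd.conf fragment with the weak rule beside the corrected one:

```conf
# BEFORE (assumed existing config): the parent grants children write,
# but the only rule for the entry pseudo-attribute of the new child is read.
# Under the add/delete/rename change discussed above, an add now also
# requires write on the new entry's "entry" attribute, so the manager
# can no longer create anything under ou=people even though it holds
# children write on the parent.
access to dn="ou=people,o=foo" attrs=children
    by dn="ou=manager,o=foo" write
    by * read
access to dn.one="ou=people,o=foo" attrs=entry
    by * read

# AFTER: add an explicit entry-write rule for the manager on person
# objects directly under ou=people; everyone else stays read-only.
# slapd uses the first "access to" clause that matches the entry and
# attribute, so this clause must precede any broader read-only one.
access to dn="ou=people,o=foo" attrs=children
    by dn="ou=manager,o=foo" write
    by * read
access to dn.one="ou=people,o=foo" attrs=entry filter=(objectClass=person)
    by dn="ou=manager,o=foo" write
    by * read
```

An audit for this regression is therefore a search of slapd.conf for every `attrs=entry` clause whose most privileged `by` line is `read`, checked against the identities expected to add, delete or rename entries at that level.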