
Re: ACL, delete and children



At 06:40 PM 11/24/99 +0000, Manuel Guesdon wrote:
>Hello,
>
>I want to allow members of a group to add entries in, for example, dc=com, but I want to allow deletion of dc=aa,dc=com only by
>members of group dc=aa,dc=com

The default model says if you have permission to delete entries
you could have added regardless if you have permission to modify
the entry itself.

You can compile with -DSLAPD_CHILD_MODIFICATION_WITH_ENTRY_ACL=1
to use a model which says that you can delete an entry if you
can modify it regardless of whether you could have added it.

>This doesn't seem to be possible, as the children attr is used for add and delete.

Actually, "write" is used for add, delete, and modify.

>Is there a way to do what I want  ?

Not out of the box.

>If not, is it possible to add other attributes like children (maybe children-add and children-delete) which will be tested
>for add or delete operations before testing the children attribute (I don't know if ACL design is part of the LDAP RFCs or if it's
>a "free" part).

There is some work being done by the IETF LDAPext WG
concerning Access Control Information.  We're currently
experimenting with draft specs in this area for OpenLDAP 2.0.

Kurt

----
Kurt D. Zeilenga		<kurt@boolean.net>
Net Boolean Incorporated	<http://www.boolean.net/>
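The difference between the two deletion models Kurt describes, worked through for Manuel's scenario, as an added example that is not part of the original thread and not OpenLDAP code. The ACL layout, the group names (cn=adders,dc=com and cn=owners,dc=aa,dc=com) and the "entry"/"children" write targets are assumptions made to mirror the question; real slapd ACL syntax is not reproduced, only the decision logic.

```python
"""Constructed model of the two slapd delete-permission policies from the reply.

Illustration code written for this page, not OpenLDAP source.  The ACL,
group names and DNs are assumptions chosen to mirror Manuel's scenario:
one group may add under dc=com, and only another group may delete dc=aa,dc=com.
"""

from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class WriteRule:
    """'write' granted to the listed groups on one target.

    attr == "entry"    -> write on the entry's own attributes (modify)
    attr == "children" -> write on the 'children' pseudo-attribute (add/delete below it)
    """
    target_dn: str
    attr: str
    groups: FrozenSet[str]


def parent_dn(dn: str) -> Optional[str]:
    """Return the parent of an LDAP DN (None for a root such as dc=com)."""
    return dn.split(",", 1)[1] if "," in dn else None


def has_write(acl: List[WriteRule], dn: str, attr: str, groups: FrozenSet[str]) -> bool:
    """Does any rule grant write on (dn, attr) to a caller holding these groups?"""
    return any(r.target_dn == dn and r.attr == attr and r.groups & groups for r in acl)


def can_add(acl: List[WriteRule], dn: str, groups: FrozenSet[str]) -> bool:
    """Add needs write on the parent's 'children' (both models agree on this)."""
    parent = parent_dn(dn)
    return parent is not None and has_write(acl, parent, "children", groups)


def can_modify(acl: List[WriteRule], dn: str, groups: FrozenSet[str]) -> bool:
    """Modify needs write on the entry itself (both models agree on this)."""
    return has_write(acl, dn, "entry", groups)


def can_delete_default(acl: List[WriteRule], dn: str, groups: FrozenSet[str]) -> bool:
    """Default model: you may delete what you could have added,
    regardless of whether you could modify the entry itself."""
    return can_add(acl, dn, groups)


def can_delete_entry_acl(acl: List[WriteRule], dn: str, groups: FrozenSet[str]) -> bool:
    """Model selected by -DSLAPD_CHILD_MODIFICATION_WITH_ENTRY_ACL=1:
    you may delete an entry you can modify, regardless of whether you could have added it."""
    return can_modify(acl, dn, groups)


# Assumed group names; the original post does not name them.
ADDERS = frozenset({"cn=adders,dc=com"})        # may create entries under dc=com
OWNERS = frozenset({"cn=owners,dc=aa,dc=com"})  # the only ones who should delete dc=aa,dc=com
TARGET = "dc=aa,dc=com"

# Constructed ACL: adders get 'children' write on dc=com,
# owners get write on the dc=aa,dc=com entry itself.
ACL = [
    WriteRule("dc=com", "children", ADDERS),
    WriteRule(TARGET, "entry", OWNERS),
]


def outcomes(model) -> dict:
    """Who may delete dc=aa,dc=com under the given delete policy."""
    return {"adders": model(ACL, TARGET, ADDERS), "owners": model(ACL, TARGET, OWNERS)}


if __name__ == "__main__":
    for name, model in (("default", can_delete_default), ("entry-acl", can_delete_entry_acl)):
        print(name, outcomes(model))
```

Under the default model the adders can delete dc=aa,dc=com (they could have added it) while the owners cannot, which is the opposite of what was asked; under the compiled-in entry-ACL model the owners can delete it and the adders cannot, because deletion then follows write on the entry rather than on the parent's children.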