Re: Adding a new entry vs. adding a new attribute
At 06:02 PM 12/9/99 -0500, Joe Sabu wrote:
>I thought by specifying "attrs=children", you get complete access to the
>subtree under the specified DN.
No. Write access to the entry's parent is required to
add, delete, or modrdn the entry.
>Apparently, I can only add new, but not
>modify existing.
You need permission to write to the entry (and the particular attributes
of the entry) to add, modify, or delete attributes of an entry.
>2)
>
>Will somebody also explain how to use "dnattr" and "attr=entry".
attr=entry is used to grant privileges acting upon the entry
itself. Example:
    access to attr=entry
        by self write
        by dn=".+" read
        by * none
grants users write over their own entry, authenticated users
read access over all entries, and others (anonymous) no access.
Note: you still need to grant access to particular attributes.
dnattr is used to specify who is granted privileges based upon
the value of the attribute specified by dnattr.
For example:
    access to *
        by self write
        by dnattr=owner write
        by dnattr=member read
        by * none
grants users write over their own entry and attributes, owners
(as listed in the owner attribute) write access, members read,
and others none.
dnattr is often used to create self managed lists:
    access to attr=member,entry
        by dnattr=member selfwrite
You may want to review:
http://www.umich.edu/~dirsvcs/ldap/doc/guides/slapd/5.html#RTFToC20
Note that the examples are not properly formatted (no leading
spaces on continuation lines) and regex won't properly match
normalized DNs, but the descriptions of how things basically
work are okay.
----
Kurt D. Zeilenga <kurt@boolean.net>
Net Boolean Incorporated <http://www.boolean.net/>
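
The clause ordering described in the message, as an added example that is not part of the original post and is not slapd's code: a small Python model that parses an access directive (rejecting continuation lines without leading whitespace) and returns the level granted by the first matching "by" clause. The simplified DN normalization, the sample group entry and all function names are assumptions made for illustration.

```python
import re

def norm_dn(dn):  # simplified normalization (assumption): lowercase, no spaces around ',' and '='
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip().lower())

def parse_acl(text):
    # One "access to <what>" directive; continuation lines must begin with whitespace.
    head, *cont = text.strip("\n").splitlines()
    for line in cont:
        if not line[:1].isspace():
            raise ValueError("continuation line lacks leading whitespace: %r" % line)
        head += " " + line.strip()
    tokens = head.split()
    if tokens[:2] != ["access", "to"]:
        raise ValueError("not an access directive")
    first_by = tokens.index("by")
    clauses = []
    for i in range(first_by, len(tokens), 3):      # each clause is: by <who> <level>
        by, who, level = tokens[i:i + 3]
        if by != "by" or level not in ("none", "read", "write"):
            raise ValueError("bad clause: %r" % tokens[i:i + 3])
        clauses.append((who, level))
    return " ".join(tokens[2:first_by]), clauses

def who_matches(who, requester, entry_dn, entry):
    # requester is "" for an anonymous bind; entry maps attribute -> list of values.
    me = norm_dn(requester)
    if who == "*":
        return True
    if who == "self":
        return me == norm_dn(entry_dn)
    if who.startswith("dnattr="):                  # requester's DN is a value of that attribute
        return me in [norm_dn(v) for v in entry.get(who[7:], [])]
    if who.startswith("dn="):                      # regex over the requester's DN
        return re.search(who[3:].strip('"'), me) is not None
    raise ValueError("unsupported <who>: " + who)

def access_level(clauses, requester, entry_dn, entry):
    # The first matching "by" clause decides; no match means no access.
    for who, level in clauses:
        if who_matches(who, requester, entry_dn, entry):
            return level
    return "none"

# Constructed sample: the dnattr directive from the message and a made-up group entry.
ACL = "access to *\n by self write\n by dnattr=owner write\n by dnattr=member read\n by * none"
GROUP_DN = "cn=staff,dc=example,dc=com"
GROUP = {"owner": ["cn=Ann,dc=example,dc=com"],
         "member": ["cn=Ann,dc=example,dc=com", "cn=Bob, dc=example, dc=com"]}
```

Ann is listed as both owner and member and gets write because the owner clause comes first; swapping the two dnattr clauses would leave her with read.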