
ACL: preventing member deletion?



Hi,

I'm trying to set up ACLs for my OpenLDAP server. I have an ou=people that
contains users and an ou=group that contains groups. I've created a
"cn=administrators,ou=group,dc=company,dc=com" with the following members:
member: uid=admin1, ou=people,dc=company,dc=com
member: uid=admin2, ou=people,dc=company,dc=com
member: uid=admin3, ou=people,dc=company,dc=com

The ACL in slapd.conf is configured as shown below. Currently any member of
the administrators group can delete anyone in that group. Is there any way to
restrict access such that each member cannot delete other members' entries,
while still allowing all members of the administrators group to see the
"*,ou=group,dc=company,dc=com" entries?

Thanks for your help.

defaultaccess none

# Passwords: the owner and the administrators may write, nobody else may read.
access to attr=userpassword
 by self write
 by group="cn=administrators,ou=group,dc=company,dc=com" write
 by * none

# User entries: the owner and the administrators have write (which includes
# delete); other users may only read.
access to dn=".*,ou=people,dc=company,dc=com"
 by self write
 by group="cn=administrators,ou=group,dc=company,dc=com" write
 by dn=".*,ou=people,dc=company,dc=com" read
 by * none

# Catch-all for the rest of the suffix: administrators write, nobody else.
access to dn=".*,dc=company,dc=com"
 by group="cn=administrators,ou=group,dc=company,dc=com" write
 by * none
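The following is an added example of how the posted ACL could be rearranged so that members of the administrators group can still see the group entries but no longer have the write access that lets them delete each other; it is not from the original post or from the OpenLDAP project. It keeps the same slapd.conf syntax as the post (`defaultaccess` and regex `dn="..."` targets) and assumes, as in that syntax, that deleting an entry is checked as write access to the entry itself. slapd uses the first `access to` clause whose target matches the entry, and within it the first `by` clause whose subject matches the requester, so the specific clauses must appear before the catch-all.

```conf
# Added example: ACL rearranged so administrators cannot delete each other.
# Assumes the post's slapd.conf syntax (defaultaccess, regex dn targets)
# and that entry deletion requires write access to the target entry.
defaultaccess none

# Passwords: the owner and the administrators may change them; no one else
# may read them.
access to attr=userpassword
 by self write
 by group="cn=administrators,ou=group,dc=company,dc=com" write
 by * none

# User entries: only the owner has write access to their own entry.
# Administrators and other users get read only, so no administrator can
# delete (or otherwise modify) another member's entry.
access to dn=".*,ou=people,dc=company,dc=com"
 by self write
 by group="cn=administrators,ou=group,dc=company,dc=com" read
 by dn=".*,ou=people,dc=company,dc=com" read
 by * none

# Group entries: administrators can see every group under ou=group but
# cannot modify membership.
access to dn=".*,ou=group,dc=company,dc=com"
 by group="cn=administrators,ou=group,dc=company,dc=com" read
 by * none

# Everything else under the suffix stays writable by administrators only.
# This clause must remain last: if it came first it would match the
# ou=people and ou=group entries too and grant write to the group.
access to dn=".*,dc=company,dc=com"
 by group="cn=administrators,ou=group,dc=company,dc=com" write
 by * none
```

Two caveats: with this layout administrators also lose the ability to add or edit user entries, so if they must still manage some attributes, grant the group write on those specific attributes (`access to dn=".*,ou=people,..." attrs=...`) in a clause placed above the entry-level one rather than on the whole entry. Also, later OpenLDAP releases changed the syntax (`dn.regex=` instead of `dn=` with a regex, and separate `entry`/`children` pseudo-attributes governing delete and add), so the clauses would need adapting there; the ordering principle is the same.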