
Re: deleting ACL



Alejandra Moreno wrote...:
> And how can this be implemented for the LDAP entries?

something like

access to dn=".*,dc=parent,dc=com"
       by * write

gives everybody write access to entries stored below "dc=parent,dc=com", 
(e.g. "uid=foo,dc=parent,dc=com") but not to "dc=parent,dc=com" itself. 
of course you can restrict access by specifying something other than "*" 
in the second line..

hth,
daniel

> At 12:40 14.01.2002 +0000, you wrote:
> 
>>Alejandra Moreno wrote...:
>>
>> > I'm not sure, but is there a way to create an ACL to distinguish
>> > between writing and deleting? I want to give writing permission,
>> > but not deleting permission. 
>>
>>depends on what you think that "writing" is.. if you want to
>>distinguish between creating and deleting, the answer should be no,
>>i think. but if you want to "write to" an entry (meaning you want
>>to change some of its attributes) that's a completely different
>>thing. access handling can be compared fairly straightforward to
>>UNIX file permissions in this case.. if you have write access for
>>the directory, you can add and delete all files there.
>>but you can change the _content_ of a file (if the file permissions
>>allow it) also if you do not have write permissions to the
>>directory. which means you may modify the file, but not delete it..
>>(which is possibly what you want)
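
An added example, not part of the original messages: a slapd.conf fragment for the case described in the quoted reply, where entries may be modified but not deleted. It assumes the style-qualified ACL syntax documented in slapd.access(5) of later OpenLDAP releases and a hypothetical administrative DN cn=admin,dc=parent,dc=com; it relies on slapd requiring write access to the parent's "children" pseudo-attribute, in addition to the entry's "entry" pseudo-attribute, before an entry can be added or deleted.

```conf
# slapd.conf fragment (added example). slapd stops at the first
# "access to" clause that matches the target, so the narrower clause
# has to come before the general one.

# The rule from the message in style-qualified form, kept commented out
# for comparison: everybody may add, modify and delete below the suffix.
#access to dn.regex=".*,dc=parent,dc=com"
#        by * write

# 1. "children" pseudo-attribute: write access here is what adding or
#    deleting an entry directly below the matched entry requires.
#    cn=admin,dc=parent,dc=com is a hypothetical administrative DN.
access to dn.subtree="dc=parent,dc=com" attrs=children
        by dn.exact="cn=admin,dc=parent,dc=com" write
        by * read

# 2. Everything else in entries below dc=parent,dc=com (dn.children does
#    not match dc=parent,dc=com itself, like the regex in the message):
#    authenticated users may change attribute values, others may read.
access to dn.children="dc=parent,dc=com"
        by users write
        by * read
```

With these two clauses an authenticated user can modify attributes of uid=foo,dc=parent,dc=com, but a delete or add is refused because the first clause gives only the administrative DN write access to "children". The directory's rootdn is not subject to ACLs at all.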