Re: deleting ACL

[Alejandra Moreno <alejandra.moreno@atrete.ch>]

but this way you don't distinguish between writing and 
deleting!

Regards,
Alejandra

At 13:00 14.01.2002 +0000, you wrote:

> Alejandra Moreno wrote...:
> > And how can this be implemented for the LDAP entries?
>
> something like
>
> access to dn=".*,dc=parent,dc=com"
>        by * write
>
> gives everybody write access to entries stored below
> "dc=parent,dc=com", 
> (e.g. "uid=foo,dc=parent,dc=com") but not to
> "dc=parent,dc=com" it self. 
> of course you can restrict access by specifying something else than
> "*" 
> in the second line..
>
> hth,
> daniel
>
> > At 12:40 14.01.2002 +0000, you wrote:
> > 
> >>Alejandra Moreno wrote...:
> >>
> >> > I'm not sure, but is there a way to create an ACL to
> distinguish
> >> > between writing and deleting? I want to give writing
> permission,
> >> > but not deleting permission. 
> >>
> >>depends on what you think that "writing" is.. if you
> want to
> >>distinguish between creating and deleting, the answer should be
> no,
> >>i think. but if you want to "write to" an entry
> (meaning you want
> >>to change some of its attributes) thats a completely
> different
> >>thing. access handling can be compared fairly straight forward
> to
> >>UNIX file permissions in this case.. if you have write access
> for
> >>the directory, you can add and delete all files there.
> >>but you can change the _content_ of a file (if the file
> permissions
> >>allow it) also if you do not have write permissions to the
> >>directory. what means you may modify the file, but not delete
> it..
> >>(which is possibly what you want)

______________________________________________________________________
Alejandra Moreno Espinar
at rete ag

mailto:alejandra.moreno@atrete.ch, http://www.atrete.ch
snail mail: Oberdorfstrasse 2, P.O. Box 674, 8024 Zurich, Switzerland
voice: +41-1-266 55 55, direct: +41-1-266 55 91, fax: +41-1-266 55 88
_____________________________________________________________________