Re: deleting ACL
> Yes, that's what I meant (sorry if I was not clear!), and yes I thought
> there was no way to separate from add/delete from modify permissions at the
> attribute level. However, could I specify a single user to add/delete? How
> can I do that?
I think you should read carefully the slapd.access man page that comes
with HEAD code
http://www.openldap.org/devel/cvsweb.cgi/doc/man/man5/slapd.access.5
or have a look at the FAQ (a bit older, but basically correct)
http://www.openldap.org/faq/data/cache/447.html
because there are so many specific cases you may want to configure
access for. Basically you may want to give access to a specific
set of attributes, which may belong to a specific entry or to a
subtree or to the whole tree. To give a specific user write
permissions you must use its DN.
So an example ACL for attributes regardless of the entry they belong
to is (assuming your dn is "cn=Alejandra,dc=your,dc=org"):
access to attrs=entry,mail,description
        by dn.exact="cn=Alejandra,dc=your,dc=org" write
        by * read
Note that you need "entry" access to be allowed to write the attributes
(here write means add/modify/delete).
If you want to give access to the same attributes but only in the
"ou=Foo" subtree:
access to dn.subtree="ou=Foo,dc=your,dc=org" attrs=entry,mail,description
        by dn.exact="cn=Alejandra,dc=your,dc=org" write
        by * read
You can make this ACL much more powerful by defining a group of people
with the same access rights and by delegating access to the members
of the group.
Pierangelo.
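As an added illustration (not part of Pierangelo's message or of OpenLDAP itself), here is a small Python model of how slapd selects the applicable clause for the ACLs above, with a group-based clause of the kind the last paragraph suggests. The group name "cn=Mail Admins" and its member table are constructed assumptions.

```python
# Added example (not OpenLDAP code): a model of slapd's first-match ACL evaluation
# as described in slapd.access(5): the first "access to" clause whose target matches
# the entry and attribute is selected, and within it the first matching "by" clause
# fixes the access level. Only dn.exact, dn.subtree, attrs, group and "*" are modeled.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

def dn_in_subtree(dn, base):
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)

# Constructed group membership table (hypothetical group, not from the message).
GROUPS = {"cn=Mail Admins,ou=Groups,dc=your,dc=org": {"cn=bob,dc=your,dc=org"}}

# The subtree-scoped ACL from the message first, then a tree-wide group-based one.
ACLS = [
    {"to": {"dn_subtree": "ou=Foo,dc=your,dc=org",
            "attrs": {"entry", "mail", "description"}},
     "by": [("dn_exact", "cn=Alejandra,dc=your,dc=org", "write"), ("*", None, "read")]},
    {"to": {"attrs": {"entry", "mail", "description"}},
     "by": [("group", "cn=Mail Admins,ou=Groups,dc=your,dc=org", "write"),
            ("*", None, "read")]},
]

def target_matches(to, entry_dn, attr):
    if "dn_subtree" in to and not dn_in_subtree(entry_dn, to["dn_subtree"]):
        return False
    return "attrs" not in to or attr in to["attrs"]

def who_matches(kind, value, requester):
    if kind == "*":
        return True
    if kind == "dn_exact":
        return requester.lower() == value.lower()
    return kind == "group" and requester.lower() in GROUPS.get(value, set())

def access_level(requester, entry_dn, attr, acls=ACLS):
    for acl in acls:
        if target_matches(acl["to"], entry_dn, attr):
            for kind, value, level in acl["by"]:
                if who_matches(kind, value, requester):
                    return level
            return "none"  # target matched but no "by" matched: implicit "by * none"
    return "none"          # nothing matched: implicit trailing "access to * by * none"

def can_modify(requester, entry_dn, attr, acls=ACLS):
    """add/modify/delete of `attr` needs write on it AND on the "entry" pseudo-attribute."""
    return all(LEVELS.index(access_level(requester, entry_dn, a, acls)) >= LEVELS.index("write")
               for a in (attr, "entry"))
```

Because the subtree clause comes first, a group member writing under "ou=Foo" is stopped by that clause's "by * read" and the group clause is never consulted; ordering matters as much as the clauses themselves.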