Re: ACL: protect entry but not children
Allow me to try and answer my own question :-|
> Given a subtree "dc=example,dc=com"
> we want to be able to add sub-entries to that tree, but at the same
> time we want to protect the "dc=example,dc=com" itself.
> If possible without naming all attributes.
>
a real-life solution:
# this lets you auth
# and lets you modify existing admins
# the .one is to protect any (illegal) sublevels
access to dn.one="users=managers,aservice=_managers,application=cc"
    by group="group=managers,aservice=_managers,application=cc" write
    by anonymous auth
# this lets you add and delete admins
access to dn="users=managers,aservice=_managers,application=cc"
    attrs=children
    by group="group=managers,aservice=_managers,application=cc" write
# This protects the entry
access to dn="users=managers,aservice=_managers,application=cc"
    by group="group=managers,aservice=_managers,application=cc" read
-------
Is this a good way to do it?
Are there smarter ways?
If you think it's the right solution, I'll make a FAQ entry for it.
(but with generalized identifiers, like example.com)
_Ace
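
The effect of the three rules above, as an added example that is not part of the original post: a simplified Python model of slapd's first-match ACL evaluation (not OpenLDAP's code). The `MANAGER` subject token standing for a bound member of the group, the sample child DNs, and the naive string comparison of DNs are assumptions of the model.

```python
# Simplified model of slapd first-match ACL evaluation (added example, not OpenLDAP code).
LEVELS = ["none", "auth", "read", "write"]  # ordered subset of slapd's access levels
BASE = "users=managers,aservice=_managers,application=cc"
GROUP = "group=managers,aservice=_managers,application=cc"
MANAGER = "group:" + GROUP  # assumption: token for a bound member of that group

# (scope, base DN, attrs or None for "all attributes", [(who, level), ...]) in config order
ACLS = [
    ("one",   BASE, None,         [(MANAGER, "write"), ("anonymous", "auth")]),
    ("exact", BASE, {"children"}, [(MANAGER, "write")]),
    ("exact", BASE, None,         [(MANAGER, "read")]),
]

def dn_matches(scope, base, dn):
    dn, base = dn.lower(), base.lower()
    if scope == "exact":
        return dn == base
    # "one": the DN sits exactly one RDN below the base (naive split, no escaped commas)
    head, sep, tail = dn.partition(",")
    return sep == "," and head != "" and tail == base

def granted(who, dn, attr):
    """Access level given by the first <what> clause that matches dn and attr."""
    for scope, base, attrs, by in ACLS:
        if dn_matches(scope, base, dn) and (attrs is None or attr in attrs):
            for subject, level in by:
                if subject == who:
                    return level
            return "none"  # implicit trailing "by * none"; later clauses are not tried
    return "none"  # implicit final "access to * by * none"

def allowed(who, dn, attr, need):
    return LEVELS.index(granted(who, dn, attr)) >= LEVELS.index(need)

def can_add_child(who, child_dn):
    # An add needs write on the parent's "children" and on the new entry's "entry"
    parent = child_dn.partition(",")[2]
    return (allowed(who, parent, "children", "write")
            and allowed(who, child_dn, "entry", "write"))
```

Moving the third rule above the second in `ACLS` makes the `children` lookup on the parent stop at `read`, which is why the `attrs=children` clause has to come first.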