
Re: ACL: protect entry but not children
Allow me to try and answer my own question :-|

> Given a subtree "dc=example,dc=com"
> we want to be able to add sub-entries to that tree, but at the same 
> time we want to protect the "dc=example,dc=com" itself.
> If possible without naming all attributes.
> 
a real-life solution:

# Entries one level below the container (the individual admins):
# the managers group may modify them, and anyone may authenticate
# (bind) as them. The .one style keeps this from leaking to any
# (illegal) deeper sublevels.
access to dn.one="users=managers,aservice=_managers,application=cc"
   by group="group=managers,aservice=_managers,application=cc" write
   by anonymous auth

# The children pseudo-attribute of the container: write here is what
# lets the managers group add and delete admin entries.
# (continuation lines in slapd.conf must start with whitespace)
access to dn="users=managers,aservice=_managers,application=cc"
   attrs=children
   by group="group=managers,aservice=_managers,application=cc" write

# The container entry itself and its attributes: read only, so the
# entry is protected while its children remain writable.
access to dn="users=managers,aservice=_managers,application=cc"
   by group="group=managers,aservice=_managers,application=cc" read

-------

Is this a good way to do it?
Are there smarter ways?

If you think it's the right solution, I'll make a faq entry for it.
(but with generalized identifiers, like example.com)
_Ace
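To make the first-match evaluation behind these three clauses concrete, below is a small Python model of how slapd walks an access list (an added example, not code from the post or from OpenLDAP). It models only what the post uses: the plain `dn=` (exact) and `dn.one=` target styles, the `children` pseudo-attribute, `group`/`anonymous` subjects, the privilege ordering from slapd.access(5), and the implicit trailing `access to * by * none`. The bind DNs `uid=alice,...` and `uid=bob,...` and the group memberships are constructed for the scenarios; the container and group DNs are the ones from the post.

```python
"""Toy model of slapd ACL evaluation (simplified, see lead-in for what is modelled)."""
from dataclasses import dataclass, field
from typing import Optional

# Privilege levels in increasing order; a grant of one level implies all lower
# ones (write implies read, read implies auth, ...), as in slapd.access(5).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


@dataclass
class By:
    who: str                      # "group", "anonymous" or "*"
    level: str                    # one of LEVELS
    group: str = ""               # group DN when who == "group"


@dataclass
class To:
    dn: str
    style: str = "exact"          # "exact" (plain dn=) or "one" (dn.one=)
    attrs: Optional[str] = None   # None = all attrs incl. pseudo-attrs; "children" = only that
    by: list = field(default_factory=list)


@dataclass
class Subject:
    dn: Optional[str] = None      # None = anonymous (unbound) connection
    groups: frozenset = frozenset()


def norm(dn: str) -> str:
    """Cheap DN normalisation: trim and lowercase each RDN (toy, not RFC 4514)."""
    return ",".join(p.strip().lower() for p in dn.split(","))


def parent_dn(dn: str) -> str:
    return dn.split(",", 1)[1] if "," in dn else ""


def to_matches(clause: To, target_dn: str, attr: str) -> bool:
    if clause.style == "exact":
        dn_ok = norm(target_dn) == norm(clause.dn)
    elif clause.style == "one":
        # dn.one: entries exactly one level below the pattern, never the pattern itself
        dn_ok = norm(parent_dn(target_dn)) == norm(clause.dn)
    else:
        raise ValueError("unsupported style " + clause.style)
    if not dn_ok:
        return False
    # No attrs= means the clause covers every attribute, including the entry and
    # children pseudo-attributes; attrs=children covers only that pseudo-attribute.
    return clause.attrs is None or clause.attrs == attr


def by_matches(by: By, subject: Subject) -> bool:
    if by.who == "*":
        return True
    if by.who == "anonymous":
        return subject.dn is None
    if by.who == "group":
        return norm(by.group) in {norm(g) for g in subject.groups}
    raise ValueError("unsupported who " + by.who)


def granted_level(acl: list, subject: Subject, target_dn: str, attr: str) -> str:
    """The first clause whose <what> matches decides; within it the first matching
    <who> decides. Anything unmatched falls through to the implicit 'by * none'."""
    for clause in acl:
        if to_matches(clause, target_dn, attr):
            for by in clause.by:
                if by_matches(by, subject):
                    return by.level
            return "none"
    return "none"


def allowed(acl: list, subject: Subject, target_dn: str, attr: str, wanted: str) -> bool:
    return LEVELS.index(granted_level(acl, subject, target_dn, attr)) >= LEVELS.index(wanted)


# The three clauses from the post, in the order posted.
CONTAINER = "users=managers,aservice=_managers,application=cc"
MANAGERS = "group=managers,aservice=_managers,application=cc"
POSTED_ACL = [
    To(CONTAINER, "one", None, [By("group", "write", MANAGERS), By("anonymous", "auth")]),
    To(CONTAINER, "exact", "children", [By("group", "write", MANAGERS)]),
    To(CONTAINER, "exact", None, [By("group", "read", MANAGERS)]),
]
# Same clauses with the last two swapped, to show why the order matters.
SWAPPED_ACL = [POSTED_ACL[0], POSTED_ACL[2], POSTED_ACL[1]]


def run_checks(acl: list) -> dict:
    """Constructed subjects: alice is a manager (group member), bob is not, plus anonymous."""
    manager = Subject("uid=alice," + CONTAINER, frozenset({MANAGERS}))
    outsider = Subject("uid=bob,users=staff,application=cc")
    anon = Subject()
    child = "uid=alice," + CONTAINER
    return {
        "manager_modifies_existing_admin": allowed(acl, manager, child, "mail", "write"),
        "manager_adds_admin": allowed(acl, manager, CONTAINER, "children", "write"),
        "manager_reads_container": allowed(acl, manager, CONTAINER, "description", "read"),
        "manager_modifies_container": allowed(acl, manager, CONTAINER, "description", "write"),
        "anon_binds_as_admin": allowed(acl, anon, child, "userPassword", "auth"),
        "anon_reads_admin": allowed(acl, anon, child, "mail", "read"),
        "outsider_reads_container": allowed(acl, outsider, CONTAINER, "description", "read"),
    }


if __name__ == "__main__":
    for name, acl in (("posted", POSTED_ACL), ("swapped", SWAPPED_ACL)):
        print(name)
        for k, v in run_checks(acl).items():
            print(f"  {k}: {v}")
```

The interesting result is `manager_adds_admin`: with the posted order it is granted through the `attrs=children` clause, but with the last two clauses swapped the clause without `attrs=` matches the `children` pseudo-attribute first and yields only `read`, so adds and deletes are refused even though nothing else changes. That is the property to preserve when generalizing the snippet to `dc=example,dc=com`.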