[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL: protect entry but not children

To: openldap-software@OpenLDAP.org
Subject: Re: ACL: protect entry but not children
From: "Ace Suares" <ace@suares.com>
Date: Sun, 8 Sep 2002 11:16:37 -0400
Content-description: Mail message body
In-reply-to: <1031471143.1407.43.camel@billy.demon.nl>
References: <3D7A28B8.935.FF8317@localhost>

Ha Tony,

> 
> Actually, I'm not quite sure what the problem was in the first place.

The main problem is that I can not find any good documentation about 
ACL's.

> I find it obvious and self explanatory.

That's where we differ - although I work with computers and software 
for more then 20 years now, I have been very much confused with LDAP 
ACL's. Have never used NDS, though. Maybe a lack in education ;-)

What is, for instance, the difference between

A.
access to dn=".*,dc=example.dc=com"
	by users write

and 

B.
access to dn="dc=example.dc=com" attrs=children
	by users write

???

Experimenting with these ACL's and LdapExplorer to repeateadly and 
hoepfully systematically testing things, I came up with the 
following diagram:
A.

dc=example,dc=com             - no access
|
|-dc=www,dc=example,dc=com    - can modify, but not add or delete.
|   |
|   |-server=localhost,dc=www,dc=example.com -- add, delete, modify


B.
dc=example,dc=com             - no access
|
|-dc=www,dc=example,dc=com    - can add or delete, not modify
|   |
|   |-server=localhost,dc=www,dc=example.com -- ??


Actually, I am not even sure that's exactly how it is.

As you see, I am "confused and dazed, but trying to continue".

And how does

dn.children="dc=example,dc=com" 

differ from

dn="dc=example,dc=com" attrs=children 

?


> Again I'd point out that it's hard to get a visual idea of an LDAP
> hierarchy without drawing it on "paper" first. In this respect, I don't

Oh, we've drawn a whole lot on paper :-(

> think I'd have got as far as I have with LDAP (I'm still in the
> kindergarten, by the way) without GQ to practice dragging and dropping
> on and telling me what is allowed and not. Then one can go ahead with

Emperical Science is Great, but hey, there must be Exact rules for 
all this... I just can't find them !

> the Openldap clients and confirm things. GQ also gives excellent
> instruction in what objectClasses and attributes are allowed together
> and what's allowed in those attributes. And why, which is the most
> important bit.

I haven't used GQ, I'll look into that, thanks.

Cheers,
ace

Follow-Ups:
- Re: ACL: protect entry but not children
  - From: "Ace Suares" <ace@suares.com>
- Re: ACL: protect entry but not children
  - From: "Ace Suares" <ace@suares.com>

References:
- Re: ACL: protect entry but not children
  - From: "Ace Suares" <ace@suares.com>
- Re: ACL: protect entry but not children
  - From: Tony Earnshaw <tonni@billy.demon.nl>

Prev by Date: Re: BackUp on-line
Next by Date: RE: remote searches
Index(es):
- Chronological
- Thread