
Re: ACL: protect entry but not children



Ha Tony,

> 
> Actually, I'm not quite sure what the problem was in the first place.

The main problem is that I can not find any good documentation about 
ACLs.

> I find it obvious and self explanatory.

That's where we differ - although I have worked with computers and software 
for more than 20 years now, I have been very much confused by LDAP 
ACLs. Have never used NDS, though. Maybe a lack of education ;-)

What is, for instance, the difference between

A.
access to dn=".*,dc=example,dc=com"
	by users write

and 

B.
access to dn="dc=example,dc=com" attrs=children
	by users write

???

Experimenting with these ACLs and LdapExplorer, repeatedly and 
hopefully systematically testing things, I came up with the 
following diagrams:
A.

dc=example,dc=com             - no access
|
|-dc=www,dc=example,dc=com    - can modify, but not add or delete.
|   |
|   |-server=localhost,dc=www,dc=example,dc=com -- add, delete, modify


B.
dc=example,dc=com             - no access
|
|-dc=www,dc=example,dc=com    - can add or delete, not modify
|   |
|   |-server=localhost,dc=www,dc=example,dc=com -- ??


Actually, I am not even sure that's exactly how it is.

As you see, I am "confused and dazed, but trying to continue".

And how does

dn.children="dc=example,dc=com" 

differ from

dn="dc=example,dc=com" attrs=children 

?


> Again I'd point out that it's hard to get a visual idea of an LDAP
> hierarchy without drawing it on "paper" first. In this respect, I don't

Oh, we've drawn a whole lot on paper :-(

> think I'd have got as far as I have with LDAP (I'm still in the
> kindergarten, by the way) without GQ to practice dragging and dropping
> on and telling me what is allowed and not. Then one can go ahead with

Empirical Science is Great, but hey, there must be Exact rules for 
all this... I just can't find them!

> the Openldap clients and confirm things. GQ also gives excellent
> instruction in what objectClasses and attributes are allowed together
> and what's allowed in those attributes. And why, which is the most
> important bit.

I haven't used GQ, I'll look into that, thanks.

Cheers,
ace