Re: ACL: protect entry but not children
Ha Tony,
>
> Actually, I'm not quite sure what the problem was in the first place.
The main problem is that I cannot find any good documentation about
ACLs.
> I find it obvious and self explanatory.
That's where we differ - although I have worked with computers and software
for more than 20 years now, I have been very much confused by LDAP
ACLs. I have never used NDS, though. Maybe a lack in education ;-)
What is, for instance, the difference between
A.
access to dn=".*,dc=example.dc=com"
by users write
and
B.
access to dn="dc=example.dc=com" attrs=children
by users write
???
Experimenting with these ACLs and using LdapExplorer to repeatedly and
hopefully systematically test things, I came up with the
following diagram:
A.
dc=example,dc=com - no access
|
|-dc=www,dc=example,dc=com - can modify, but not add or delete.
| |
| |-server=localhost,dc=www,dc=example.com -- add, delete, modify
B.
dc=example,dc=com - no access
|
|-dc=www,dc=example,dc=com - can add or delete, not modify
| |
| |-server=localhost,dc=www,dc=example.com -- ??
Actually, I am not even sure that's exactly how it is.
As you see, I am "confused and dazed, but trying to continue".
And how does
dn.children="dc=example,dc=com"
differ from
dn="dc=example,dc=com" attrs=children
?
> Again I'd point out that it's hard to get a visual idea of an LDAP
> hierarchy without drawing it on "paper" first. In this respect, I don't
Oh, we've drawn a whole lot on paper :-(
> think I'd have got as far as I have with LDAP (I'm still in the
> kindergarten, by the way) without GQ to practice dragging and dropping
> on and telling me what is allowed and not. Then one can go ahead with
Empirical Science is Great, but hey, there must be Exact rules for
all this... I just can't find them!
> the Openldap clients and confirm things. GQ also gives excellent
> instruction in what objectClasses and attributes are allowed together
> and what's allowed in those attributes. And why, which is the most
> important bit.
I haven't used GQ, I'll look into that, thanks.
Cheers,
ace