Re: ACL: protect entry but not children
About GQ: I used a Suse package and didn't look at compiling it
myself ;-)
> ACLs are access control lists. For every search an LDAP server does, it
> goes through its ACLs. Sequentially, in the case of OpenLDAP. For
> OpenLDAP, you store the ACLs inside the slapd.conf file. For iPlanet,
> they are stored in the LDAP directory itself.
... and, OpenLDAP is in the process of doing the same (ACIs).
>
> For each request, OpenLDAP will go through the ACLs from top to
> bottom until it finds a match. Then it will stop and go no further.
... unless you make use of the 'control' statement in the ACL.
{snip}
>
> OpenLDAP ACLs can contain regular expressions to match strings in
> a more powerful way, so that you do not need to write so many ACL
> lines.
Thank you. I am using regular expressions, as you can see.
If you know of a way to write things shorter and more elegant, I'd
love to hear it.
My main stumbling blocks are:
- How do you stop people from modifying an entry, but still be able
  to add, delete and modify children of that entry?
- How do you prohibit the creation of certain entries? For instance,
  how do you prohibit creation of
      "luser=someone,dc=example,dc=com"
  but allow creation of
      "user=someone,dc=example,dc=com"
  and, by the way, also disallow the creation of
      "myattr=something,user=someone,dc=example,dc=com"
- What is the difference between
      access to dn=".*,dc=example,dc=com"
      access to dn="dc=example,dc=com" attrs=children
      access to dn.children="dc=example,dc=com"
      access to dn.subtree="dc=example,dc=com"
      access to dn="dc=example,dc=com"
- Does the following make any sense:
      access to dn.children="dc=example,dc=com" attrs=children
  and if so, what does it do?
Thanks for all your help!
ace