
Re: ACL: protect entry but not children



About GQ: I used a Suse package and didn't look at compiling it 
myself ;-)

> ACL's are access control lists. For every search an LDAP server does, it
> goes through its ACL's. Sequentially, in the case of OpenLDAP. For
> OpenLDAP, you store the ACL's inside the slapd.conf file. For iPlanet,
> they are stored in the LDAP directory itself.
... and OpenLDAP is in the process of doing the same (ACI's).
> 
> For each request, OpenLDAP will go through the ACL's from top to
> bottom until it finds a match. Then it will stop and go no further.
... unless you make use of the 'control' statement in the ACL.

{snip}
> 
> OpenLDAP ACL's can contain regular expressions to match strings in
> a more powerful way, so that you do not need to write so many ACL
> lines.

Thank you. I am using regular expressions, as you can see.
If you know of a way to write things shorter and more elegant, I'd 
love to hear it.

My main stumbling blocks are:

- How do you stop people from modifying an entry, but still be able 
to add, delete and modify children of that entry?

- How do you prohibit the creation of certain entries, for instance, 
how do you prohibit creation of 
"luser=someone,dc=example,dc=com"

but allow creation of 

"user=someone,dc=example,dc=com"

and, by the way, also disallow the creation of

"myattr=something,user=someone,dc=example,dc=com"

- What is the difference between
access to dn=".*,dc=example,dc=com"

access to dn="dc=example,dc=com" attrs=children

access to dn.children="dc=example,dc=com"

access to dn.subtree="dc=example,dc=com"

access to dn="dc=example,dc=com"

- does the following make any sense:

access to dn.children="dc=example,dc=com" attrs=children

and if so, what does it do?

Thanks for all your help!

ace
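The following slapd.conf fragment is an added example, not part of the thread, showing one way to address the first two questions above (protect the base entry but allow children to be added and deleted, and permit only "user=..." entries directly under the base); it assumes OpenLDAP 2.1+ "dn.<style>" syntax and a constructed group cn=ldapadmins,dc=example,dc=com.

```conf
# Added example, not from the original thread. Assumes OpenLDAP 2.1+ and
# a group cn=ldapadmins,dc=example,dc=com (constructed for illustration).

# 1. Admins may add/delete entries directly under the base, but nobody may
#    modify the base entry itself: write is granted only on the "children"
#    pseudo-attribute, everything else on the base entry is read-only.
#    This clause must precede the general one: the first matching clause
#    (by target DN and attribute) wins.
access to dn.base="dc=example,dc=com" attrs=children
        by group.exact="cn=ldapadmins,dc=example,dc=com" write
        by * read

access to dn.base="dc=example,dc=com"
        by * read

# 2. Nobody may create entries below a user entry (e.g.
#    myattr=something,user=someone,dc=example,dc=com): no write on the
#    user entry's "children" pseudo-attribute.
access to dn.regex="^user=[^,]+,dc=example,dc=com$" attrs=children
        by * read

# 3. Only entries named user=<something> directly under the base may be
#    created or changed. The regex is anchored at both ends, so
#    "luser=someone,dc=example,dc=com" does not match. Adding an entry
#    requires write on its own "entry" pseudo-attribute (plus write on
#    the parent's "children", granted in clause 1); this clause grants it.
access to dn.regex="^user=[^,]+,dc=example,dc=com$"
        by group.exact="cn=ldapadmins,dc=example,dc=com" write
        by * read

# 4. Everything else in the subtree is read-only. An attempt to add
#    luser=... or a grandchild entry is denied because write on that
#    entry's "entry" pseudo-attribute is never granted.
access to dn.subtree="dc=example,dc=com"
        by * read
```

Before deploying, verify the intended outcome with `slapacl` against a test DN and the group's identity, since a mis-ordered or unanchored regex clause silently widens what is granted.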