
Allowing ou creation



Hi,

I got a hierarchy like this:

o=basedn
ou=adressbooks
ou=domain,ou=adressbooks,o=basedn.
ou=someuserid,ou=domain,ou=adressbooks,o=basedn.

Now, I do not want to give the user the opportunity to delete the whole
ou=domain,ou=adressbooks,o=basedn

but I would like to let the user create and control an ou=someuserid
below this ou.

The question then becomes:

a) If I make an ACL like this:

access to dn="ou=(.*),ou=adressbooks,o=basedn"
  by dn="uid=(.*),ou=users,ispmanDomain=$1,o=basedn" write
  by * none

Can the user then delete other entries below the ou=domain based on
this ACL? 

I've tried this: (using read instead of write in the above ACL)

access to dn.subtree="ou=(.*),ou=(.*),ou=adressbooks,o=basedn"
  by dn="uid=$1,ou=users,ispmanDomain=$2,o=ispman" write
  by * none

But it gives me access denied, cannot write to parent.

Has anyone had this problem before? Giving creation rights just below a
dn w/o giving the right to modify the dn?

Also, has anyone got a sample ACL for allowing modification of a dn
based on if you are the creator?

I would also like to thank Quanah Gibson-Mount and Steve Rigler for
answering my other question. 

Tarjei
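An added example, not taken from Tarjei's post or from the OpenLDAP project, of the slapd.conf ACL shape that addresses the "cannot write to parent" error: adding or deleting an entry needs write access to the parent's "children" pseudo-attribute, which can be granted on its own without giving write access to the parent's other attributes. It assumes OpenLDAP 2.2+ ACL syntax, the poster's tree, and that a user's own container is named ou=<uid>; the users container ou=users,ispmanDomain=<domain>,o=basedn is taken from the post.

```conf
# Added example (not from the original post).  Assumes OpenLDAP 2.2+
# slapd.conf ACL syntax, the poster's tree, and that a user's own
# container is named ou=<uid>.  Regex patterns are matched against the
# normalised DN (no spaces after commas).  Order matters: the first
# "access to" clause whose target and attribute match is the one used.

# 1. Parent ou=<domain>: domain users may add/delete entries below it
#    ("children" pseudo-attribute only), so the parent itself stays
#    untouchable.  $1 is the domain captured from the target DN.
access to dn.regex="^ou=([^,]+),ou=adressbooks,o=basedn$" attrs=children
  by dn.regex="^uid=[^,]+,ou=users,ispmanDomain=$1,o=basedn$" write
  by * none

# 2. Parent ou=<domain>, all other attributes (including "entry"):
#    read only, so nobody can modify, rename or delete the container.
access to dn.regex="^ou=([^,]+),ou=adressbooks,o=basedn$"
  by dn.regex="^uid=[^,]+,ou=users,ispmanDomain=$1,o=basedn$" read
  by * none

# 3. Direct children ou=<uid>: only the matching uid gets write
#    (entry, children and all attributes); other domain users read.
#    Deleting ou=<uid> needs write on this entry (here) plus write on
#    the parent's children (rule 1), so only the owner can delete it.
access to dn.regex="^ou=([^,]+),ou=([^,]+),ou=adressbooks,o=basedn$"
  by dn.regex="^uid=$1,ou=users,ispmanDomain=$2,o=basedn$" write
  by dn.regex="^uid=[^,]+,ou=users,ispmanDomain=$2,o=basedn$" read
  by * none

# 4. Everything deeper under ou=<uid>: same owner rule as rule 3.
access to dn.regex="^.*,ou=([^,]+),ou=([^,]+),ou=adressbooks,o=basedn$"
  by dn.regex="^uid=$1,ou=users,ispmanDomain=$2,o=basedn$" write
  by * none
```

Rules 3 and 4 answer the ownership question by tying it to the uid embedded in the entry's name rather than to who created it, which avoids depending on operational attributes during the add itself. Test the set with slapacl(8) against each operation (add, modify, delete on both the parent and a child) before deploying it.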