Allowing ou creation
Hi,
I've got a hierarchy like this:
o=basedn
ou=adressbooks
ou=domain,ou=adressbooks,o=basedn.
ou=someuserid,ou=domain,ou=adressbooks,o=basedn.
Now, I do not want to give the user the opportunity to delete the whole
ou=domain,ou=adressbooks,o=basedn
but I would like to let the user create and control an ou=someuserid
below this ou.
The question then becomes:
a) If I make an ACL like this:
access to dn="ou=(.*),ou=adressbooks,o=basedn"
        by dn="uid=(.*),ou=users,ispmanDomain=$1,o=basedn" write
        by * none
Can the user then delete other entries below the ou=domain based on
this ACL?
I've tried this: (using read instead of write in the above ACL)
access to dn.subtree="ou=(.*),ou=(.*),ou=adressbooks,o=basedn"
        by dn="uid=$1,ou=users,ispmanDomain=$2,o=ispman" write
        by * none
But it gives me access denied, cannot write to parent.
Has anyone had this problem before? Giving creation rights just below a
dn w/o giving the right to modify the dn?
Also, has anyone got a sample ACL for allowing modification of a dn
based on whether you are the creator?
I would also like to thank Quanah Gibson-Mount and Steve Rigler for
answering my other question.
Tarjei
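As an added example (not from the original post) of how slapd's ACL checks map onto this hierarchy: an add is checked against the parent entry's "children" pseudo-attribute, which is what the "cannot write to parent" failure above refers to, so creation rights below a dn can be granted separately from rights to the dn itself. The clauses assume OpenLDAP 2.1 or later syntax, the o=basedn suffix and the uid/ispmanDomain naming from the post; the dnattr=creatorsName clause for creator-based modification is an assumption about that operational attribute being usable with dnattr.

```conf
# Added example, not from the original post. Assumes OpenLDAP 2.1+ ACL
# syntax: "entry"/"children" pseudo-attributes, dn.regex selectors and
# $N expansion of "to" regex groups inside "by" clauses.

# 1. Users of a domain may add or delete entries directly under
#    ou=<domain>,ou=adressbooks,o=basedn, but may not modify or delete
#    that ou itself: write is granted only on its "children"
#    pseudo-attribute, not on "entry" or on its regular attributes.
access to dn.regex="^ou=([^,]+),ou=adressbooks,o=basedn$" attrs=children
        by dn.regex="^uid=[^,]+,ou=users,ispmanDomain=$1,o=basedn$" write
        by * none

# The domain's container entry itself stays read-only for those users
# (no write on "entry" means no delete and no modify of the ou).
access to dn.regex="^ou=([^,]+),ou=adressbooks,o=basedn$"
        by dn.regex="^uid=[^,]+,ou=users,ispmanDomain=$1,o=basedn$" read
        by * none

# 2. Full control of ou=<uid>,ou=<domain>,ou=adressbooks,o=basedn and of
#    everything beneath it, only for the user whose uid equals the ou
#    name: $2 is the uid group and $3 the domain group of the "to"
#    pattern. No attrs list, so "entry" and "children" are covered too,
#    which the add of the ou needs and which lets the user create
#    entries inside it afterwards. A delete of ou=<uid> additionally
#    needs write on the parent's "children", granted by rule 1.
#    The dnattr clause (assumed to work with the operational attribute
#    creatorsName) also lets whoever created an entry modify it.
access to dn.regex="^(.+,)?ou=([^,]+),ou=([^,]+),ou=adressbooks,o=basedn$"
        by dn.regex="^uid=$2,ou=users,ispmanDomain=$3,o=basedn$" write
        by dnattr=creatorsName write
        by * none
```

Rule order matters: slapd uses the first "access to" clause whose target and attribute match, so the narrower children-only rule must precede the read-only rule for the same dn.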