[Date Prev][Date Next] [Chronological] [Thread] [Top]

Allowing ou creation

To: openldap-software@OpenLDAP.org
Subject: Allowing ou creation
From: Tarjei Huse <tarjei@nu.no>
Date: Thu, 13 Nov 2003 12:32:06 +0100

Hi,

I got a hierarcy like this:

o=basedn
ou=adressbooks
ou=domain,ou=adressbooks,o=basedn.
ou=someuserid,ou=domain,ou=adressbooks,o=basedn.

Now, I do not want to give the user the opportunity to delete the whole
ou=domain,ou=adressbooks,o=basedn

but I would like to let the user create and control an ou=someuserid
bellow this ou. 

The question then becomes:

a) If I make an ACL like this:

access to dn="ou=(.*),ou=adressbooks,o=basedn"
  by dn="uid=(.*),ou=users,ispmanDomain=$1,o=basedn" write
  by * none

Can the user then delete other entries bellow the ou=domain based on
this ACL? 

I've tried this: (using read instead of write in the above ACL)

access to dn.subtree="ou=(.*),ou=(.*),ou=adressbooks,o=basedn"
  by dn="uid=$1,ou=users,ispmanDomain=$2,o=ispman" write
  by * none

But it gives me access denied, cannot write to parent.

Has anyone had this problem before? Giving creation rights just bellow a
dn w/o giving the right to modify the dn?

Also, has anyone got a sample ACL for allowing modification of a dn
based on if you are the creator?

I would also like to thank Quanah Gibson-Mount and Steve Rigler for
answering my other question. 

Tarjei

Follow-Ups:
- Re: Allowing ou creation
  - From: Ace Suares <ace@suares.nl>

Prev by Date: (no subject)
Next by Date: tls
Index(es):
- Chronological
- Thread