[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL for only creating entry

To: openldap-software@OpenLDAP.org
Subject: Re: ACL for only creating entry
From: Ace Suares <ace@suares.nl>
Date: Sat, 13 Dec 2003 19:58:44 -0400
Content-description: clearsigned data
Content-disposition: inline
In-reply-to: <1118.209.16.240.20.1071315541.squirrel@mail.theoretic.com>
Organization: Ace Suares' Internet Consultancy
References: <1118.209.16.240.20.1071315541.squirrel@mail.theoretic.com>
User-agent: KMail/1.5.1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi,

what I once did was this:

access to dn.regex="uid=(.+),ou=users,dc=example,dc=com"
	by dn.regex="uid=$1,ou=users,dc=example,dc=com" read
	by * none

access to dn.exact="ou=users,dc=example,dc=com" attrs=children
	by dn.exact="%WEBSERVER%" write
	by * none

I think that it worked. But then later, it seemd not to work.

The idea was: some user (in this case your webserver account) can make entries 
under ou=users,dc=example,dc=com.
But at the same time, the new entry doesn't exist yet, and won't match the 
first rule.

Hence, creation is possible, but modifaction or deletion not. In this example. 
users can read their own entry once created.

But I am not sure if this or a similar solution worked...

_Ace

website: http://www.suares.nl * http://www.qwikzite.nl
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)

iD8DBQE/26e1y7boE8xtIjURApjPAKCJ/M94uZ8UsnTxA8GB2ml5nAERnQCdGqRk
zKgGL2kNxtq1nbueMUo57qE=
=Tbz8
-----END PGP SIGNATURE-----

References:
- ACL for only creating entry
  - From: <adamtheo@theoretic.com>

Prev by Date: Re: no structuralObject in entry?
Next by Date: ACL for only creating entry
Index(es):
- Chronological
- Thread