subtree and children dnstyles
I am interested in allowing users to write (delete) a particular branch
of my DIT, which means the top node and everything below it. For example:
dn: ou=Widgets, o=mentata.com
objectclass: top
objectclass: organizationalunit
ou: Widgets

dn: ou=C, ou=Widgets, o=mentata.com
objectclass: top
objectclass: organizationalunit
ou: C

dn: ou=X, ou=C, ou=Widgets, o=mentata.com
objectclass: top
objectclass: organizationalunit
ou: X
I want an authorized user to be able to delete all three entries. In my
slapd.conf:
access to dn.sub="ou=Widgets,o=mentata.com"
    by dn="uid=authorized,ou=People,o=mentata.com" write
    by * read
My authorized identity gets an LDAP 50 (Insufficient Access Rights)
error code when attempting to delete ou=Widgets, although there is no
issue deleting C or X.
From the slapd.access man page:
sub (synonym of subtree) indicates all entries in the subtree at the
<dnpattern>, children indicates all the entries below (subordinate to)
the <dnpattern>
What is the difference exactly? I would expect both of these to grant
the privilege to delete entries C and X when used with the access
control statement and data above, and was assuming that sub would
further give access to the ou=Widgets node. Apparently that's wrong, so
now I don't understand the distinction.
Furthermore, is there a way to grant a <WHO> the ability to delete an
entire branch, including the top node, without using regex style or
multiple access control statements?
Jon Roberts
www.mentata.com
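The following slapd.conf fragment is an added example, not part of the original post. It assumes the delete rule documented in slapd.access(5): removing an entry requires write access to the entry itself and write access to the "children" pseudo-attribute of its parent, which is why the single dn.sub clause above is not enough for ou=Widgets even though dn.sub does include the base entry (dn.children would cover only ou=C and ou=X). The identity and DNs are the ones from the post.

```conf
# Added example: ACLs that let uid=authorized delete ou=Widgets and everything
# below it, while granting nothing else on o=mentata.com.
# Assumption (slapd.access(5)): deleting an entry needs write access to the
# entry AND write access to the parent's "children" pseudo-attribute.

# 1. The parent of the branch top. Only the "children" pseudo-attribute is
#    opened up, so the authorized user can remove (or add) entries directly
#    under o=mentata.com but cannot modify o=mentata.com itself.
access to dn.base="o=mentata.com" attrs=children
    by dn="uid=authorized,ou=People,o=mentata.com" write
    by * read

# 2. The branch itself. dn.sub (synonym: dn.subtree) matches ou=Widgets plus
#    all of its descendants; dn.children would match only the descendants.
#    No attrs= clause, so this covers the entry/children pseudo-attributes of
#    every entry in the branch, which is what deleting ou=C and ou=X requires.
access to dn.sub="ou=Widgets,o=mentata.com"
    by dn="uid=authorized,ou=People,o=mentata.com" write
    by * read
```

The two clauses match disjoint targets, so their relative order in slapd.conf does not matter here; put both before any broader "access to *" clause, since slapd uses the first matching clause.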