subtree and children dnstyles
I am interested in allowing users to write (delete) a particular branch 
of my DIT, which means the top node and everything below it. For example:
dn: ou=Widgets, o=mentata.com
objectclass: top
objectclass: organizationalunit
ou: Widgets

dn: ou=C, ou=Widgets, o=mentata.com
objectclass: top
objectclass: organizationalunit
ou: C

dn: ou=X, ou=C, ou=Widgets, o=mentata.com
objectclass: top
objectclass: organizationalunit
ou: X
I want an authorized user to be able to delete all three entries. In my 
slapd.conf:
access to dn.sub="ou=Widgets,o=mentata.com"
    by dn="uid=authorized,ou=People,o=mentata.com" write
    by * read
My authorized identity gets an LDAP 50 (Insufficient Access Rights) 
error code when attempting to delete ou=Widgets, although there is no 
issue deleting C or X.
From the slapd.access man page:
sub  (synonym  of  subtree) indicates all entries in the subtree at the 
<dnpattern>, children indicates all the entries below (subordinate to) 
the <dnpattern>
What is the difference exactly? I would expect both of these to grant 
the privilege to delete entries C and X when used with the access 
control statement and data above, and was assuming that sub would 
further give access to the ou=Widgets node. Apparently that's wrong, so 
now I don't understand the distinction.
Furthermore, is there a way to grant a <WHO> the ability to delete an 
entire branch, including the top node, without using regex style or 
multiple access control statements?
Jon Roberts
www.mentata.com
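The dn.sub versus dn.children distinction from the quoted man page text, and the two access checks slapd applies to a delete, as an added Python model that is not part of the post and is not slapd's own code: dn.sub covers the entry at <dnpattern> and everything beneath it, dn.children only what is strictly beneath it; and, per the access-control chapter of the OpenLDAP Administrator's Guide, deleting an entry requires write access to that entry's `entry` pseudo-attribute and to its parent's `children` pseudo-attribute. The ACL, the three DNs and the authorized identity are those from the post. The `Acl` class, `access_level` and `can_delete` are simplifying assumptions made here (first matching <what> wins, then the first matching <who>, default none), not slapd's evaluation engine, and the extra `dn.exact="o=mentata.com" attrs=children` clause in `EXTENDED_ACLS` is a constructed illustration of what removing the top node needs under that rule.

```python
# Added model (not slapd's code) of slapd.conf <what> dn styles and of the two
# checks a delete operation needs: write on the entry's "entry" pseudo-attribute
# and write on the parent's "children" pseudo-attribute.

LEVELS = {"none": 0, "read": 1, "write": 2}


def norm(dn):
    """Split a DN into lowercase RDNs, most specific first, dropping spaces after commas."""
    return tuple(rdn.strip().lower() for rdn in dn.split(","))


def dn_in_scope(style, pattern, target):
    """slapd.access(5) <what> semantics for dn.exact, dn.sub and dn.children."""
    p, t = norm(pattern), norm(target)
    if style == "exact":
        return t == p
    if style == "sub":        # the entry at <dnpattern> and everything beneath it
        return len(t) >= len(p) and t[-len(p):] == p
    if style == "children":   # only entries strictly beneath <dnpattern>
        return len(t) > len(p) and t[-len(p):] == p
    raise ValueError(f"unknown dn style: {style}")


def parent_dn(dn):
    """Parent of a DN as a normalised string ('' for a suffix entry)."""
    return ",".join(norm(dn)[1:])


class Acl:
    """One 'access to dn.<style>=<pattern> [attrs=...] by ...' clause (assumed model)."""

    def __init__(self, style, pattern, by, attrs=None):
        self.style, self.pattern, self.by = style, pattern, list(by)
        # attrs=None models an ACL with no attrs clause: it covers every
        # attribute, the entry and children pseudo-attributes included.
        self.attrs = None if attrs is None else frozenset(attrs)

    def covers(self, target, attr):
        return dn_in_scope(self.style, self.pattern, target) and (
            self.attrs is None or attr in self.attrs)


def access_level(acls, who, target, attr):
    """First ACL whose <what> matches wins; within it the first matching <who>."""
    for acl in acls:
        if acl.covers(target, attr):
            for subject, level in acl.by:
                if subject == "*" or norm(subject) == norm(who):
                    return level
            return "none"     # <what> matched but no <who> clause applied
    return "none"             # no ACL matched at all


def can_delete(acls, who, target):
    """Delete: write on the target's 'entry' and on the parent's 'children'."""
    own = access_level(acls, who, target, "entry")
    up = access_level(acls, who, parent_dn(target), "children")
    return LEVELS[own] >= LEVELS["write"] and LEVELS[up] >= LEVELS["write"]


# Identity and entries from the post.
AUTH = "uid=authorized,ou=People,o=mentata.com"
WIDGETS = "ou=Widgets, o=mentata.com"
C = "ou=C, ou=Widgets, o=mentata.com"
X = "ou=X, ou=C, ou=Widgets, o=mentata.com"

# The ACL as written in the post: dn.sub on ou=Widgets, no attrs clause.
POSTED_ACLS = [Acl("sub", "ou=Widgets,o=mentata.com",
                   [(AUTH, "write"), ("*", "read")])]

# Constructed addition: write on the children pseudo-attribute of the parent
# entry, which is what removing ou=Widgets itself needs under the rule above.
EXTENDED_ACLS = [Acl("exact", "o=mentata.com", [(AUTH, "write")],
                     attrs=["children"])] + POSTED_ACLS


if __name__ == "__main__":
    for dn in (WIDGETS, C, X):
        print(f"{dn:42} sub={dn_in_scope('sub', WIDGETS, dn)!s:5} "
              f"children={dn_in_scope('children', WIDGETS, dn)!s:5} "
              f"delete(posted)={can_delete(POSTED_ACLS, AUTH, dn)!s:5} "
              f"delete(extended)={can_delete(EXTENDED_ACLS, AUTH, dn)}")
```

Run as a script, the table shows ou=Widgets inside the dn.sub scope but outside dn.children, and the delete of ou=Widgets failing under the posted ACL for a reason unrelated to the sub/children choice: the parent o=mentata.com, whose children pseudo-attribute the delete touches, is outside both scopes.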