
subtree and children dnstyles

I am interested in allowing users to write (delete) a particular branch of my DIT, which means the top node and everything below it. For example:

dn: ou=Widgets, o=mentata.com
objectclass: top
objectclass: organizationalunit
ou: Widgets

dn: ou=C, ou=Widgets, o=mentata.com
objectclass: top
objectclass: organizationalunit
ou: C

dn: ou=X, ou=C, ou=Widgets, o=mentata.com
objectclass: top
objectclass: organizationalunit
ou: X

I want an authorized user to be able to delete all three entries. In my slapd.conf:

access to dn.sub="ou=Widgets,o=mentata.com"
    by dn="uid=authorized,ou=People,o=mentata.com" write
    by * read

My authorized identity gets an LDAP 50 (Insufficient Access Rights) error code when attempting to delete ou=Widgets, although there is no issue deleting C or X.

From the slapd.access man page:

sub (synonym of subtree) indicates all entries in the subtree at the <dnpattern>, children indicates all the entries below (subordinate to) the <dnpattern>

What is the difference exactly? I would expect both of these to grant the privilege to delete entries C and X when used with the access control statement and data above, and was assuming that sub would further give access to the ou=Widgets node. Apparently that's wrong, so now I don't understand the distinction.

Furthermore, is there a way to grant a <WHO> the ability to delete an entire branch, including the top node, without using regex style or multiple access control statements?

Jon Roberts
www.mentata.com
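An added example, not part of the post above: a small Python model of how slapd's dn.<style> clauses select entries, run over the DNs from the post. It simplifies DN normalisation to whitespace trimming and case folding (no RFC 4514 escaping), and the "children" style is modelled only as an entry selector; note that slapd.access(5) also makes delete depend on write access to the parent's "children" pseudo-attribute, and the parent o=mentata.com is selected by neither style here.

```python
# Added example (not from the original post or OpenLDAP): a minimal model of
# OpenLDAP ACL dn.<style> matching, to show where "subtree" and "children"
# differ. DN handling is simplified: no RFC 4514 escaping, no multi-valued RDNs.

def normalize_dn(dn: str) -> tuple[str, ...]:
    """Split a DN into RDNs, trimming whitespace and folding case, so that
    'ou=Widgets, o=mentata.com' and 'ou=Widgets,o=mentata.com' compare equal."""
    return tuple(rdn.strip().lower() for rdn in dn.split(","))

def dn_matches(style: str, pattern: str, target: str) -> bool:
    """True if target is selected by an ACL clause 'dn.<style>="<pattern>"'.
    base/exact: the entry itself only
    one:        immediate subordinates only, not the entry
    subtree:    the entry itself and everything below it
    children:   everything below the entry, but not the entry itself"""
    p, t = normalize_dn(pattern), normalize_dn(target)
    # target is below pattern when it is strictly longer and ends with pattern
    below = len(t) > len(p) and t[len(t) - len(p):] == p
    depth = len(t) - len(p)
    if style in ("base", "exact"):
        return t == p
    if style == "one":
        return below and depth == 1
    if style in ("sub", "subtree"):
        return t == p or below
    if style == "children":
        return below
    raise ValueError(f"unknown dn style: {style}")

def selected(style: str, pattern: str, entries: list[str]) -> list[str]:
    """Return the entries (in input order) that the clause selects."""
    return [e for e in entries if dn_matches(style, pattern, e)]

# The DIT from the post, plus the parent of the branch being deleted.
DIT = [
    "o=mentata.com",                              # parent of ou=Widgets
    "ou=Widgets, o=mentata.com",
    "ou=C, ou=Widgets, o=mentata.com",
    "ou=X, ou=C, ou=Widgets, o=mentata.com",
]
PATTERN = "ou=Widgets,o=mentata.com"

if __name__ == "__main__":
    for style in ("base", "one", "children", "subtree"):
        print(f"dn.{style:<8}-> {selected(style, PATTERN, DIT)}")
```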