[Date Prev][Date Next] [Chronological] [Thread] [Top]

One more ACL question

To: openldap-software@openldap.org
Subject: One more ACL question
From: manu@netbsd.org (Emmanuel Dreyfus)
Date: Sun, 6 Jul 2008 12:23:15 +0200
User-agent: MacSOUP/2.7 (unregistered for 533 days)

Hello

I have a tree where each ou has a manager attribute containing the DN of
users allowed to perform some administrative operations:

dn: ou=foo,o=home
ou: foo
objectClass: netExampleService
manager: uid=admin,ou=bar,o=home

I already have an ACL allowing managers to create and delete children in
the ou where they are listed as manager:

access to dn.regex="(ou=.+,o=home)$" attrs=children
    by group/netExampleService/manager.expand="$1" write stop
    by * read stop

Now I would like to restrict the delete operation to children that do
not have a given attribute set. i.e.: I want the ACL above to apply only
on children matching the filter (!(locked=TRUE))

Is it possible? 

If it is not, is there a way to give the addition right without giving
the delete right?

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@netbsd.org

Follow-Ups:
- Re: One more ACL question
  - From: manu@netbsd.org (Emmanuel Dreyfus)

Prev by Date: incompatible access control between versions
Next by Date: cn=config multimaster olcAuthzRegexp not working
Index(es):
- Chronological
- Thread