[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: One more ACL question

To: openldap-software@openldap.org
Subject: Re: One more ACL question
From: manu@netbsd.org (Emmanuel Dreyfus)
Date: Sun, 6 Jul 2008 20:15:59 +0200
In-reply-to: <1ijnoob.w1qwzhfepnavM%manu@netbsd.org>
User-agent: MacSOUP/2.7 (unregistered for 534 days)

Emmanuel Dreyfus <manu@netbsd.org> wrote:

> If it is not, is there a way to give the addition right without giving
> the delete right?

Following up myself:

Yes, it seems possible, according to the documentation
in order to add, one need write access to 
- attrs=childrens of the parent

in order to delete, one need write access to 
- attrs=childrens of the parent
- attrs=entry of the entry to be deleted

So it seems possible to do what I'm looking for, by using two ACL. Does
something like this look reasonable?

access to dn.regex="(ou=.+,o=home)$" attrs=children
    by group/netExampleService/manager.expand="$1" write stop
    by * read stop

access to filter="(!(locked=TRUE))" attrs=entry
    by group/netExampleService/manager write stop
    by * read stop

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@netbsd.org

References:
- One more ACL question
  - From: manu@netbsd.org (Emmanuel Dreyfus)

Prev by Date: Re: cn=config multimaster olcAuthzRegexp not working
Next by Date: Inappropriate matching (18): additional info: modify/delete: postalAddress: no equality
Index(es):
- Chronological
- Thread