Re: Allowing users to add, but not delete, entries?
On Thu, 03 Mar 2011 13:30:09 +0000, Gervase Markham <gerv@mozilla.org> wrote:
> Hi,
>
> Summary: is it possible to configure access control such that users
> can add, but not delete, entries?
>
> Details:
>
> My planned schema has a branch:
>
> ou=tags,dc=example,dc=com
>
> The entries below this are like this:
>
> objectClass=groupOfNames
> cn=sometagname
> member=<user dn 1>
> member=<user dn 2>
> member=<user dn 3>
> ...
>
> I have worked out how to make it so users can only add and remove
> themselves from a tag:
>
> access to dn.children="ou=tags,dc=example,dc=com" attrs=member,entry
>     # Allow people to add and remove themselves from any other tag
>     by dnattr=member selfwrite
>     # Allow anyone to read
>     by anonymous read
>
> So far so good, but I would like authenticated users to be able to
> add new entries (tags), and add themselves as members to them, but
> _not_ to be able to delete tags.
>
> Even better, the tag would be deletable, or even automatically
> removed, but only if the user removed their own name and there were
> no more members - i.e. it was empty. (I believe the member attribute
> is mandatory in groupOfNames, and I don't want it to be impossible
> for someone to remove their name because they are the only member!)
>
> This is difficult, because as far as I can see the "write" permission
> does not distinguish between adding and deleting.
>
> Can someone tell me if this is possible?
Yes, this is possible; see man slapd.access(5), in particular the section on
privileges. As an example: access to foo by foobar =ar
-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E
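As an added example, not part of Dieter's reply or of the original question, here is how the add/delete split he points at in slapd.access(5) looks when applied to the ou=tags branch from the question. It assumes OpenLDAP 2.4 slapd.conf syntax, where write (w) is the union of add (a) and delete (z) and where the level keyword "add" grants a plus everything read implies; the bind DN uid=alice,ou=people,dc=example,dc=com and the path /etc/ldap/slapd.conf are assumptions. The member rule is carried over from the question unchanged.

```conf
# Added example (not from the thread). slapd.conf ACL directives; the same
# clauses work as olcAccess values under cn=config with a {n} prefix.
# Assumed: OpenLDAP 2.4 ACL syntax, where "write" = add (a) + delete (z),
# and the level keyword "add" means a plus the rights that "read" implies.
# Continuation lines must be indented, or slapd.conf treats them as new directives.

# 1. Creating an entry directly under ou=tags needs "add" on the parent's
#    "children" pseudo-attribute. Deleting a tag would need "delete" (z) here;
#    no clause grants it, so nobody can remove a tag through this ACL set.
access to dn.base="ou=tags,dc=example,dc=com" attrs=children
    by users add
    by * none

# 2. The "entry" pseudo-attribute of each tag: "add" lets an authenticated
#    user create the entry and also read it; anonymous gets read only.
#    Again no "delete". In explicit-privilege spelling this is "=arscxd"
#    (Dieter's =ar plus the lower levels that the keyword "read" implies).
access to dn.onelevel="ou=tags,dc=example,dc=com" attrs=entry
    by users add
    by anonymous read

# 3. Naming and schema attributes: may be supplied when the tag is created
#    and read by everyone, but without "delete" their values cannot be
#    removed or replaced afterwards (a replace needs both a and z).
access to dn.onelevel="ou=tags,dc=example,dc=com" attrs=objectClass,cn
    by users add
    by * read

# 4. member: the rule from the question. Members may add or remove only
#    their own DN; everyone else reads. Note that "member" is MUST in
#    groupOfNames, so the schema check will reject the modify that would
#    remove the last member; an ACL cannot make the tag disappear.
access to dn.onelevel="ou=tags,dc=example,dc=com" attrs=member
    by dnattr=member selfwrite
    by * read

# Checks with slapacl(8) (assumed paths and DNs). "-u" tells slapacl not to
# fetch the entry and to evaluate against a fake entry with that DN, which is
# what is needed for a tag that does not exist yet.
#
#   slapacl -f /etc/ldap/slapd.conf -u \
#       -D "uid=alice,ou=people,dc=example,dc=com" \
#       -b "cn=newtag,ou=tags,dc=example,dc=com" entry/add        # expect ALLOWED
#   slapacl -f /etc/ldap/slapd.conf \
#       -D "uid=alice,ou=people,dc=example,dc=com" \
#       -b "ou=tags,dc=example,dc=com" children/add children/delete  # expect ALLOWED, DENIED
#   slapacl -f /etc/ldap/slapd.conf \
#       -D "uid=alice,ou=people,dc=example,dc=com" \
#       -b "cn=sometagname,ou=tags,dc=example,dc=com" entry/delete  # expect DENIED
```

Two points worth remembering when adapting this: slapd stops at the first "access to" directive whose target matches, so splitting member and entry into separate directives (rather than the combined attrs=member,entry of the question) is what lets them carry different rights; and because the question's selfwrite rule is kept as posted, run the slapacl checks, plus one real ldapadd of a tag, before relying on it rather than trusting the comments.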