
OpenLDAP create children only



Hi,

I would like to give a set of users the ability to create objects in the
directory under a specific DN.  It seems, from reading the Admin Manual
(specifically the bottom of 8.3.1), that by setting the children attribute
I can create correctly.  I do not want them to be able to remove the DN
after they have added it, so I can't just give them write access to the DN
or that will give them the ability to delete.  Am I missing something, or
is this just not possible with the current ACL structure?

Eg.

olcAccess: {9} to dn="ou=groups,dc=example,dc=com" attrs=children by dn.children="ou=people,dc=example,dc=com" write

So I would like to add a group,

  cn=foo,ou=groups,dc=example,dc=com

but not allow someone in ou=people,dc=example,dc=com to delete the DN
after it is created.

Thanks,
derek

-- 
---
Derek T. Yarnell
University of Maryland
Institute for Advanced Computer Studies