Re: OpenLDAP create children only
> Hi,
>
> I would like to give a set of users the ability to create objects in the
> directory under a specific DN. It seems, by reading the Admin Manual
> (specifically the bottom of 8.3.1), that by setting the children attribute I
> can create correctly. I do not wish that they can remove the DN after
> they have added it. So I can't just give them write access to the DN, or
> that will give them the ability to delete. Am I missing something, or is
> this just not possible with the current ACL structure?
>
> Eg.
>
> olcAccess: {9} to dn="ou=groups,dc=example,dc=com" attrs=children by
> dn.children="ou=people,dc=example,dc=com" write
>
> So I would like to add a group,
>
> cn=foo,ou=groups,dc=example,dc=com
>
> but not allow someone in ou=people,dc=example,dc=com to delete the DN
> after it is created.
See man slapd.access(5); note the possibility of splitting write (w) into add (a)
and delete (z).
p.
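As an added illustration of the reply above (not part of the original thread, and not taken from the OpenLDAP documentation verbatim): the poster's rule with `write` on the `children` pseudo-attribute, beside the same rule with `write` split so that only `add` (a) is granted. The database DN `olcDatabase={1}mdb,cn=config`, the `dn.base`/`dn.onelevel` styles, the `{9}`/`{10}` ordering and the second rule granting write on the new group entry itself are assumptions about the poster's setup, not facts from the thread.

```ldif
# Added example, not from the original thread. The poster's rule: "write" on the
# parent's children pseudo-attribute is add + delete, so it lets ou=people users
# both create and remove entries directly under ou=groups:
#
#   olcAccess: {9}to dn.base="ou=groups,dc=example,dc=com" attrs=children
#     by dn.children="ou=people,dc=example,dc=com" write
#
# Corrected form: grant only add (a) on children, so entries can be created but
# not deleted. This is an ldapmodify fragment against cn=config; the database
# DN and the slot numbers are assumptions and must match the live config.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {9}to dn.base="ou=groups,dc=example,dc=com" attrs=children
  by dn.children="ou=people,dc=example,dc=com" add
  by * none
-
add: olcAccess
# Assumption about the rest of the layout: creating the new entry also needs
# access to the entry's own attributes, so the group entries one level below
# ou=groups get write for the same users. This does not re-enable deletion,
# because delete still needs delete (z) on the parent's children attribute,
# which rule {9} withholds. It does allow those users to modify existing
# groups; tighten it further if that is not wanted.
olcAccess: {10}to dn.onelevel="ou=groups,dc=example,dc=com"
  by dn.children="ou=people,dc=example,dc=com" write
  by * read
```

Apply it with `ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif`, then check the intended behaviour from one of the ou=people accounts: `ldapadd` of `cn=foo,ou=groups,dc=example,dc=com` should succeed, and a subsequent `ldapdelete` of the same DN should fail with Insufficient access (result code 50). Check the rule order with `ldapsearch -Y EXTERNAL -H ldapi:/// -b 'olcDatabase={1}mdb,cn=config' olcAccess` first, since the `{9}` and `{10}` slots only make sense relative to the ACLs already present.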