RE: ACL changes for add/delete/rename and back-shell
At 12:08 PM 2002-10-08, Howard Chu wrote:
>> -----Original Message-----
>> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
>
>> At 11:41 AM 2002-10-08, Howard Chu wrote:
>> >What does entry write access mean when adding an entry?
>> This lets you set up an ACL that says someone can/cannot
>> create a specific entry?
>>
>> Yes.
>> access to dn.one="ou=people,o=foo" attr=entry
>> filter=(objectClass=person)
>> by dn="ou=manager,o=foo" write
>> by * read
>>
>> means that only "ou=manager,o=foo" can add person objects
>> directly under "ou=people,o=foo" (assuming "ou=manager,o=foo"
>> also has "children" write access to "ou=people,o=foo").
>
>That all sounds good, but it also sounds like extra rules are now needed.
>I.e., if I have an existing set of ACLs that grants
>
> access to dn="ou=people,o=foo" attr=children
> by dn="ou=manager,o=foo" write
> by * read
>
>but I don't have the corresponding attr=entry ACL from above, then
>"ou=manager,o=foo" can't actually create any children of "ou=people,o=foo" ?
Correct.
>It seems that attr=children ACLs are obsoleted by this change.
No. attr=children allows one to control entry creation based
upon contents of the parent. attr=entry doesn't replace that.
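Putting the two fragments quoted above side by side shows what the "extra rule" amounts to in practice. This is an added slapd.conf example, not configuration from the thread or from the OpenLDAP project; the DNs and the two rules are the ones quoted in the messages, while the trailing catch-all rule and the ordering comments are assumptions added here to make the fragment complete:

```conf
# Combined ACL assembled from the two fragments in the thread.
# Ordering matters: slapd evaluates "access to" clauses in order and
# uses the first one whose target matches, so the narrow rules must
# come before any broader catch-all.

# Checked against the parent when something is added directly below
# ou=people: only the manager has write access to the parent's
# "children" pseudo-attribute.
access to dn="ou=people,o=foo" attr=children
        by dn="ou=manager,o=foo" write
        by * read

# Checked against the entry being created: the manager may create the
# new entry's "entry" pseudo-attribute, but only for person objects,
# because of the filter. An add of any other object class under
# ou=people does not match this rule and falls through.
access to dn.one="ou=people,o=foo" attr=entry filter=(objectClass=person)
        by dn="ou=manager,o=foo" write
        by * read

# Assumed catch-all (not shown in the thread) so the fragment is
# self-contained. It grants read only, so anything that fell through
# the rules above is still not writable.
access to *
        by * read
```

With both rules present, an add of a person entry directly under ou=people by ou=manager,o=foo passes both checks (children write on the parent, entry write on the new DN). The same add by any other identity is refused at the children check, and an add by the manager of a non-person object under ou=people is refused at the entry check, since the filtered rule does not match it and the catch-all grants only read. Keeping only the children rule, as in the existing ACL set described in the thread, leaves the entry check unsatisfied and the add fails.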