
Re: ACL



At 09:02 AM 3/4/00 +0100, Pierangelo Masarati wrote:
>It is not clear to me how I can allow some dn to add children
>entries to a parent entry, say
>
>cn=child,cn=parent,o=My Org.,c=IT
>
>without giving that dn write permission on all the parent
>entry attributes.

You can do this by only granting permission to the parent's
"children" pseudo attribute.

access to "cn=parent,o=My Org.,c=IT" attr=children
	by dn="cn=adder,o=My Org.,c=IT" write

access to "cn=child,cn=parent,o=My Org.,c=IT"
	by dn="cn=adder,o=My Org.,c=IT" write

This grants "cn=adder,o=My Org.,c=IT" access to add, modrdn,
delete the child to/from the parent and to write the children
themselves.  If you wanted to allow adder write access to
all children, you could replace the second ACL with:

access to ".*,cn=parent,o=My Org.,c=IT"
	by dn="cn=adder,o=My Org.,c=IT" write
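The following is an added example, not part of the original message and not OpenLDAP code: a simplified Python model of first-match ACL evaluation, applied to the two rules above (the all-children variant), showing that the adder can create children without gaining write access to the parent's own attributes. It assumes that a request matching no clause is denied, that adding an entry needs write on the parent's "children" attribute plus write on the new entry (modelled here as an "entry" attribute), that patterns are written anchored and escaped, and that DNs contain no escaped commas.

```python
import re

LEVELS = {"none": 0, "read": 1, "write": 2}  # simplified level ordering (assumption)
ADDER = "cn=adder,o=My Org.,c=IT"
PARENT = "cn=parent,o=My Org.,c=IT"

def exact(dn):
    """Anchored, escaped pattern that matches exactly one DN."""
    return "^" + re.escape(dn) + "$"

# (entry DN pattern, attribute or None for all attributes, [(who pattern, level)])
ACLS = [
    # Rule 1: only the parent's "children" pseudo attribute.
    (exact(PARENT), "children", [(exact(ADDER), "write")]),
    # Rule 2: every entry below the parent, all attributes.
    ("^.*," + re.escape(PARENT) + "$", None, [(exact(ADDER), "write")]),
]

def granted(who, dn, attr, want):
    """The first clause matching (dn, attr) decides; inside it, the first matching 'by'."""
    for dn_pat, acl_attr, by_list in ACLS:
        if not re.search(dn_pat, dn) or acl_attr not in (None, attr):
            continue
        for who_pat, level in by_list:
            if re.search(who_pat, who):
                return LEVELS[level] >= LEVELS[want]
        return False  # clause matched, but no 'by' line names this requester
    return False      # model assumption: no matching clause means no access

def can_add(who, dn):
    """Add needs write on the parent's 'children' and on the new entry itself."""
    parent = dn.split(",", 1)[1]  # constructed DNs only: no escaped commas
    return (granted(who, parent, "children", "write")
            and granted(who, dn, "entry", "write"))

def can_modify(who, dn, attr):
    return granted(who, dn, attr, "write")

if __name__ == "__main__":
    child = "cn=child," + PARENT
    print("add child:          ", can_add(ADDER, child))
    print("modify parent attr: ", can_modify(ADDER, PARENT, "description"))
    print("modify child attr:  ", can_modify(ADDER, child, "description"))
    # Rule 2 covers all attributes of the children, including their own
    # "children" attribute, so in this model the adder can also create grandchildren.
    print("add grandchild:     ", can_add(ADDER, "cn=grandchild," + child))
```
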