
Re: deleting ACL



Alejandra Moreno wrote...:

> but this way you don't distinguish between writing and deleting!

please _read_ my answers.

thank you,
daniel

> At 13:00 14.01.2002 +0000, you wrote:
> 
>>Alejandra Moreno wrote...:
>> > And how can this be implemented for the LDAP entries?
>>
>>something like
>>
>>access to dn=".*,dc=parent,dc=com"
>>        by * write
>>
>>gives everybody write access to entries stored below
>>"dc=parent,dc=com", (e.g. "uid=foo,dc=parent,dc=com") but not to
>>"dc=parent,dc=com" itself. of course you can restrict access by
>>specifying something other than "*" in the second line..
>>
>>hth,
>>daniel
>>
>> > At 12:40 14.01.2002 +0000, you wrote:
>> >
>> >>Alejandra Moreno wrote...:
>> >>
>> >> > I'm not sure, but is there a way to create an ACL to
>> >> > distinguish between writing and deleting? I want to give
>> >> > writing permission, but not deleting permission. 
>> >>
>> >>depends on what you think that "writing" is.. if you want to
>> >>distinguish between creating and deleting, the answer should be
>> >>no, i think. but if you want to "write to" an entry (meaning you
>> >>want to change some of its attributes) that's a completely
>> >>different thing. access handling can be compared fairly
>> >>straightforwardly to UNIX file permissions in this case.. if you have
>> >>write access for the directory, you can add and delete all files
>> >>there. but you can change the _content_ of a file (if the file
>> >>permissions allow it) also if you do not have write permissions
>> >>to the directory. which means you may modify the file, but not
>> >>delete it.. (which is possibly what you want)