[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL: protect entry but not children

To: openldap-software@OpenLDAP.org
Subject: Re: ACL: protect entry but not children
From: "Ace Suares" <ace@suares.com>
Date: Sat, 7 Sep 2002 16:26:32 -0400
Content-description: Mail message body
In-reply-to: <3D7A1568.13542.B40E96@localhost>

Allow me to try and answer my own question :-|

> Given a subtree "dc=example,dc=com"
> we want to be able to add sub-entries to that tree, but at the same 
> time we want to protect the "dc=example,dc=com" itself.
> If possible without naming all attributes.
> 
a real-life solution:

# this lets you auth
# and lets you modify existing admins
# the .one is to protect any (illegal) sublevels)
access to dn.one="users=managers,aservice=_managers,application=cc"
   by group="group=managers,aservice=_managers,application=cc" write
   by anonymous auth

# this lets you add and delete admins
access to dn="users=managers,aservice=_managers,application=cc" 
attrs=children
   by group="group=managers,aservice=_managers,application=cc" write

# This protects the entry
access to dn="users=managers,aservice=_managers,application=cc"
   by group="group=managers,aservice=_managers,application=cc" read

-------

Is this a good way to do it ?
Are there smarter ways ?

If you think it's the right solution, I'll make a faq entry for it.
(but with generalized identiefiers, like example.com)
_Ace

Follow-Ups:
- Re: ACL: protect entry but not children
  - From: "Ace Suares" <ace@suares.com>
- Re: ACL: protect entry but not children
  - From: Tony Earnshaw <tonni@billy.demon.nl>

References:
- ACL: protect entry but not children
  - From: "Ace Suares" <ace@suares.com>

Prev by Date: ACL: protect entry but not children
Next by Date: Re: ACL: protect entry but not children
Index(es):
- Chronological
- Thread