
Re: ACL for only creating entry



Sun, 14.12.2003 at 08.03, adamtheo@theoretic.com wrote:

> I had to change the below ACL suggestion slightly, replacing your "exact"
> with "base" (otherwise openldap wouldn't accept it), but no success. The
> account webregister is not able to see any of the children entries in the
> directory, as intended, but it is not able to create them at all. I get
> "permission denied" errors.

Dunno if it helps, but I've always found ACLs the most exasperating and
difficult part of OpenLDAP. I've also found that to give express
permissions to any parent tree and subtree, I have to enable this
expressly in my ACLs (don't forget line wrapping below):

access to dn=ou=contacts,dc=billy,dc=demon,dc=nl
  by dn=cn=admin,dc=billy,dc=demon,dc=nl write
  by group=cn=peoplemanagers,ou=people,ou=groups,dc=billy,dc=demon,dc=nl write
  by * read

access to dn=ou=contacts,dc=billy,dc=demon,dc=nl
  attrs=children
  by dn=cn=admin,dc=billy,dc=demon,dc=nl write
  by group=cn=peoplemanagers,ou=people,ou=groups,dc=billy,dc=demon,dc=nl write
  by * read

This is just an example, Ace's fancy stuff, dnregexps etc., comes in
addition.

--Tonni

-- 
mail: billy - at - billy.demon.nl
http://billy.demon.nl
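Added example (not part of Tonni's message or the original poster's config): a slapd.conf ACL fragment applying the same idea to the scenario in this thread, an account that may add entries under a container. The names cn=webregister,dc=example,dc=com and ou=contacts,dc=example,dc=com are hypothetical, and the dn.base / dn.subtree selector style is assumed to be understood by the server (the original poster reports that "base" was accepted).

```conf
# Added example, not from the original message. Names are placeholders.
#
# slapd evaluates "access to" clauses in order and uses the FIRST clause whose
# target (dn + attrs) matches the item being checked. A clause with no "attrs"
# matches every attribute, including the "children" pseudo-attribute, so the
# children rule must come BEFORE the general rule for the same entry or it is
# never reached.

# 1. Adding an entry below ou=contacts requires write access to the "children"
#    pseudo-attribute of the parent entry. This is the rule the thread is about.
access to dn.base="ou=contacts,dc=example,dc=com" attrs=children
  by dn.base="cn=admin,dc=example,dc=com" write
  by dn.base="cn=webregister,dc=example,dc=com" write
  by * read

# 2. The container entry's ordinary attributes (ou, objectClass, ...).
access to dn.base="ou=contacts,dc=example,dc=com"
  by dn.base="cn=admin,dc=example,dc=com" write
  by * read

# 3. The entries underneath the container. Note that "write" is cumulative and
#    includes read, so this rule lets webregister read what it can write; it
#    does not by itself produce a create-only account.
access to dn.subtree="ou=contacts,dc=example,dc=com"
  by dn.base="cn=admin,dc=example,dc=com" write
  by dn.base="cn=webregister,dc=example,dc=com" write
  by * read
```

When testing a change like this, run slapd with ACL debugging (`-d acl`) and attempt the add as the restricted account; the trace shows which clause matched for the `children` check on the parent, which is usually where an unexpected "insufficient access" comes from.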