[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL for only creating entry

To: <ace@suares.nl>
Subject: Re: ACL for only creating entry
From: "Pierangelo Masarati" <ando@sys-net.it>
Date: Mon, 15 Dec 2003 14:26:04 +0100 (CET)
Cc: <openldap-software@OpenLDAP.org>
Importance: Normal
In-reply-to: <200312150821.49167.ace@suares.nl>
References: <2048.209.16.240.20.1071481632.squirrel@mail.theoretic.com> <36568.131.175.154.56.1071485692.squirrel@webmail.sys-net.it> <200312150821.49167.ace@suares.nl>

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
>> This rule is totally unnecessary.  It has nothing to do with
>> access to users, i.e entries below "ou=users,dc=theoretic,dc=com.
>
> See other mail.
>
>>
>> With the first rule on top you gave webregister write access
>> only to the "entry" meta-attribute, which is totally meaningless.
>
> Thank you!
> It's not so meaninless in my experience !

Not in general, but in this case, yes.

> But then again, I get fooled unlimitless by ACL's.

>
>>
>> Then webregister will have write access only below the
>> "ou=users,dc=example,dc=com" subtree.
>
> That's NOT the goal!
> The goal is that webregister can write something and then later NOT read
> it.

then do

access to dn.regex="uid=([^,]+),ou=users,dc=example,dc=com"
    by dn.exact="uid=webregister,..." =xcsw

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it

References:
- ACL for only creating entry
  - From: <adamtheo@theoretic.com>
- Re: ACL for only creating entry
  - From: "Pierangelo Masarati" <ando@sys-net.it>
- Re: ACL for only creating entry
  - From: Ace Suares <ace@suares.nl>

Prev by Date: Re: encoding format for comments/notes/info attributes
Next by Date: Help
Index(es):
- Chronological
- Thread