
Re: subtree and children dnstyles



Admin Guide, 5.3.1:
  To add or delete an entry, the subject must have write access to
  the entry's entry attribute AND must have write access to the
  entry's parent's children attribute.

Don't confuse the children attribute with the children scope.

And, to answer your scope question, the difference between
the subtree and children scopes is the base object.

Kurt

At 10:42 PM 6/1/2006, Jon Roberts wrote:
>I am interested in allowing users to write (delete) a particular branch of my DIT, which means the top node and everything below it. For example:
>
>dn: ou=Widgets, o=mentata.com
>objectclass: top
>objectclass: organizationalunit
>ou: Widgets
>
>dn: ou=C, ou=Widgets, o=mentata.com
>objectclass: top
>objectclass: organizationalunit
>ou: C
>
>dn: ou=X, ou=C, ou=Widgets, o=mentata.com
>objectclass: top
>objectclass: organizationalunit
>ou: X
>
>I want an authorized user to be able to delete all three entries. In my slapd.conf:
>
>access to dn.sub="ou=Widgets,o=mentata.com"
>    by dn="uid=authorized,ou=People,o=mentata.com" write
>    by * read
>
>My authorized identity gets an LDAP 50 (Insufficient Access Rights) error code when attempting to delete ou=Widgets, although there is no issue deleting C or X.
>
>From the slapd.access man page:
>
>sub  (synonym  of  subtree) indicates all entries in the subtree at the <dnpattern>, children indicates all the entries below (subordinate to) the <dnpattern>
>
>What is the difference exactly? I would expect both of these to grant the privilege to delete entries C and X when used with the access control statement and data above, and was assuming that sub would further give access to the ou=Widgets node. Apparently that's wrong, so now I don't understand the distinction.
>
>Furthermore, is there a way to grant a <WHO> the ability to delete an entire branch, including the top node, without using regex style or multiple access control statements?
>
>Jon Roberts
>www.mentata.com
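The following slapd.conf fragment is an added example, not part of Kurt's reply or Jon's post. It spells out why the single dn.sub clause fails for the top node: deleting ou=Widgets needs write on the children pseudo-attribute of its parent, o=mentata.com, and that parent is outside dn.sub="ou=Widgets,o=mentata.com". It assumes the DIT, the suffix o=mentata.com and the identity uid=authorized,ou=People,o=mentata.com exactly as given in the quoted message.

```conf
# Added example (not from Kurt's reply or Jon's post): slapd.conf ACLs that
# let uid=authorized delete ou=Widgets and everything beneath it.
# Assumes the DIT from the post: o=mentata.com is the suffix, ou=Widgets sits
# directly under it, and uid=authorized,ou=People,o=mentata.com is the account
# being granted the right.

# Clause 1: deleting ou=Widgets itself needs write on the children
# pseudo-attribute of its parent, o=mentata.com. That parent is not inside
# dn.sub="ou=Widgets,o=mentata.com", so the original clause never grants it.
# dn.base matches only o=mentata.com, and attrs=children limits the grant to
# that one pseudo-attribute, so uid=authorized still gets no write access to
# the real attributes of o=mentata.com.
access to dn.base="o=mentata.com" attrs=children
    by dn.exact="uid=authorized,ou=People,o=mentata.com" write
    by * read

# Clause 2: the original clause, unchanged. dn.sub includes the base object,
# so it supplies write on ou=Widgets' own entry attribute (needed to delete it)
# and on the entry and children attributes of every entry below it (needed to
# delete C and X). With dn.children instead of dn.sub, ou=Widgets itself would
# fall outside this clause and only C and X could be deleted.
access to dn.sub="ou=Widgets,o=mentata.com"
    by dn.exact="uid=authorized,ou=People,o=mentata.com" write
    by * read

# Clause 3: catch-all. slapd uses the first "access to" whose target matches,
# so this must stay after the two clauses above or it would shadow them.
access to *
    by * read
```

Clauses 1 and 2 do not overlap, so their relative order does not matter, but both must precede any broader clause that also matches o=mentata.com. The result can be checked offline with slapacl(8) before touching live data, for example `slapacl -b "o=mentata.com" -D "uid=authorized,ou=People,o=mentata.com" children/write` and `slapacl -b "ou=Widgets,o=mentata.com" -D "uid=authorized,ou=People,o=mentata.com" entry/write`; both must report ALLOWED. Note that ACLs only settle the authorization question: a plain LDAP delete still refuses a non-leaf entry, so the branch has to be removed bottom-up (X, then C, then Widgets) unless the server and client both support a tree-delete control.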