[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: child modification

> I think it would be wise to determine if current mechanisms
> can support your needs.  If they cannot, then we should
> discuss how best to provide the desired functionality.

Okay, so I'll expand a bit on what I need :

Basically our setup is a database of people's mail addresses.
There are several administrators that deal with this database, because
people are using different pop3 servers and thus are assigned addresses
by different people.

here are my rules:

### password
access to dn=".*,o=Gouv,c=FR"
        by self                 write
        by dnattr=manager       write
        by addr=       compare
	by dn=.*		none
### Admins
# add
access to dn="ou=Admin,ou=Education,o=Gouv,c=FR"
        by dnattr=manager       write
        by addr=       read
        by dn=.*                none

# delete, rename and modify
access to dn="[^,]*,ou=Admin,ou=Education,o=Gouv,c=FR"
        by dnattr=manager       write
        by addr=       read
        by dn=.*                none

### Mail entries
# new entries
access to dn="ou=Adc,ou=Education,o=Gouv,c=FR"
        by dn="cn=[^,]*,ou=Admin,ou=Education,o=Gouv,c=FR"      write
        by dnattr=manager                                       write
        by addr=       read
       by dn=.*                none
# delete, raname and modify by the manager
access to dn="[^,]*,ou=Adc,ou=Education,o=Gouv,c=FR"
        by dnattr=manager       write
        by addr=       read
        by dn=.*                none

In this setup, everything is stored in a single level as children of

The entries can be created by any admin. Once created, the person
is assigned to that manager and only this manager is allowed to change
the entry, or remove it. The manager can also shift administration of
this person to another manager by changing the "manager" attribute.

But with the standard setup, as any admin can create an entry, any admin
would also be able to delete any entry, which is unacceptable.

Now you'll ask, why didn't I use subtrees, with each subtree belonging
to an administrator which does what it wants with its entries ?
Two reasons:
 - with this second setup, when you create an adminstrator you'd also have
   to create the start of the subtree for this administrator ;
 - when you want to move an entry from one administrator to another, it
   involves BOTH of them which is cumbersome.
   Besides moddn doesn't seem to exist in 1.2.1 and modrdn is buggy
   and has cache coherency problems.

Don't you agree that having everything "flat" is much simpler in
is exactly what I require ?

> The old "entry" attribute approach had numerous shortcomings.  The
> largest in my eyes is that it doesn't restrict the renamer to particular
> subtrees.

Well, it does if you only use modrdn which is the only thing I have
access to in 1.2.1

> That is, if given the right to rename, I can rename it
> under any parent.  The "children" approach resolves this be requiring
> you to have permission to write access to both the old and new parents.
> (analogous to moving a file between directories in Unix).

If you follow the unix analogy, what I'd like is a directory
like /tmp which has rights rwxrwxrwt, t meaning only the owner can delete it.

> Another issue is that administrators may forget to restrict
> access to this attribute and unknownly grant rename privs to
> their users (self write).

Surely misconfiguration is not a valid reason for restricting 
the available options ?

> In general, it's better to implement a policy using ACLs than to let
> ACLs define your policy.

Yes, and I had defined my policy as outlined above, only the ACLs
wouldn't let me do it, so I was about to change the code when I saw

Well, does this make any sense at all ?