
question about the draft acl

I am developing draft-ietf-ldapext-acl-model-07.txt for OpenLDAP,
but I have the following question about the ACL.
My ACL is as follows:
acl:subtree#grant:d#[entry]#group:cn=user,o=org,o=tw       (1)
acl:subtree#grant:d#[entry]#subtree:o=tw                   (2)
acl:subtree#deny:d#[entry]#subtree:o=ncu,o=edu,o=tw        (3)
I am bound as "o=ncu,o=edu,o=tw".
According to the document draft-ietf-ldapext-acl-model-07.txt,
can I delete the child of "o=edu,o=tw"?
*****  note: "o=ncu,o=edu,o=tw" is a member of group "cn=user,o=org,o=tw" *****
From rule (1) I can delete the child of "o=edu,o=tw".
From rule (3) I can't delete the child of "o=edu,o=tw".
From rule (2) I can delete the child of "o=edu,o=tw".
But the "group" is more specific than "subtree",
but the bind name "o=ncu,o=edu,o=tw" is -closer- to "o=edu,o=tw" than "o=tw".
Can somebody give me a hint?
Thanks a lot.