[Date Prev][Date Next]
RE: ACL changes for add/delete/rename and back-shell
At 11:41 AM 2002-10-08, Howard Chu wrote:
>What does entry write access mean when adding an entry? This lets you set up an ACL that says someone can/cannot create a specific entry?
access to dn.one="ou=people,o=foo" attr=entry filter=(objectClass=person)
by dn="ou=manager,o=foo" write
by * read
means that only "ou=manager,o=foo" can add person objects
directly under "ou=people,o=foo" (assuming "ou=manager,o=foo"
also has "children" write access to "ou=people,o=foo").
> -- Howard Chu
> Chief Architect, Symas Corp. Director, Highland Sun
> http://www.symas.com http://highlandsun.com/hyc
> Symas: Premier OpenSource Development and Support
>> -----Original Message-----
>> From: owner-openldap-devel@OpenLDAP.org
>> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Kurt
>> D. Zeilenga
>> Sent: Tuesday, October 08, 2002 11:16 AM
>> To: openldap-devel@OpenLDAP.org
>> Subject: ACL changes for add/delete/rename and back-shell
>> I've tweaked the ACL system for both back-bdb and back-ldbm
>> to require "entry" write access to the entry being added,
>> deleted, or renamed. Write access to the parent's (or parents')
>> "children" is still required. This, especially when combined
>> with the filter clause, can provide finer grained control
>> on who can add, delete, rename what where.
>> I've also modified back-shell to provide "entry-level"
>> ACLs for all operations. This likely should be extended
>> to other programmable backends (an exercise I will leave
>> to others).