[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: ACL changes for add/delete/rename and back-shell

> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]

> At 11:41 AM 2002-10-08, Howard Chu wrote:
> >What does entry write access mean when adding an entry?
> This lets you set up an ACL that says someone can/cannot
> create a specific entry?
> Yes.
>   access to dn.one="ou=people,o=foo" attr=entry
> filter=(objectClass=person)
>     by dn="ou=manager,o=foo" write
>     by * read
> means that only "ou=manager,o=foo" can add person objects
> directly under "ou=people,o=foo" (assuming "ou=manager,o=foo"
> also has "children" write access to "ou=people,o=foo").

That all sounds good, but it also sounds like extra rules are now needed.
I.e., if I have an existing set of ACLs that grants

	access to dn="ou=people,o=foo" attr=children
	   by dn="ou=manager,o=foo" write
	   by * read

but I don't have the corresponding attr=entry ACL from above, then
"ou=manager,o=foo" can't actually create any children of "ou=people,o=foo" ?

It seems that attr=children ACLs are obsoleted by this change.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support