[Date Prev][Date Next]
RE: ACL changes for add/delete/rename and back-shell
> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
> At 11:41 AM 2002-10-08, Howard Chu wrote:
> >What does entry write access mean when adding an entry?
> This lets you set up an ACL that says someone can/cannot
> create a specific entry?
> access to dn.one="ou=people,o=foo" attr=entry
> by dn="ou=manager,o=foo" write
> by * read
> means that only "ou=manager,o=foo" can add person objects
> directly under "ou=people,o=foo" (assuming "ou=manager,o=foo"
> also has "children" write access to "ou=people,o=foo").
That all sounds good, but it also sounds like extra rules are now needed.
I.e., if I have an existing set of ACLs that grants
access to dn="ou=people,o=foo" attr=children
by dn="ou=manager,o=foo" write
by * read
but I don't have the corresponding attr=entry ACL from above, then
"ou=manager,o=foo" can't actually create any children of "ou=people,o=foo" ?
It seems that attr=children ACLs are obsoleted by this change.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
Symas: Premier OpenSource Development and Support