[Date Prev][Date Next]
RE: ACL changes for add/delete/rename and back-shell
At 12:08 PM 2002-10-08, Howard Chu wrote:
>> -----Original Message-----
>> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
>> At 11:41 AM 2002-10-08, Howard Chu wrote:
>> >What does entry write access mean when adding an entry?
>> This lets you set up an ACL that says someone can/cannot
>> create a specific entry?
>> access to dn.one="ou=people,o=foo" attr=entry
>> by dn="ou=manager,o=foo" write
>> by * read
>> means that only "ou=manager,o=foo" can add person objects
>> directly under "ou=people,o=foo" (assuming "ou=manager,o=foo"
>> also has "children" write access to "ou=people,o=foo").
>That all sounds good, but it also sounds like extra rules are now needed.
>I.e., if I have an existing set of ACLs that grants
> access to dn="ou=people,o=foo" attr=children
> by dn="ou=manager,o=foo" write
> by * read
>but I don't have the corresponding attr=entry ACL from above, then
>"ou=manager,o=foo" can't actually create any children of "ou=people,o=foo" ?
>It seems that attr=children ACLs are obsoleted by this change.
No. attr=children allows one to control entry creation based
upon contents of the parent. attr=entry doesn't replace that.