
ACL, delete and children


I want to allow members of a group to add entries in, for example, dc=com, but I want to allow deletion of dc=aa,dc=com only by
members of the group dc=aa,dc=com.

This doesn't seem to be possible, as the children attribute is used for both add and delete.

I tried this ACL:

#For creation in dc=XX,dc=YY tree and write access to dc=XX,dc=com
access to dn="dc=(.*),dc=(.*),o=sbuilders"
	by group="dc=$1,dc=$2,o=sbuilders" write
	by * none

#For creation in dc=YY
access to dn="dc=(.*),o=sbuilders"
	by group="cn=add-access,ge=tld,ou=groups,o=sbuilders" write
	by * none

Is there a way to do what I want?

If not, is it possible to add other attributes like children (maybe children-add and children-delete) which would be tested
for add or delete operations before testing the children attribute? (I don't know if ACL design is part of the LDAP RFCs or if it's
a "free" part.)

Thank you.


Manuel GUESDON  -  SOFTWARE BUILDERS        <mguesdon@sbuilders.com>
http://www.sbuilders.com                        PGP Key Id: 12C3E391
PGP Signed/Encrypted mails preferred
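An added example, not part of the original post and not the OpenLDAP project's own code, of how the add/delete split asked about above can be expressed on a slapd that supports the separate add (=a) and delete (=z) privileges described in slapd.access(5) for OpenLDAP 2.4 (older releases only have write, which grants both, so nothing below applies to them). It keeps the poster's suffix o=sbuilders, the add-access group DN and the per-domain group naming, and assumes one extra, hypothetical umbrella group, cn=domain-owners,ou=groups,o=sbuilders, that all members of the per-domain groups also belong to:

```conf
# Added example, not from the original post or from OpenLDAP itself.
# slapd.conf-style ACLs that let one group create dc=YY,o=sbuilders
# entries but let only the matching per-domain group remove them, using
# the split add (=a) / delete (=z) privileges of slapd.access(5) in
# OpenLDAP 2.4 (assumption: a release where "w" is the alias for "az").
# Hypothetical: cn=domain-owners,ou=groups,o=sbuilders, an umbrella
# group that all per-domain group members also belong to.

# 1. Subtree two levels down: the per-domain group owns it outright,
#    as in the original post. group.expand substitutes the $1/$2
#    captured by the dn.regex target into the group DN.
access to dn.regex="^dc=([^,]+),dc=([^,]+),o=sbuilders$"
        by group.expand="dc=$1,dc=$2,o=sbuilders" write
        by * none

# 2. Deleting dc=YY,o=sbuilders checks the delete privilege on the
#    target's own "entry" pseudo-attribute. Only the matching domain
#    group gets =z; add-access gets =a so it can create the entry
#    (adding an entry also checks =a on its "entry") but never drop it.
#    Narrow attrs= clauses must precede the catch-all for the same DN,
#    because the first "access to" whose target matches wins.
access to dn.regex="^dc=([^,]+),o=sbuilders$" attrs=entry
        by group.expand="dc=$1,o=sbuilders" =zrscxd
        by group.exact="cn=add-access,ge=tld,ou=groups,o=sbuilders" =arscxd
        by * none

# 3. Creating or deleting entries below dc=YY is governed by the
#    "children" pseudo-attribute of dc=YY; keep it for the domain group
#    so add-access cannot populate someone else's domain.
access to dn.regex="^dc=([^,]+),o=sbuilders$" attrs=children
        by group.expand="dc=$1,o=sbuilders" write
        by * none

# 4. All other attributes of dc=YY: add-access needs =a to supply them
#    at creation time; the domain group may maintain them afterwards.
access to dn.regex="^dc=([^,]+),o=sbuilders$"
        by group.expand="dc=$1,o=sbuilders" write
        by group.exact="cn=add-access,ge=tld,ou=groups,o=sbuilders" =arscxd
        by * none

# 5. Both operations ALSO check the "children" pseudo-attribute of the
#    parent, o=sbuilders. Its target is fixed, so no $1 expansion is
#    possible here; this is exactly why "children" alone cannot do the
#    per-domain split. =a goes to add-access, =z to the umbrella group.
#    A delete succeeds only if this clause AND clause 2 both grant, so a
#    domain-owners member can still remove only the domain(s) whose own
#    group lists them.
access to dn.exact="o=sbuilders" attrs=children
        by group.exact="cn=add-access,ge=tld,ou=groups,o=sbuilders" =arscxd
        by group.exact="cn=domain-owners,ou=groups,o=sbuilders" =zrscxd
        by * none
```

The point to take away is that a delete of dc=YY,o=sbuilders passes two checks, delete on the target's entry pseudo-attribute and delete on the parent's children pseudo-attribute, and both must grant. Only the per-target check can be expanded with $1, so the parent-level grant is deliberately a plain group grant and relies on the entry clause for the per-domain gating; do not widen clause 5 to "by users" or "by *", since that privilege also feeds rename (modrdn) checks on the same children attribute. Before reloading, check individual requestor/target/attribute combinations with slapacl(8), which evaluates the loaded ACLs offline (-D for the requestor's DN, -b for the target entry).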