[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL, delete and children

To: Manuel Guesdon <ml@sbuilders.com>
Subject: Re: ACL, delete and children
From: "Kurt D. Zeilenga" <kurt@boolean.net>
Date: Wed, 24 Nov 1999 11:39:29 -0800
Cc: openldap-software@OpenLDAP.org
In-reply-to: <199911241840.TAA31643@shiva.sbuilders.com>

At 06:40 PM 11/24/99 +0000, Manuel Guesdon wrote:
>Hello,
>
>I want to allow member of a group to add entries in for exemple dc=com but I want to allow deletion of dc=aa,dc=com only by
>members of group dc=aa,dc=com

The default model says if you have permission to delete entries
you could have added regardless if you have permission to modify
the entry itself.

You can compile with -DSLAPD_CHILD_MODIFICATION_WITH_ENTRY_ACL=1
to use a model which says that you can delete an entry if you
can modify it regardless of whether you could have added it.

>This doesn't seems to be possible as children attr is used for add and delete.

Actualy, "write" is used for add, delete, and modify.

>Is there a way to do what I want  ?

Not out of the box.

>If not, is it possible to add anothers attributes like children (may be children-add and children-delete) which will be tested
>for add or delete operation before testing children attribute (I don't know if ACL design are parts of the ldap RFC or if it's
>a "free" part).

There is some work being done by the IETF LDAPext WG
concerning Access Control Information.  We're currently
experimenting with draft specs in this area for OpenLDAP 2.0.

Kurt

----
Kurt D. Zeilenga		<kurt@boolean.net>
Net Boolean Incorporated	<http://www.boolean.net/>

References:
- ACL, delete and children
  - From: Manuel Guesdon <ml@sbuilders.com>

Prev by Date: Re: What is T.61 (Was: Chinese Character)
Next by Date: Re: What is T.61 (Was: Chinese Character)
Index(es):
- Chronological
- Thread