Re: ACL, delete and children
At 06:40 PM 11/24/99 +0000, Manuel Guesdon wrote:
>I want to allow members of a group to add entries in, for example, dc=com, but I want to allow deletion of dc=aa,dc=com only by
>members of the group dc=aa,dc=com.
The default model says you have permission to delete entries
you could have added, regardless of whether you have permission to modify
the entry itself.
You can compile with -DSLAPD_CHILD_MODIFICATION_WITH_ENTRY_ACL=1
to use a model which says that you can delete an entry if you
can modify it regardless of whether you could have added it.
>This doesn't seem to be possible, as the children attribute is used for both add and delete.
Actually, "write" is used for add, delete, and modify.
>Is there a way to do what I want ?
Not out of the box.
>If not, is it possible to add other attributes like children (maybe children-add and children-delete) which will be tested
>for add or delete operations before testing the children attribute? (I don't know if ACL design is part of the LDAP RFCs or if it's
>a "free" part.)
There is some work being done by the IETF LDAPext WG
concerning Access Control Information. We're currently
experimenting with draft specs in this area for OpenLDAP 2.0.
Kurt D. Zeilenga <firstname.lastname@example.org>
Net Boolean Incorporated <http://www.boolean.net/>
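To make the two models concrete, here is an added slapd.conf fragment written in the later OpenLDAP 2.x ACL syntax; it is an illustration added to this archived message, not configuration from the original thread or from the OpenLDAP project, and the group DN cn=adders,dc=com is assumed.

```conf
# Added example (assumed group DNs), OpenLDAP 2.x ACL syntax.
# Who may add entries beneath dc=com. In the default model, write
# access to the parent's "children" pseudo-attribute covers both
# adding and deleting child entries, so members of cn=adders,dc=com
# can also delete dc=aa,dc=com; there is no separate
# children-add / children-delete right to grant.
access to dn.base="dc=com" attrs=children
    by group.exact="cn=adders,dc=com" write
    by * none

# Only matters when slapd is built with
# -DSLAPD_CHILD_MODIFICATION_WITH_ENTRY_ACL=1 (the model from the
# reply above): deletion is then gated by write access to the entry
# itself ("entry" pseudo-attribute), so this rule limits deletion of
# dc=aa,dc=com to members of the group dc=aa,dc=com, regardless of
# who holds "children" write on dc=com.
access to dn.base="dc=aa,dc=com" attrs=entry
    by group.exact="dc=aa,dc=com" write
    by * read
```

When reviewing such ACLs, check the children grant on the parent first: in the default build it is the rule that actually decides who can delete the subtree's entries.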