[Date Prev][Date Next] [Chronological] [Thread] [Top]

ACL: protect entry but not children


Is there any page with good explanation about ACL's ?

If not, my question is:

Given a subtree "dc=example,dc=com"
we want to be able to add sub-entries to that tree, but at the same 
time we want to protect the "dc=example,dc=com" itself.
If possible without naming all attributes.

a real-life problem (i.e. headache):

# this lets you auth
# and lets you add, modify and delete admins
access to  
   by group="group=managers,aservice=_managers,application=cc" write
   by anonymous auth

This ACL works, except that the entry itself can be modified, and if 
all leafs are deleted, the entry itself can be deleted too, which 
breaks the application entirely.

I tried dn.one, dn.base, dn.children.

I am using 2.0.23, which does support one, subtree, children, base, 
but not exact. If the use of these 'styles' is the problem, I know 
how to rewrite them to regular regular expressions.


Ace Suares, Internet Consultancy and Training
Keizersgracht 132,      1015 CW AMSTERDAM, NL
phone: 06 557 06 554    (+31 6 557 06 554) (voicebox)
fax: 08 48 707 705      (+31 84 870 770 5)
mailto:ace@suares.com   http://www.suares.com