[Date Prev][Date Next] [Chronological] [Thread] [Top]

ACL: protect entry but not children

To: openldap-software@OpenLDAP.org
Subject: ACL: protect entry but not children
From: "Ace Suares" <ace@suares.com>
Date: Sat, 7 Sep 2002 15:04:08 -0400
Content-description: Mail message body

Hi,

Is there any page with good explanation about ACL's ?

If not, my question is:

Given a subtree "dc=example,dc=com"
we want to be able to add sub-entries to that tree, but at the same 
time we want to protect the "dc=example,dc=com" itself.
If possible without naming all attributes.

a real-life problem (i.e. headache):

# this lets you auth
# and lets you add, modify and delete admins
access to  
   dn.subtree="users=managers,aservice=_managers,application=cc"
   by group="group=managers,aservice=_managers,application=cc" write
   by anonymous auth

This ACL works, except that the entry itself can be modified, and if 
all leafs are deleted, the entry itself can be deleted too, which 
breaks the application entirely.

I tried dn.one, dn.base, dn.children.

I am using 2.0.23, which does support one, subtree, children, base, 
but not exact. If the use of these 'styles' is the problem, I know 
how to rewrite them to regular regular expressions.

TIA,
Ace


-- 
Ace Suares, Internet Consultancy and Training
Keizersgracht 132,      1015 CW AMSTERDAM, NL
phone: 06 557 06 554    (+31 6 557 06 554) (voicebox)
fax: 08 48 707 705      (+31 84 870 770 5)
mailto:ace@suares.com   http://www.suares.com

Follow-Ups:
- Re: ACL: protect entry but not children
  - From: "Ace Suares" <ace@suares.com>

Prev by Date: RE: Backend databases -- what are the differences?
Next by Date: Re: ACL: protect entry but not children
Index(es):
- Chronological
- Thread