ACL: protect entry but not children
Is there any page with a good explanation of ACLs?
If not, my question is:
Given a subtree "dc=example,dc=com"
we want to be able to add sub-entries to that tree, but at the same
time we want to protect the "dc=example,dc=com" itself.
If possible without naming all attributes.
A real-life problem (i.e. headache):
# this lets you auth
# and lets you add, modify and delete admins
by group="group=managers,aservice=_managers,application=cc" write
by anonymous auth
This ACL works, except that the entry itself can be modified, and if
all leaves are deleted, the entry itself can be deleted too, which
breaks the application entirely.
I tried dn.one, dn.base, dn.children.
I am using 2.0.23, which does support one, subtree, children, base,
but not exact. If the use of these 'styles' is the problem, I know
how to rewrite them to regular expressions.
Ace Suares, Internet Consultancy and Training
Keizersgracht 132, 1015 CW AMSTERDAM, NL
phone: 06 557 06 554 (+31 6 557 06 554) (voicebox)
fax: 08 48 707 705 (+31 84 870 770 5)
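
One way to express the requirement above, as an added example that is not part of the original post or of the OpenLDAP project's own documentation. It relies on slapd's "children" and "entry" pseudo-attributes and assumes the poster's group DN and base DN; the "attrs=" spelling follows slapd.access(5), and old releases such as 2.0.x spell it "attr=".

```conf
# Added example (slapd.conf ACL fragment). slapd uses the first
# "access to" clause whose <what> matches, so the order below matters.

# 1. Adding or deleting an entry directly below the base entry requires
#    write access to the parent's "children" pseudo-attribute.
#    Grant that, and only that, on the base entry.
access to dn.base="dc=example,dc=com" attrs=children
    by group="group=managers,aservice=_managers,application=cc" write
    by * none

# 2. Every other attribute of the base entry, including the "entry"
#    pseudo-attribute that a modify or delete of the entry itself
#    needs, is read-only for the managers. No attribute list is
#    required: this clause catches whatever clause 1 did not.
access to dn.base="dc=example,dc=com"
    by group="group=managers,aservice=_managers,application=cc" read
    by anonymous auth
    by * none

# 3. Everything below the base entry stays writable for the managers,
#    so sub-entries can still be added, modified and deleted.
access to dn.children="dc=example,dc=com"
    by group="group=managers,aservice=_managers,application=cc" write
    by anonymous auth
    by * none
```

With this ordering, deleting the last child no longer exposes the base entry: removing "dc=example,dc=com" itself needs write access to its "entry" pseudo-attribute, which clause 2 limits to read.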