[Date Prev][Date Next] [Chronological] [Thread] [Top]

ACLs that allows adding objects, but not deleting them, in a subtree?

To: openldap-software@OpenLDAP.org
Subject: ACLs that allows adding objects, but not deleting them, in a subtree?
From: Erik Forsberg <forsberg+olsoftware02@lysator.liu.se>
Date: 08 Jan 2003 19:59:29 +0100
User-agent: Gnus/5.0807 (Gnus v5.8.7) Emacs/20.7

Hi!

I have two ACL-related problems.

1)
I'm creating a LDAP structure for a computer society where the members
have to pay a member fee each year. We have a member registry right
now (MySQL-based) that among other things store the history of the
member. That is, each time a change is made to the registry, a log
line is written to the MySQL database.

As I'm converting the rest of the registry to a LDAP tree, I'd like
to have the history as well in the tree.

I'm thinking about adding the history as objects below the
users. That is, if my users have dn's like:

uid=forsberg,ou=People,dc=lysator,dc=liu,dc=se

I'm planning to put their history as leafs under

ou=history,uid=forsberg,ou=People,dc=lysator,dc=liu,dc=se

having the time of the history event as last part of the DN, like
this:

liuLysatorHistoryEntryTime=20030108195200Z,ou=history,uid=forsberg,ou=People,dc=lysator,dc=liu,dc=se

(Yeah, quite a heavy DN, but I won't have to type it in manually that
many times).

First of all, is this by some reason a outrageously stupid way to do
it? :-)

Seconds, since I like the idea that all operations are made bound as
the user itself, I'd like a ACL that allows the users to put history
entries under the ou=history tree, but not delete or modify existing
history entries. This is because when the users use the web-based
tool I'm writing to change parts of their own info (their shell,
password, homePhone, etc.), a log entry should be written. However,
they should not be able to delete log entries written by software or
by administrators.

Is this possible in some way?

One solution is to use a application-specific DN that writes the log
entry, but I don't like that idea. Ideally, I should be able to write
a tool in a script language that can lie around on any filesystem
without problems with passwords that only certain users may see.

2)
A similar problem. I'd like my users to be able to create groups, and
edit them as well. This also means I'd like my users to be able to
add entries under ou=Groups,dc=lysator,dc=liu,dc=se but not delete
others (except for the ones they own themselves - I've found the ACL
syntax that enables them to edit groups they own because of a owner
attribute listing their DN.

Is this possible, or will I have to use a application-DN here?

Thanks,
\EF
--
Erik Forsberg http://www.lysator.liu.se/~forsberg/
GPG/PGP Key: 1024D/0BAC89D9

Prev by Date: Re: Monitor Backend
Next by Date: Openldap 2.1.12 vs 2.0.27
Index(es):
- Chronological
- Thread