
ACLs that allow adding objects, but not deleting them, in a subtree?


I have two ACL-related problems.

 I'm creating an LDAP structure for a computer society where the members
 have to pay a member fee each year. We have a member registry right
 now (MySQL-based) that among other things stores the history of the
 member. That is, each time a change is made to the registry, a log
 line is written to the MySQL database.

 As I'm converting the rest of the registry to an LDAP tree, I'd like
 to have the history in the tree as well.

 I'm thinking about adding the history as objects below the
 users. That is, if my users have DNs like:


 I'm planning to put their history as leafs under


 having the time of the history event as last part of the DN, like


 (Yeah, quite a heavy DN, but I won't have to type it in manually that
 many times).

 First of all, is this for some reason an outrageously stupid way to do
 it? :-)

 Second, since I like the idea that all operations are made bound as
 the user itself, I'd like an ACL that allows the users to put history
 entries under the ou=history tree, but not delete or modify existing
 history entries. This is because when the users use the web-based
 tool I'm writing to change parts of their own info (their shell,
 password, homePhone, etc.), a log entry should be written. However,
 they should not be able to delete log entries written by software or
 by administrators.

 Is this possible in some way?

 One solution is to use an application-specific DN that writes the log
 entry, but I don't like that idea. Ideally, I should be able to write
 a tool in a scripting language that can lie around on any filesystem
 without problems with passwords that only certain users may see.

 A similar problem. I'd like my users to be able to create groups, and
 edit them as well. This also means I'd like my users to be able to
 add entries under ou=Groups,dc=lysator,dc=liu,dc=se but not delete
 others (except for the ones they own themselves - I've found the ACL
 syntax that enables them to edit groups they own because of an owner
 attribute listing their DN).

 Is this possible, or will I have to use an application-DN here?

Erik Forsberg                 http://www.lysator.liu.se/~forsberg/
GPG/PGP Key: 1024D/0BAC89D9
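The two questions in the post above (append-only history entries under each user, and groups that anyone may create but only owners may edit) are both answered by the same slapd mechanism: adding a child entry needs the *add* privilege on the parent's `children` pseudo-attribute, deleting one needs the *delete* privilege there, and slapd.access(5) in OpenLDAP 2.4 and later lets the two be granted separately (`=a` / `=z`, or the level names `add` / `delete`) instead of only as `write`. The following slapd.conf fragment is an added example written for this page, not code from the original post or from the OpenLDAP project. The post does not show its DNs, so the layout below (users under `ou=People`, a `cn=<timestamp>` leaf per log event, an assumed `cn=admins` group) is an assumption.

```conf
# Added example, not from the original post. Assumed layout:
#   user:      uid=<name>,ou=People,dc=lysator,dc=liu,dc=se
#   container: ou=history,uid=<name>,ou=People,dc=lysator,dc=liu,dc=se
#   log entry: cn=<timestamp>,ou=history,uid=<name>,ou=People,dc=lysator,dc=liu,dc=se
#   admins:    cn=admins,ou=Groups,dc=lysator,dc=liu,dc=se   (assumed group)
#
# slapd evaluates "access to" clauses in order: the first clause whose
# target matches decides, and within it the first matching "by" decides.
# Specific rules therefore go before general ones.

# 1. Creating a child of ou=history needs the add privilege on the
#    parent's "children" pseudo-attribute; deleting a child needs the
#    delete privilege there. "=a" grants add only, so the owner of the
#    subtree ($1 is the user DN captured by the regex) can append
#    history but never remove any of it.
access to dn.regex="^ou=history,(uid=[^,]+,ou=People,dc=lysator,dc=liu,dc=se)$"
        attrs=children
    by dn.exact,expand="$1" =a
    by group.exact="cn=admins,ou=Groups,dc=lysator,dc=liu,dc=se" write
    by * none

# 2. The log entry itself. An add also needs the add privilege on the
#    new entry's "entry" pseudo-attribute and on every attribute it
#    carries; no attrs= list, so this clause covers all of them.
#    "=rsca" = read, search, compare, add. Without "z" the owner cannot
#    delete a log entry, and because slapd's modify operation requires
#    full write (a+z) on the "entry" pseudo-attribute, existing log
#    entries cannot be changed by the owner either.
access to dn.regex="^cn=[^,]+,ou=history,(uid=[^,]+,ou=People,dc=lysator,dc=liu,dc=se)$"
    by dn.exact,expand="$1" =rsca
    by group.exact="cn=admins,ou=Groups,dc=lysator,dc=liu,dc=se" write
    by * none

# 3. Same idea for groups: any authenticated user may create a group
#    under ou=Groups, only admins may delete one.
access to dn.exact="ou=Groups,dc=lysator,dc=liu,dc=se" attrs=children
    by group.exact="cn=admins,ou=Groups,dc=lysator,dc=liu,dc=se" write
    by users =a
    by * none

#    For the group entries themselves, the "owner" attribute decides.
#    On an add, slapd checks the ACL against the entry as submitted, so
#    a user can only create a group whose owner attribute names their
#    own DN; afterwards that owner may modify it, others may only read.
access to dn.onelevel="ou=Groups,dc=lysator,dc=liu,dc=se"
    by group.exact="cn=admins,ou=Groups,dc=lysator,dc=liu,dc=se" write
    by dnattr=owner write
    by users read
    by * none

# 4. The user's own entry: the attributes the web tool edits. Modify
#    needs write on the "entry" pseudo-attribute too, so it is listed.
#    (Plain "by self write" without attrs= would also grant write on
#    the entry's "children", i.e. the right to add and delete
#    containers below the user, so the list is kept explicit.)
access to dn.subtree="ou=People,dc=lysator,dc=liu,dc=se" attrs=userPassword
    by self write
    by anonymous auth
    by * none

access to dn.subtree="ou=People,dc=lysator,dc=liu,dc=se"
        attrs=entry,loginShell,homePhone
    by self write
    by users read
    by * none

# 5. Everything else in ou=People (including the ou=history containers,
#    which must be readable for searches to descend into them).
access to dn.subtree="ou=People,dc=lysator,dc=liu,dc=se"
    by users read
    by * none
```

Because the user binds as themself, the web tool needs no stored application password, which is the property the post asks for. One limit remains for the group case: whether a delete is allowed is decided on the parent's `children` attribute, and that check knows nothing about the target entry's `owner` value, so "owners may delete their own groups" cannot be expressed this way; here deletion is left to the admins group. Before deploying, check each rule offline with slapacl(8), for example `slapacl -f slapd.conf -D "uid=alice,ou=People,dc=lysator,dc=liu,dc=se" -b "ou=history,uid=alice,ou=People,dc=lysator,dc=liu,dc=se" children/add` should report the privilege granted, while the same command with `children/delete` should report it denied (the `uid=alice` DN is a constructed test value).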