
RE: "children" keyword in the field <what> of an ACL



Thank you for your answer, Edward

I was talking about the attrs=children

The objectClass name I was referring to was the one in this text extracted
from the slapd.access man page:

<--
       The statement attrs=<attrlist> selects the attributes the access
       control rule applies to. It is a comma-separated list of attribute
       types, plus the special names entry, indicating access to the entry
       itself, and children, indicating access to the entry's children.
       ObjectClass names may also be specified in this list, which will
       affect all the attributes that are required and/or allowed by that
       objectClass.
-->

In fact I hadn't understood this definition well: the objectClass name is a
kind of alias for the set of attributes it brings to the entry.

So here is my problem:

I want to give each person in my directory (i.e. each entry implementing
the "person" objectClass) some rights on the entries of their own subtree,
depending on which objectClass the entry implements.

For example, if every user has sub-entries of the class "storage", I want
the users to have read access on their "storage" entries. The same goes for
other sub-entries implementing the objectClass "parameter", on which I want
the user to have write access (but only within their own subtree).

That doesn't seem to be possible at the moment...


Francois Beretti
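
An added slapd.conf ACL fragment, not part of this thread, illustrating what the slapd.access text quoted above and Edward's address-book setup allow: per-user write access to the children of a user's own entry via attrs=children, a regex equivalent of dn.children versus direct children, and an objectClass name used in attrs= as an alias for its attribute set. The suffix dc=example,dc=com, the ou=people container, and the objectClass names storage and parameter (reused from the message above) are assumptions, not anything the list members posted.

```conf
# Added example, not from the thread. Assumed layout:
#   uid=<user>,ou=people,dc=example,dc=com          (a person entry)
#   cn=<x>,uid=<user>,ou=people,dc=example,dc=com   (that user's sub-entries)
# slapd evaluates "access to" clauses in order; the first clause whose
# <what> matches the entry/attribute decides. A group $N captured in the
# "to dn.regex" is substituted into the "by dn.regex" pattern below it.

# 1. Let a user add or delete entries directly beneath their own entry.
#    attrs=children grants write on the entry's children (i.e. creating
#    and removing them), not on the attributes of the user entry itself.
#    Caveat: $1 is pasted into a regex, so a uid containing regex
#    metacharacters would match more (or less) than intended.
access to dn.regex="^uid=([^,]+),ou=people,dc=example,dc=com$" attrs=children
        by dn.regex="^uid=$1,ou=people,dc=example,dc=com$" write
        by * none

# 2. Let a user read the attributes defined by the (assumed) objectClass
#    "storage" on any entry in their subtree. attrs=storage is only an
#    alias for the attributes required/allowed by that class; it does not
#    test which objectClass the child entry actually carries, which is
#    the limitation Edward describes.
access to dn.regex="^(.+,)uid=([^,]+),ou=people,dc=example,dc=com$" attrs=storage
        by dn.regex="^uid=$2,ou=people,dc=example,dc=com$" read
        by * none

# 3. Let a user write everything else beneath their own entry, whatever
#    its class (so "parameter" entries included). "(.+,)" matches any
#    depth, like dn.children; to restrict to direct children only, use
#    "([^,]+,)" instead, the equivalent of dn.one.
access to dn.regex="^(.+,)uid=([^,]+),ou=people,dc=example,dc=com$"
        by dn.regex="^uid=$2,ou=people,dc=example,dc=com$" write
        by * none
```

Because clause 2 precedes clause 3, attributes belonging to the storage class end up read-only and all other attributes writable, for every entry in the user's subtree regardless of which objectClass that entry has. Read-on-storage-entries versus write-on-parameter-entries, decided per entry, is exactly what this matching on DN and attribute list cannot express.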

-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org] On behalf of Edward Rudd
Sent: Thursday 4 September 2003 21:42
To: François Beretti
Cc: openldap-software@OpenLDAP.org
Subject: Re: "children" keyword in the field <what> of an ACL


Which "children" are you you referencing?
in the context of dn.children you are specifying that you are setting
ACLs for the children of this entry,  all children, not just direct
children, for just direct children use one.
in the context of attrs=children this is pretty much the same AFAIK.. I
use this in the setup of a private addressbook, where I give the user
permission to write to children of his entry to create the address book
entries.
you can't specify an objectClass in what.. you can specify that some dn
can read or write the objectClass attribute, but you can not specify oh
only let this user edit objectClasses of this type.

On Thu, 2003-09-04 at 09:23, François Beretti wrote:
> Hello all
>
> I am not sure I understand the meaning of the "children" keyword in the
> field <what> of an ACL
>
> 1) first, is this word talking about direct children, or any entry in the
> subtree?
>
> 2) then, if I specify an objectclass name with this keyword, will the target
> only be the children implementing the specified objectclass? Or will it be
> the children of any entry of such an objectclass?
>
> thank you very much
>
> Francois Beretti
>
>
> ____________
> Virus checked by G DATA AntiVirusKit
> Version: AVK 12.0.547 from 27.08.2003
> Virus news: www.antiviruslab.com
>
--
Edward Rudd <eddie@omegaware.com>
Home Page <http://urkle.drip.ws/>
