Re: ACL : give a user the right to create objects, but to modify only those he created
François Beretti writes:
>Hallvard B Furuseth wrote:
>>See OPERATION REQUIREMENTS in slapd.access(5):
>>
>> The add operation requires write (=w) privileges on the
>> pseudo-attribute entry of the entry being added, and write
>> (=w) privileges on the pseudo-attribute children of the
>> entry's parent.
>>
>> The modify operation requires write (=w) privileges on the
>> attributes being modified.
>>
> According to what you say, the right to add an entry implies the right to
> modify it and to delete it.
> So if every user can create these entries, then every user can delete them.
Ouch - Add access does include Delete access.
Modify, no: to modify you need access to the individual attributes, but
not to 'entry'. To add you need the opposite: access to 'entry' but not
to the individual attributes (plus 'children' of the parent). At least
that's how I read it.
However, I don't think it matters. I haven't time to test it now, but
this looks like it should work - since 'add' access seems to be checked
against the entry about to be added:
# Assuming this is where you want to allow people to add entries:
access to dn.exact=ou=foo,dc=enatel,dc=com attrs=children
        by users write
        by * read
access to dn.onelevel=ou=foo,dc=enatel,dc=com
        filter=(objectClass=inetOrgPerson or whatever)
        by dnattr=creatorsName write
        by * read
access to * by * read
--
Hallvard
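As an added illustration (not from the post above nor from the OpenLDAP sources), a small Python model of how slapd would evaluate that ACL under the OPERATION REQUIREMENTS quoted from slapd.access(5): add and delete need write on the target's 'entry' and on the parent's 'children', modify needs write on each attribute touched. The clause matching, the dnattr=creatorsName test and the filter are constructed simplifications, and it assumes, as the post does, that an entry being added already carries creatorsName equal to the bind DN when its 'entry' access is checked.

```python
LEVELS = {"none": 0, "read": 1, "write": 2}
# Constructed ACL mirroring the post's three clauses. ASSUMPTION (as the post
# speculates): an entry being added already has creatorsName = bind DN.
ACL = [
    {"dn": ("exact", "ou=foo,dc=enatel,dc=com"), "attrs": {"children"},
     "by": [("users", "write"), ("*", "read")]},
    {"dn": ("onelevel", "ou=foo,dc=enatel,dc=com"), "objectclass": "inetOrgPerson",
     "by": [("dnattr=creatorsName", "write"), ("*", "read")]},
    {"dn": ("any", None), "by": [("*", "read")]},
]

def parent(dn):
    return dn.split(",", 1)[1] if "," in dn else ""

def target_matches(rule, dn, attr, entry):
    """Does an 'access to' clause cover this (dn, attribute) pair?  A clause
    without attrs= is modelled as covering 'entry' and 'children' too."""
    scope, base = rule["dn"]
    if scope == "exact" and dn != base:
        return False
    if scope == "onelevel" and parent(dn) != base:
        return False
    if "attrs" in rule and attr not in rule["attrs"]:
        return False
    oc = rule.get("objectclass")
    return oc is None or oc in entry.get("objectClass", ())

def granted(acl, binddn, dn, attr, entry):
    """First matching clause decides; first matching 'by' wins, else none."""
    for rule in acl:
        if not target_matches(rule, dn, attr, entry):
            continue
        for who, level in rule["by"]:
            if who == "*" or (who == "users" and binddn) or (
                who == "dnattr=creatorsName" and binddn
                and entry.get("creatorsName") == binddn):
                return LEVELS[level]
        return LEVELS["none"]
    return LEVELS["none"]

def allowed(acl, op, binddn, dn, entry, attrs=()):
    """slapd.access(5): add/delete need write on target 'entry' + parent 'children'."""
    w = LEVELS["write"]
    if op in ("add", "delete"):
        return (granted(acl, binddn, dn, "entry", entry) >= w
                and granted(acl, binddn, parent(dn), "children", {}) >= w)
    if op == "modify":
        return all(granted(acl, binddn, dn, a, entry) >= w for a in attrs)
    raise ValueError(op)
```

Against this model the creator keeps write on an entry under ou=foo while any other authenticated user, who still gets 'children' write on ou=foo, is stopped at the entry's own 'entry' pseudo-attribute and so cannot delete it.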