[Date Prev][Date Next] [Chronological] [Thread] [Top]

One more ACL question


I have a tree where each ou has a manager attribute containing the DN of
users allowed to perform some administrative operations:

dn: ou=foo,o=home
ou: foo
objectClass: netExampleService
manager: uid=admin,ou=bar,o=home

I already have an ACL allowing managers to create and delete children in
the ou where they are listed as manager:

access to dn.regex="(ou=.+,o=home)$" attrs=children
    by group/netExampleService/manager.expand="$1" write stop
    by * read stop

Now I would like to restrict the delete operation to children that do
not have a given attribute set. i.e.: I want the ACL above to apply only
on children matching the filter (!(locked=TRUE))

Is it possible? 

If it is not, is there a way to give the addition right without giving
the delete right?

Emmanuel Dreyfus