[Date Prev][Date Next]
Re: Allowing users to add, but not delete, entries?
Am Thu, 03 Mar 2011 13:30:09 +0000
schrieb Gervase Markham <firstname.lastname@example.org>:
> Summary: is it possible to configure access control such that users
> to can add, but not delete, entries?
> My planned schema has a branch:
> The entries below this are like this:
> member=<user dn 1>
> member=<user dn 2>
> member=<user dn 3>
> I have worked out how to make it so users can only add and remove
> themselves from a tag:
> access to dn.children="ou=tags,dc=example,dc=com" attrs=member,entry
> # Allow people to add and remove themselves from any other tag
> by dnattr=member selfwrite
> # Allow anyone to read
> by anonymous read
> So far so good, but I would like authenticated users to be able to
> add new entries (tags), and add themselves as members to them, but
> _not_ to be able to delete tags.
> Even better, the tag would be deletable, or even automatically
> removed, but only if the user removed their own name and there were
> no more members - i.e. it was empty. (I believe the member attribute
> is mandatory in groupOfNames, and I don't want it to be impossible
> for someone to remove their name because they are the only member!)
> This is difficult, because as far as I can see the "write" permission
> does not distinguish between adding and deleting.
> Can someone tell me if this is possible?
Yes this is possible, man slapd.access(5) in particular read on
privileges, as an example: access to foo by foobar =ar
Dieter Klünter | Systemberatung
GPG Key ID:DA147B05