
Re: OpenLDAP create children only

> Hi,
> I would like to give a set of users the ability to create objects in the
> directory under a specific dn.  It seems by reading the Admin Manual
> (specifically the bottom of 8.3.1) that setting the children attribute I
> can create correctly.  I do not wish that they can remove the DN after
> they have added. So I can't just give them write access to the DN or
> that will give them the ability to delete.  Am I missing something or is
> this just not possible with the current ACL structure?
> E.g.
> olcAccess: {9} to dn="ou=groups,dc=example,dc=com" attrs=children by
> dn.children="ou=people,dc=example,dc=com" write
> So I would like to add a group,
>   cn=foo,ou=groups,dc=example,dc=com
> but not allow someone in ou=people,dc=example,dc=com to delete the DN
> after it is created.

man slapd.access(5), note the possibility to split write (w) into add (a)
and delete (z).
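A worked version of that advice, added here as an example and not taken from the thread: an LDIF change for cn=config that keeps the question's target and subject but replaces the blanket `write` on the parent's `children` pseudo-attribute with the add-only privilege `=a`, so users under ou=people can create groups but cannot delete (or rename away) what they created. The config database name `olcDatabase={1}mdb`, the rule indices `{9}`/`{10}` (reusing the question's `{9}`), and the attribute list for the new group entries are assumptions; adjust them to the real database and rule order, since olcAccess rules are evaluated in sequence and the first matching `to` clause decides.

```ldif
# Added example (not the original poster's config). Assumes the data
# database is olcDatabase={1}mdb,cn=config and that indices {9} and {10}
# are the right positions in the existing olcAccess ordering.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
# Parent's "children" pseudo-attribute: "=a" grants exactly the add
# privilege. Creating an entry under ou=groups is allowed; deleting or
# renaming one away needs the delete privilege "z" on children, which
# is not granted, so those operations are refused.
olcAccess: {9}to dn.base="ou=groups,dc=example,dc=com" attrs=children
  by dn.children="ou=people,dc=example,dc=com" =a
  by * none
# An add also needs write (add) access to the new entry's "entry"
# pseudo-attribute and to every attribute it carries. The attribute
# list is an assumption for groupOfNames-style groups; widen it to match
# the object classes you actually create. Deletion stays blocked because
# it is denied at the parent's children attribute in rule {9} above.
olcAccess: {10}to dn.one="ou=groups,dc=example,dc=com" attrs=entry,objectClass,cn,member,description
  by dn.children="ou=people,dc=example,dc=com" write
  by * read
```

Apply it with `ldapmodify -Y EXTERNAL -H ldapi:/// -f addonly.ldif` (or whatever identity administers cn=config on the host), then test with a bind as one of the ou=people users: an `ldapadd` of `cn=foo,ou=groups,dc=example,dc=com` should succeed and an `ldapdelete` of the same DN should come back with insufficient access. The `by * none` in rule {9} is there to make the denial explicit for everyone else rather than relying on fall-through; the rootdn is not subject to these rules and can still delete.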