[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP create children only

To: derek@umiacs.umd.edu
Subject: Re: OpenLDAP create children only
From: masarati@aero.polimi.it
Date: Sat, 27 Aug 2011 06:47:25 +0200 (CEST)
Cc: openldap-technical@openldap.org
Importance: Normal
In-reply-to: <4E58701F.8060201@umiacs.umd.edu>
References: <4E58701F.8060201@umiacs.umd.edu>
User-agent: SquirrelMail/1.4.15

> Hi,
>
> I would like to give a set of users the ability to create objects in the
> directory under a specific dn.  It seems by reading the Admin Manual
> (specifically the bottom of 8.3.1) that setting the children attribute I
> can create correctly.  I do not wish that they can remove the DN after
> they have added. So I can't just give them write access to the DN or
> that will give them the ability to delete.  Am I missing something or is
> this just not possible with the current ACL structure.
>
> Eg.
>
> olcAccess: {9} to dn="ou=groups,dc=example,dc=com" attrs=children by
> dn.children="ou=people,dc=example,dc=com" write
>
> So I would like to add a group,
>
>   cn=foo,ou=groups,dc=example,dc=com
>
> but not allow someone in ou=people,dc=example,dc=com to delete the DN
> after it is created.

man slapd.access(5), note the possibility to split write (w) into add (a)
and delete (z).

p.

References:
- OpenLDAP create children only
  - From: Derek Yarnell <derek@umiacs.umd.edu>

Prev by Date: OpenLDAP create children only
Next by Date: TLS issue with SLES11
Index(es):
- Chronological
- Thread