
Setting a whole subtree temporarily read-only based on an attribute?


I've been reading the slapd.access back and forth a few times in search for a way to make an ACL, which defines read (and only read) access to a whole subtree in the DIT based on the value of an attribute of the subtree root node.

I've found out how to do it for a named user by defining a group attribute on the node like this:

olcAccess: {2}to dn.regex="^.+,o=([^,]+),dc=example,dc=com" by group/NamedObject/denied.expand="o=$1,dc=example,dc=com" read by * +0 break

But this only denies the named DNs write access. What I want is to deny everybody write access to everything below the o=$1 RDN.

Conceptually I would also imagine that this would belong in the <WHAT> clause of the ACL and not in the <WHO> clause, but I can't find any mechanism to do stuff like:

access to dn.<which-have-attr-set-to-readonly>.children by * read

What is the text-book way to do this?
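As an added illustration that is not part of the original post, the following Python snippet replays the dn.regex match and the `$1` expansion from the olcAccess rule above against a few constructed DNs, so one can see which entries the <what> clause actually covers before the <who> clause is even consulted. It uses Python's re module instead of slapd's regex engine (the pattern has the same meaning in both) and assumes the DNs are already in the normalized form slapd matches against; the sample DNs are made up for the example.

```python
import re
from typing import Dict, Iterable, Optional

# <what> pattern and <who> expansion template copied from the olcAccess rule
# in the post. Note the pattern is anchored at the start only.
DN_PATTERN = re.compile(r"^.+,o=([^,]+),dc=example,dc=com")
GROUP_TEMPLATE = "o=$1,dc=example,dc=com"


def expand_group_dn(target_dn: str) -> Optional[str]:
    """Return the group DN slapd would build for target_dn, or None when the
    <what> clause does not match (slapd then skips this rule entirely and
    falls through to the next access directive)."""
    m = DN_PATTERN.match(target_dn)
    if m is None:
        return None
    return GROUP_TEMPLATE.replace("$1", m.group(1))


def classify(dns: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each DN to the expanded group DN, or None if the rule is skipped."""
    return {dn: expand_group_dn(dn) for dn in dns}


# Constructed sample DNs (not from the post) chosen to expose the edge cases:
#  - an entry below the o= node: matched, $1 is the organisation value
#  - the o= node itself: NOT matched, because "^.+," requires at least one
#    RDN in front of "o=", so the root of the subtree is not covered
#  - a deeper nesting with two o= RDNs: the greedy ".+" makes $1 the o=
#    directly above dc=example,dc=com, as intended
#  - a DN with trailing components: still matched because the pattern has no
#    "$" anchor; add one if the rule must only apply under the suffix
SAMPLE_DNS = [
    "cn=alice,ou=people,o=acme,dc=example,dc=com",
    "o=acme,dc=example,dc=com",
    "cn=bob,o=branch,o=acme,dc=example,dc=com",
    "cn=carol,o=acme,dc=example,dc=com,dc=other",
]

if __name__ == "__main__":
    for dn, group in classify(SAMPLE_DNS).items():
        status = "rule skipped" if group is None else f"group -> {group}"
        print(f"{dn}: {status}")
```

Running it shows the practical consequence for the question asked above: the rule never fires for the `o=...` entry itself, only for its children, and the regex decides the scope of the rule purely from the DN string, never from any attribute stored on the subtree root.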