(Answer) (Category) OpenLDAP Faq-O-Matic : (Category) OpenLDAP Software FAQ : (Category) Configuration : (Category) SLAPD Configuration : (Category) Access Control : (Answer) How do I give modify/delete permissions to an entry's creator only?
Entry creation/deletion requires write access to the children pseudo-attribute of the entry's parent and to the entry pseudo-attribute of the entry itself. Modifications to an entry require write access to the attributes that are to be modified. In general, one wants to give some identity the permission to create/delete entries, and some other identity the permission to modify the entry's values. Typically, a set of identities may have the permission to add/modify/delete entries; in this example, let's assume that a group of users, "cn=foo,ou=Groups,dc=example,dc=com" can add entries immediately below a certain entry, "cn=bar,ou=Stuff,dc=example,dc=com". However, we want only the entry's creator to be allowed to modify and delete it. This can be easily obtained by means of sets.

First, let's give the group write access to the parent's children pseudo-attribute: 

        access to dn.exact="cn=bar,ou=Stuff,dc=example,dc=com" attrs=children
                by group.exact="cn=foo,ou=Groups,dc=example,dc=com" write
No other permissions are required, because the children pseudo-attribute is not required for other purposes.

Now, let's give the creator the permission to modify/delete the entries: 

        access to dn.onelevel="cn=bar,ou=Stuff,dc=example,dc=com" attrs=entry,@extensibleObject
                by set="this/creatorsName & user" write
                by * read
Note that access is given to the entry pseudo-attribute as well as to all the regular attributes, as indicated by @extensibleObject, i.e. to all the attributes required/allowed by the extensibleObject objectClass (all).
The set form of the <by> clause is matched when the user (the identity that's requesting access) is equal to the creatorsName value of the object this (the target).
Also, note that the last <by> clause gives read access to all; this is required, because read access to the entry pseudo-attribute of an entry is also required by the search operation to return an entry.
If all is required is to match the creatorsName, the use of sets can be saved by using the dnattr clause.

So, this pair of ACLs 

        access to dn.base="dc=example,dc=com" attrs=children
                by users write
 
        access to dn.onelevel="dc=example,dc=com"
                by dnattr=creatorsName write
                by * read
allows all users permission to create children of "dc=example,dc=com", but only gives the entry's creator write (i.e. modify and delete) permissions.

The use of sets as described above, however, may allow more expressive semantics.

[Append to This Answer]
Previous: (Answer) How do I allow entry creation?
Next: (Answer) What are the tips for using regular expressions in ACLs?
This document is: http://www.openldap.org/faq/index.cgi?file=1140
[Search] [Appearance]
This is a Faq-O-Matic 2.721.test.
© Copyright 1998-2013, OpenLDAP Foundation, info@OpenLDAP.org