RE: ACL changes for add/delete/rename and back-shell
> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
> At 11:41 AM 2002-10-08, Howard Chu wrote:
> >What does entry write access mean when adding an entry?
> This lets you set up an ACL that says someone can/cannot
> create a specific entry?
>
> Yes.
> access to dn.one="ou=people,o=foo" attr=entry
> filter=(objectClass=person)
> by dn="ou=manager,o=foo" write
> by * read
>
> means that only "ou=manager,o=foo" can add person objects
> directly under "ou=people,o=foo" (assuming "ou=manager,o=foo"
> also has "children" write access to "ou=people,o=foo").
That all sounds good, but it also sounds like extra rules are now needed.
I.e., if I have an existing set of ACLs that grants
access to dn="ou=people,o=foo" attr=children
by dn="ou=manager,o=foo" write
by * read
but I don't have the corresponding attr=entry ACL from above, then
"ou=manager,o=foo" can't actually create any children of "ou=people,o=foo"?
It seems that attr=children ACLs are obsoleted by this change.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
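Putting the two rules from the thread side by side, as an added example (not configuration from either poster), of what a slapd.conf would need under the semantics Kurt describes: the children rule on the parent by itself is the case Howard asks about, and the entry rule on the prospective child is the extra rule required alongside it. The DNs are the thread's; dn.base in the first "to" clause and the attrs= spelling of the attr= keyword are my choices.

```conf
# Case from the thread: "children" write on the parent only. Under the
# proposed semantics this grants nothing about write access to the
# "entry" pseudo-attribute of the object being added, so an add still
# needs a second, matching rule.
access to dn.base="ou=people,o=foo" attrs=children
        by dn="ou=manager,o=foo" write
        by * read

# Rule required in addition: "entry" write on any person object that
# would sit directly under ou=people,o=foo. The filter limits the grant
# to person objects; adding other object classes there is not covered
# by this clause.
access to dn.one="ou=people,o=foo" attrs=entry filter=(objectClass=person)
        by dn="ou=manager,o=foo" write
        by * read
```

Because slapd applies the first access directive whose "to" part matches and these two select different pseudo-attributes, their relative order in slapd.conf does not matter; each is evaluated for its own attribute.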