Re: Allowing users to add, but not delete, entries?

[Dieter Kluenter <dieter@dkluenter.de>]

Am Thu, 03 Mar 2011 13:30:09 +0000
schrieb Gervase Markham <gerv@mozilla.org>:

> Hi,
> 
> Summary: is it possible to configure access control such that users
> to can add, but not delete, entries?
> 
> Details:
> 
> My planned schema has a branch:
> 
> ou=tags,dc=example,dc=com
> 
> The entries below this are like this:
> 
> objectClass=groupOfNames
> cn=sometagname
> member=<user dn 1>
> member=<user dn 2>
> member=<user dn 3>
> ...
> 
> I have worked out how to make it so users can only add and remove 
> themselves from a tag:
> 
> access to dn.children="ou=tags,dc=example,dc=com" attrs=member,entry
>    # Allow people to add and remove themselves from any other tag
>    by dnattr=member selfwrite
>    # Allow anyone to read
>    by anonymous read
> 
> So far so good, but I would like authenticated users to be able to
> add new entries (tags), and add themselves as members to them, but
> _not_ to be able to delete tags.
> 
> Even better, the tag would be deletable, or even automatically
> removed, but only if the user removed their own name and there were
> no more members - i.e. it was empty. (I believe the member attribute
> is mandatory in groupOfNames, and I don't want it to be impossible
> for someone to remove their name because they are the only member!)
> 
> This is difficult, because as far as I can see the "write" permission 
> does not distinguish between adding and deleting.
> 
> Can someone tell me if this is possible?

Yes this is possible, man slapd.access(5) in particular read on
privileges, as an example: access to foo by foobar =ar


-Dieter





-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E