Hello
I have a tree where each ou has a manager attribute containing the DN of users allowed to perform some administrative operations:
dn: ou=foo,o=home ou: foo objectClass: netExampleService manager: uid=admin,ou=bar,o=home
I already have an ACL allowing managers to create and delete children in the ou where they are listed as manager:
access to dn.regex="(ou=.+,o=home)$" attrs=children by group/netExampleService/manager.expand="$1" write stop by * read stop
Now I would like to restrict the delete operation to children that do not have a given attribute set. i.e.: I want the ACL above to apply only on children matching the filter (!(locked=TRUE))
Is it possible?
If it is not, is there a way to give the addition right without giving the delete right?