Hello
I have a tree where each ou has a manager attribute containing the DN of users allowed to perform some administrative operations:
dn: ou=foo,o=home
ou: foo
objectClass: netExampleService
manager: uid=admin,ou=bar,o=home
I already have an ACL allowing managers to create and delete children in the ou where they are listed as manager:
access to dn.regex="(ou=.+,o=home)$" attrs=children
    by group/netExampleService/manager.expand="$1" write stop
    by * read stop
Now I would like to restrict the delete operation to children that do not have a given attribute set, i.e. I want the ACL above to apply only to children matching the filter (!(locked=TRUE)).
Is it possible?
If it is not, is there a way to give the addition right without giving the delete right?
Emmanuel Dreyfus manu@netbsd.org wrote:
> If it is not, is there a way to give the addition right without giving the delete right?
Following up myself:
Yes, it seems possible. According to the documentation, in order to add, one needs write access to:
- attrs=children of the parent

In order to delete, one needs write access to:
- attrs=children of the parent
- attrs=entry of the entry to be deleted
So it seems possible to do what I'm looking for by using two ACLs. Does something like this look reasonable?
access to dn.regex="(ou=.+,o=home)$" attrs=children
    by group/netExampleService/manager.expand="$1" write stop
    by * read stop

# the group clause needs a dn.regex capture for "$1" to expand to the parent ou
access to dn.regex="(ou=.+,o=home)$" filter="(!(locked=TRUE))" attrs=entry
    by group/netExampleService/manager.expand="$1" write stop
    by * read stop
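The two rules quoted in the reply (add needs write on the parent's children pseudo-attribute; delete needs that plus write on the target's entry pseudo-attribute) can be checked on paper before touching slapd.conf. The following is an added illustration, not code from the thread or from OpenLDAP: a small Python model of the two proposed ACLs evaluated over a constructed sample tree. It assumes slapd's first-match "stop" semantics, the default of read when no clause matches, an implicit "by * none" when a clause's "by" lines are exhausted, and that the second ACL carries the same dn.regex as the first so that "$1" resolves to the parent ou. The tree, the DIRECTORY/ACLS data layout and the helper names are all made up for the example.

```python
import re

# Constructed sample tree (not from the thread): one ou whose manager is
# uid=admin, with an unlocked child and a child flagged locked=TRUE.
DIRECTORY = {
    "o=home": {"objectClass": ["organization"]},
    "ou=bar,o=home": {"objectClass": ["organizationalUnit"]},
    "uid=admin,ou=bar,o=home": {"objectClass": ["inetOrgPerson"]},
    "ou=foo,o=home": {"objectClass": ["netExampleService"],
                      "manager": ["uid=admin,ou=bar,o=home"]},
    "uid=alice,ou=foo,o=home": {"objectClass": ["inetOrgPerson"]},
    "uid=bob,ou=foo,o=home": {"objectClass": ["inetOrgPerson"],
                              "locked": ["TRUE"]},
}
ADMIN = "uid=admin,ou=bar,o=home"


def not_locked(entry):
    """Python stand-in for the ACL filter (!(locked=TRUE))."""
    return "TRUE" not in entry.get("locked", [])


# The two 'access to' clauses from the thread, as data. The second clause
# is given the same dn.regex as the first so that "$1" has something to
# expand to (an assumption about how the posted ACL is meant to be read).
MANAGER = {"who": "group", "objectclass": "netExampleService",
           "attr": "manager", "pattern": "$1", "access": "write"}
ANYONE = {"who": "*", "access": "read"}
ACLS = [
    {"dn_regex": r"(ou=.+,o=home)$", "filter": None,
     "attrs": {"children"}, "by": [MANAGER, ANYONE]},
    {"dn_regex": r"(ou=.+,o=home)$", "filter": not_locked,
     "attrs": {"entry"}, "by": [MANAGER, ANYONE]},
]


def parent_of(dn):
    parts = dn.split(",", 1)
    return parts[1] if len(parts) == 2 else ""


def access_level(binddn, target_dn, attr):
    """Access the first matching clause grants (every 'by' line ends in
    'stop', so the first matching clause decides). Requests no clause
    matches get slapd's default of read; a clause none of whose 'by'
    lines match denies (implicit 'by * none')."""
    entry = DIRECTORY.get(target_dn, {})
    for rule in ACLS:
        m = re.search(rule["dn_regex"], target_dn)
        if not m or attr not in rule["attrs"]:
            continue
        if rule["filter"] is not None and not rule["filter"](entry):
            continue
        for by in rule["by"]:
            if by["who"] == "*":
                return by["access"]
            # group/<objectclass>/<attr>.expand="$1": substitute the
            # dn.regex capture groups into the pattern, then test membership.
            group_dn = re.sub(r"\$(\d)",
                              lambda s: m.group(int(s.group(1))),
                              by["pattern"])
            group = DIRECTORY.get(group_dn, {})
            if (by["objectclass"] in group.get("objectClass", [])
                    and binddn in group.get(by["attr"], [])):
                return by["access"]
        return "none"
    return "read"


def can_add(binddn, new_dn):
    """Add: write on the parent's 'children' pseudo-attribute."""
    return access_level(binddn, parent_of(new_dn), "children") == "write"


def can_delete(binddn, dn):
    """Delete: write on the parent's 'children' AND on the target's
    'entry' pseudo-attribute, which is what the locked filter withholds."""
    return (access_level(binddn, parent_of(dn), "children") == "write"
            and access_level(binddn, dn, "entry") == "write")


if __name__ == "__main__":
    print("add under ou=foo:", can_add(ADMIN, "uid=new,ou=foo,o=home"))
    for dn in ("uid=alice,ou=foo,o=home", "uid=bob,ou=foo,o=home"):
        print("delete", dn + ":", can_delete(ADMIN, dn))
```

The model only covers the two pseudo-attribute checks the reply quotes; it says nothing about attribute-level access on the entry being added, about modrdn, or about whether the manager can set or clear the locked attribute itself, all of which depend on the rest of the real ACL set and should be verified against a test slapd with ldapadd and ldapdelete before relying on it.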
openldap-software@openldap.org