Hi,
I would like to give a set of users the ability to create objects in the directory under a specific DN. It seems, from reading the Admin Manual (specifically the bottom of 8.3.1), that by setting the children attribute I can create correctly. I do not wish that they can remove the DN after they have added it. So I can't just give them write access to the DN, or that will give them the ability to delete. Am I missing something, or is this just not possible with the current ACL structure?
E.g.
olcAccess: {9} to dn="ou=groups,dc=example,dc=com" attrs=children by dn.children="ou=people,dc=example,dc=com" write
So I would like to add a group,
cn=foo,ou=groups,dc=example,dc=com
but not allow someone in ou=people,dc=example,dc=com to delete the DN after it is created.
man slapd.access(5), note the possibility to split write (w) into add (a) and delete (z).
p.
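
The split the reply points to, written out against the rule from the question. This is an added example, not configuration from either poster; the second rule, its index {10} and its dn.onelevel scope are assumptions, since the thread does not show how access to the new entries themselves is granted.

```ldif
# Added example (constructed), not the poster's actual configuration.
# Rule from the question: "write" on the parent's children pseudo-attribute
# carries both add (a) and delete (z), so members of ou=people can remove
# entries under ou=groups as well as create them.
#
#   olcAccess: {9}to dn="ou=groups,dc=example,dc=com" attrs=children
#     by dn.children="ou=people,dc=example,dc=com" write
#
# Same rule with the access level narrowed to "add": child entries can be
# created, but a delete is refused because it needs z on the parent's children.
olcAccess: {9}to dn="ou=groups,dc=example,dc=com" attrs=children
  by dn.children="ou=people,dc=example,dc=com" add
# Assumed companion rule: an add also needs a on the "entry" pseudo-attribute
# (and on the attributes) of the entry being created. The index {10} and the
# dn.onelevel scope are assumptions; the thread does not show this rule.
olcAccess: {10}to dn.onelevel="ou=groups,dc=example,dc=com"
  by dn.children="ou=people,dc=example,dc=com" add
```

slapacl(8) can be used to check the privileges a given bind DN ends up with before relying on the rule.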