On Thu, 03 Mar 2011 13:30:09 +0000, Gervase Markham gerv@mozilla.org wrote:
Hi,
Summary: is it possible to configure access control such that users can add, but not delete, entries?
Details:
My planned schema has a branch:
ou=tags,dc=example,dc=com
The entries below this are like this:
objectClass=groupOfNames
cn=sometagname
member=<user dn 1>
member=<user dn 2>
member=<user dn 3>
...
I have worked out how to make it so users can only add and remove themselves from a tag:
access to dn.children="ou=tags,dc=example,dc=com" attrs=member,entry
    # Allow people to add and remove themselves from any other tag
    by dnattr=member selfwrite
    # Allow anyone to read
    by anonymous read
So far so good, but I would like authenticated users to be able to add new entries (tags), and add themselves as members to them, but _not_ to be able to delete tags.
Even better, the tag would be deletable, or even automatically removed, but only if the user removed their own name and there were no more members - i.e. it was empty. (I believe the member attribute is mandatory in groupOfNames, and I don't want it to be impossible for someone to remove their name because they are the only member!)
This is difficult, because as far as I can see the "write" permission does not distinguish between adding and deleting.
Can someone tell me if this is possible?
Yes, this is possible; see man slapd.access(5), in particular the section on privileges. As an example:
access to foo by foobar =ar
-Dieter
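An added slapd.conf-style example (not from either poster) that applies the "=" privilege form from Dieter's answer to the ou=tags tree from the question: authenticated users get add (=a) but never delete (=z) on the pseudo-attributes that govern entry creation and removal, while membership stays self-service. It assumes any authenticated user should be able to join a tag (hence `by users selfwrite`), and that the privilege form is not cumulative, so read/search/compare are spelled out as =rsc.

```conf
# 1. Creating a tag requires "add" on the parent's children pseudo-attribute.
#    No "z" is granted anywhere, so tags can be created but not deleted
#    (only the rootdn bypasses these rules).
access to dn.exact="ou=tags,dc=example,dc=com" attrs=children
    by users =a
    by * none

# 2. The entry pseudo-attribute of each tag: users may add a new tag entry
#    and read existing ones; anonymous clients may only read.
access to dn.children="ou=tags,dc=example,dc=com" attrs=entry
    by users =arsc
    by anonymous =rsc

# 3. Membership: every authenticated user may add or remove only their own
#    DN as a member value (assumption: joining is open to all users).
#    Note that groupOfNames requires at least one member, so schema checking
#    rejects a self-removal that would leave the tag empty; this config does
#    not automate empty-tag cleanup.
access to dn.children="ou=tags,dc=example,dc=com" attrs=member
    by users selfwrite
    by anonymous read

# 4. The remaining attributes of a tag: add access is needed so a user can
#    populate a new entry, but without "z" nobody can strip an existing
#    tag's objectClass or cn.
access to dn.children="ou=tags,dc=example,dc=com" attrs=objectClass,cn
    by users =arsc
    by anonymous read
```

Check the result with `slapacl` as the intended user before deploying, e.g. `slapacl -D <user dn> -b "cn=sometagname,ou=tags,dc=example,dc=com" "entry/delete"` should report denied while `"entry/add"` against a new tag DN is allowed.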