On Thu, 03 Mar 2011 13:30:09 +0000, Gervase Markham <[email protected]> wrote:
> Hi,
>
> Summary: is it possible to configure access control such that users
> can add, but not delete, entries?
>
> Details:
>
> My planned schema has a branch:
>
> ou=tags,dc=example,dc=com
>
> The entries below this are like this:
>
> objectClass=groupOfNames
> cn=sometagname
> member=<user dn 1>
> member=<user dn 2>
> member=<user dn 3>
> ...
>
> I have worked out how to make it so users can only add and remove
> themselves from a tag:
>
> access to dn.children="ou=tags,dc=example,dc=com" attrs=member,entry
>     # Allow people to add and remove themselves from any other tag
>     by dnattr=member selfwrite
>     # Allow anyone to read
>     by anonymous read
>
> So far so good, but I would like authenticated users to be able to
> add new entries (tags), and add themselves as members to them, but
> _not_ to be able to delete tags.
>
> Even better, the tag would be deletable, or even automatically
> removed, but only if the user removed their own name and there were
> no more members - i.e. it was empty. (I believe the member attribute
> is mandatory in groupOfNames, and I don't want it to be impossible
> for someone to remove their name because they are the only member!)
>
> This is difficult, because as far as I can see the "write" permission
> does not distinguish between adding and deleting.
>
> Can someone tell me if this is possible?

Yes, this is possible; see man slapd.access(5), in particular the section on privileges. As an example:

access to foo by foobar =ar

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N 10°08'02,42"E
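An added worked example of the privilege-letter approach Dieter points to, written by the editor and not taken from either poster: a slapd.conf ACL set for the ou=tags branch that lets authenticated users create tag entries and manage their own member value, while nobody but the rootdn can delete a tag. It assumes the tree and groupOfNames entries from the question, and that the privilege letters are those documented in slapd.access(5) for OpenLDAP 2.4 (a = add, z = delete, r/s/c/x = read/search/compare/auth; letters are not cumulative the way access levels are, which is why read, search, compare and auth are spelled out). It covers only the "add but not delete" part of the question, not the "delete once empty" variant.

```conf
# Added example (not from the original thread). Assumes the ou=tags branch
# and groupOfNames entries described in the question.

# Creating a child under ou=tags requires the "add" (a) privilege on the
# parent's "children" pseudo-attribute; deleting or moving a child away
# requires "delete" (z) on it, which is granted to nobody here.
# The rootdn bypasses ACLs, so an admin can still remove stale tags.
access to dn.exact="ou=tags,dc=example,dc=com" attrs=children
    by users =a
    by * none

# The tag entry itself and its structural attributes: authenticated users
# may add (a) and read/search/compare/auth (rscx) but never delete (z),
# so an existing entry and its cn/objectClass values cannot be removed.
# Anonymous binds keep plain read access, as in the question.
access to dn.children="ou=tags,dc=example,dc=com" attrs=entry,objectClass,cn
    by users =arscx
    by * read

# member: "selfwrite" grants write only for the value equal to the
# requester's own DN (slapd.access(5)), so a user can add or remove
# themselves but not anybody else. Using "users" rather than
# "dnattr=member" lets a non-member add themselves to an existing tag.
access to dn.children="ou=tags,dc=example,dc=com" attrs=member
    by users selfwrite
    by * read
```

Order matters: slapd applies the first `access to` directive whose target matches and, within it, the first `by` clause whose subject matches, so the `children` directive on the parent must come before any broader rule for the subtree. A quick check after loading the config is to bind as an ordinary user and attempt an `ldapadd` of a new tag (expected to succeed), an `ldapmodify` removing your own member value (expected to succeed) and an `ldapdelete` of the tag (expected to fail with insufficientAccessRights); compare the exact letters against the slapd.access(5) shipped with the installed version before relying on them.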
