Discussion:
ACL to deny deletes but allow entry creation.
Aravind Gottipati
2010-04-24 23:40:36 UTC
Hi,

I am working on an application where we want to grant an admin account
the privileges to create new entries, but prevent any further changes
(or deletes) to the entry by the admin account. I have looked through
the docs and the faqs for this, and I am pretty sure that this is not
possible. The simile folks relate this with is the ability to grant
insert privileges to an account in mysql, but restrict selects,
updates, etc. Before I tell the developers that this is not possible,
I wanted to check with you folks first. Have any of you encountered
similar situations? How do others deal with cases like this?

Thanks in advance,

Aravind.
m***@aero.polimi.it
2010-04-25 02:00:15 UTC
Post by Aravind Gottipati
Hi,
I am working on an application where we want to grant an admin account
the privileges to create new entries, but prevent any further changes
(or deletes) to the entry by the admin account. I have looked through
the docs and the faqs for this, and I am pretty sure that this is not
possible. The simile folks relate this with is the ability to grant
insert privileges to an account in mysql, but restrict selects,
updates, etc. Before I tell the developers that this is not possible,
I wanted to check with you folks first. Have any of you encountered
similar situations? How do others deal with cases like this?
man slapd.access(5), see in detail the "a" (add) and "z" privileges. To
determine what you need to apply the privileges, please carefully read the
section "OPERATION REQUIREMENTS".

p.
Aravind Gottipati
2010-04-25 02:23:38 UTC
man slapd.access(5), see in detail the "a" (add) and "z" privileges.  To
determine what you need to apply the privileges, please carefully read the
section "OPERATION REQUIREMENTS".
Oh cool, thank you for the pointer! I have been going off
http://www.openldap.org/doc/admin24/access-control.html#The%20access%20to%20grant
and that only specified write. I should remember to cross check stuff
with the man pages more often.

Thanks again.

Aravind.

Howard Chu
2010-04-25 02:27:04 UTC
Post by Aravind Gottipati
Hi,
I am working on an application where we want to grant an admin account
the privileges to create new entries, but prevent any further changes
(or deletes) to the entry by the admin account. I have looked through
the docs and the faqs for this, and I am pretty sure that this is not
possible. The simile folks relate this with is the ability to grant
insert privileges to an account in mysql, but restrict selects,
updates, etc. Before I tell the developers that this is not possible,
I wanted to check with you folks first. Have any of you encountered
similar situations? How do others deal with cases like this?
It is of course possible. Read the slapd.access(5) manpage. Note that wadd and
wdel are separate privileges.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
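As an added illustration of the split "add"/"delete" privileges both replies point to (not a configuration from the thread or from the OpenLDAP project), here is a slapd.conf-style ACL fragment that lets one account create entries under a container but never modify or delete them. The DIT, the DNs and the account name are constructed assumptions; the rest of the ACL set (rootdn, other users) is assumed to exist elsewhere.

```conf
# Constructed example. Assumed DIT: people live directly under
# ou=people,dc=example,dc=com; the provisioning account is
# cn=provisioner,dc=example,dc=com.

# An add operation needs "add" (=a) on the pseudo-attribute "children"
# of the parent. A delete or modrdn needs "delete" (=z) on the same
# pseudo-attribute, which this account is not granted.
access to dn.exact="ou=people,dc=example,dc=com" attrs=children
    by dn.exact="cn=provisioner,dc=example,dc=com" add
    by * none

# An add also needs "add" on the pseudo-attribute "entry" of the entry
# being created; "delete" on "entry" is what a delete would need, so
# existing entries cannot be removed by this account.
access to dn.one="ou=people,dc=example,dc=com" attrs=entry
    by dn.exact="cn=provisioner,dc=example,dc=com" add
    by * read

# Real attributes of existing entries: a modify needs "add" (to add
# values) or "delete" (to remove values) on the attribute. Granting only
# "read" here denies every modify while still allowing the entry to be
# returned by searches.
access to dn.one="ou=people,dc=example,dc=com"
    by dn.exact="cn=provisioner,dc=example,dc=com" read
    by * read
```

This relies on slapd's default of not checking per-attribute ACLs on the content of an added entry (the add_content_acl global option is off by default); if that option is turned on, the account would also need "add" on the attributes of new entries, and that same grant would then allow it to add values to existing entries.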