https://bugs.openldap.org/show_bug.cgi?id=9671
--- Comment #3 from Ondřej Kuzník ondra@mistotebe.net ---
On Tue, Sep 07, 2021 at 08:30:27PM +0000, openldap-its@openldap.org wrote:
> So what's the correct process. Using Relax Rules control. Seriously?
>
> Especially this sucks given that access control for using controls does not really exist. In Æ-DIR I definitely don't want to grant manage privileges to admins doing normal data maintenance.
Hi Michael,
then we should revisit the Behera draft and check where it makes sense for an attribute to be marked NO-USER-MODIFICATION. I've already had to make changes to the local version where things were omitted: https://git.openldap.org/openldap/openldap/-/commit/2b007d01dbd924cf11f88c2f...
If we can agree and produce a newer draft, we can consider making changes in the ppolicy overlay. To the best of my knowledge, it is not possible to mutate schema based on configuration, so making this an admin choice is not something we can do.
Sounds like adding manage permissions on the attribute (and maybe the "entry" attribute) could be a targeted way of allowing this operation?
Regards,