Pierangelo Masarati wrote:
Why do you let users create their own objects?
Letting authorized users create objects is a legitimate policy. Restricting the form of an RDN by means of ACLs is the only way an administrator can enforce well-behaved entry creation by those users.
For example, if you want entries whose parent is "ou=People" to be allowed to use only "uid" as the naming attribute, you can add rules like [*]
    access to dn="ou=People" attrs=children by users =w
    access to dn.regex="^uid=[^,]+,ou=People$" attrs=entry by users =w
p.
[*] this set of rules is far from complete, so please don't just use it as is and complain because nothing works.
Nice example. I never thought of doing it this way. One for the docs I think.
Gavin.
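As an added illustration (not part of the thread, and not slapd's own evaluation code), the following Python model walks the two access rules quoted above through slapd's add-operation check: write on the parent's "children" pseudo-attribute plus write on the new entry's "entry" pseudo-attribute. It assumes a simplified, case-sensitive DN syntax without escaped commas and treats "by users" as "any authenticated bind".

```python
import re

# Constructed model of the two ACL clauses from the message (not slapd's parser):
# first matching rule decides; no match means default deny.
RULES = [
    {"dn": "ou=People", "attrs": "children", "by": "users", "access": "w"},
    {"dn_regex": r"^uid=[^,]+,ou=People$", "attrs": "entry", "by": "users", "access": "w"},
]


def parent_dn(dn):
    """Return the parent DN (assumes no escaped commas inside RDN values)."""
    parts = dn.split(",", 1)
    return parts[1] if len(parts) == 2 else ""


def rule_matches(rule, target_dn, attr):
    """Does this rule's target clause (dn= exact or dn.regex=) cover target_dn/attr?"""
    if rule["attrs"] != attr:
        return False
    if "dn" in rule:
        return target_dn == rule["dn"]          # dn="..." is an exact match
    return re.match(rule["dn_regex"], target_dn) is not None


def granted(target_dn, attr, authenticated):
    """Evaluate the rule set for one (dn, attr) pair; 'by users' needs an authenticated bind."""
    for rule in RULES:
        if rule_matches(rule, target_dn, attr):
            return authenticated and rule["access"] == "w"
    return False


def may_add(new_dn, authenticated=True):
    """slapd grants an add only if both the parent 'children' and new 'entry' checks pass."""
    return (granted(parent_dn(new_dn), "children", authenticated)
            and granted(new_dn, "entry", authenticated))


if __name__ == "__main__":
    for dn in ("uid=alice,ou=People", "cn=alice,ou=People", "uid=alice,ou=Other"):
        print(dn, "->", "allowed" if may_add(dn) else "denied")
```

Only "uid=...,ou=People" passes both checks; a "cn=" RDN under ou=People fails the entry rule, and a uid entry elsewhere fails the children rule, which is exactly the naming policy the rules enforce.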