Hello again,
Since the LDAP attribute spec (RFC4512) doesn't appear to support enumerated types (probably for a good reason) I wanted to see whether this could be imitated using OpenLDAP's access control mechanisms.
I have a custom attribute "transactionCenterAccountStatus" which should only have values "active", "suspended" or "closed".
So I opened slapd.conf and defined the line
access to attrs=transactionCenterAccountStatus val.regex="active|suspended|closed"
by set="user/transactionCenterRole & [admin]" write by * read
The "slaptest" command didn't complain, so then I restarted slapd. But when I login as the designated user and try to set the attribute to one of the three values I keep getting error 50 - "Insufficient access rights". Clearly, I must be missing something, but I can't see what? :)
Vlad
Vladimir Dzhuvinov wrote:
I did some further testing and here is a more exact description of my observations:
1. If I try to add a new "transactionCenterAccountAttribute" with matching value (e.g. "active", "suspended" or "closed") it gets successfully created;
2. If I try to add a new attribute with a non-matching value (e.g. "bad value") I get error 50;
3. If I try to set an existing matching attribute value to another matching value I get error 50;
4. If I try to set an existing non-matching attribute value to another matching value I also get error 50;
5. If I try to set an existing non-matching attribute value to another non-matching value I get error 50.
Basically, (1),(2) and (5) work as expected (to me), and (3) and (4) are the cases that bother me.
I use slapd 2.4.9 (Debian/sid).
Vladimir
openldap-software@openldap.org