Thank you for this information, Dieter and Michael!
With "add_content_acl on" this works. I now use the following rule:
    access to dn.regex="^uid=([^,]+),cn=settings,dc=base$" filter="objectClass=foobar" attrs=objectClass value=foobar
        by dn.regex="^uid=$1,.*dc=base$$" write
        by * none
    access to dn.regex="^uid=([^,]+),cn=settings,dc=base$" filter="objectClass=foobar" attrs=objectClass
        by dn.regex="^uid=$1,.*dc=base$$" none
        by * +0 break
    access to dn.regex="^uid=([^,]+),cn=settings,dc=base$" filter="objectClass=foobar" attrs=entry,@foobar
        by dn.regex="^uid=$1,.*dc=base$$" write
        by * none
Using the example below from Dieter would also allow adding other object classes that don't conflict with the MUST attributes of 'foobar'.
Best regards Florian
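A constructed Python model of what the three rules above are meant to permit (added here as an illustration; it is neither OpenLDAP's ACL evaluator nor code from the thread). The DN regexes are the ones from the rules; the attribute list of the hypothetical 'foobar' object class is an assumption, since '@foobar' expands to whatever the real schema defines.

```python
import re

# Scope of all three rules: entries directly under cn=settings,dc=base.
TARGET_DN = re.compile(r"^uid=([^,]+),cn=settings,dc=base$")

# Assumed attribute set of the hypothetical 'foobar' object class.
FOOBAR_ATTRS = {"uid", "cn", "description"}


def add_allowed(bind_dn, target_dn, entry):
    """Return (allowed, reason) for an LDAP add of `entry`
    (attribute -> list of values) at `target_dn` by `bind_dn`."""
    m = TARGET_DN.match(target_dn)
    if not m:
        return False, "target DN outside the ACL scope: no rule grants write"
    uid = m.group(1)

    classes = entry.get("objectClass", [])
    # add_content_acl on: filter="objectClass=foobar" is evaluated against
    # the content being added, since the entry does not exist yet.
    if "foobar" not in classes:
        return False, "filter objectClass=foobar does not match the new entry"

    # by dn.regex="^uid=$1,.*dc=base$$": $1 is the uid captured from the
    # target DN and $$ is a literal end-of-string anchor.
    owner = re.compile(r"^uid=%s,.*dc=base$" % re.escape(uid))
    if not owner.match(bind_dn):
        return False, "binder is not the owner: 'by * none' applies"

    # Rule 1 grants write on objectClass only for the value 'foobar';
    # rule 2 gives the owner 'none' on every other objectClass value.
    extra = [c for c in classes if c != "foobar"]
    if extra:
        return False, "objectClass value(s) not permitted: %s" % ", ".join(extra)

    # Rule 3: the entry pseudo-attribute and the attributes of 'foobar'
    # are writable; anything else falls through to the default deny.
    unknown = sorted((set(entry) - {"objectClass"}) - FOOBAR_ATTRS)
    if unknown:
        return False, "attributes outside @foobar: %s" % ", ".join(unknown)
    return True, "add permitted"
```

The model only mirrors the intent of the rule set; check the real behaviour against slapd with a test directory and `slapacl` or `ldapadd`.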
Am 30.06.2016 um 22:14 schrieb Dieter Klünter:
Am Wed, 29 Jun 2016 14:49:12 +0200 schrieb Florian Best best@univention.de:
Hello,
studying the slapd.access man page left me with an open question regarding the control of object creation:
- How to allow the creation of objects with a specific objectclass only?
For example, I want to prevent that an object with an object class other than 'foobar' is created.
Assuming the following LDIF should be valid for an "add" operation:
    dn: uid=anton1,cn=settings,dc=ldap,dc=base
    objectClass: foobar
    uid: anton1
man slapd.conf(5) search for
- ditcontentrule
- add_content_acl
and following access rules:
access to dn.sub=cn=foo,o=bar attrs=entry,@foobar by *
-Dieter