Hello Michael,

Am 30.06.2016 um 11:29 schrieb Michael Ströder:

* ACL rules can't be bound to the ldap operation (search, auth, add,
> modify, delete, ...), you can only remove e.g. some of the permission
> bits (e.g. access to if-operation="search" ...)

Setting the privileges is IMO sufficient.

I see this differently. One example where this is useful would be the following:
I would like to e.g. add a rule at the very top of all ACL definitions:

"access to attrs=uidNumber value=0 by * none stop"

But this prevents that any other rule afterwards can make it *readable*.

Having something like:

"access to attrs=uidNumber value=0 if-operation="write,manage" by * none stop"

would solve this problem.

Best regards
Florian

-- 
Florian Best
Open Source Software Engineer
 
Univention GmbH
be open
Mary-Somerville-Str.1
28359 Bremen
Tel.: +49 421 22232-0
Fax : +49 421 22232-99

best@univention.de
http://www.univention.de

Geschäftsführer: Peter H. Ganten
HRB 20755 Amtsgericht Bremen
Steuer-Nr.: 71-597-02876