Hallvard B Furuseth wrote:
Don't know, but try access controls to prevent user modifications, then bypass that for the mods done by the overlay with <Modifications>.sml_flags |= SLAP_MOD_INTERNAL;
Maybe something like

    objectclass ( <oid> NAME 'jakusAddedAttrs' AUXILIARY
        MAY ( managed_attr1 $ managed_attr2 $ ... ) )
    ...
    access to filter=(objectclass=jakusAddedAttrs) attrs=@jakusAddedAttrs
        by * read

The alternative would be to intercept update operations and return (prohibited mod ? LDAP_UNWILLING_TO_PERFORM : SLAP_CB_CONTINUE).
Thanks for the idea, Hallvard! We were not able to make it work that way, but we found a temporary workaround. It would however be nice, maybe as a future solution in OpenLDAP, to have a bit returned with each attribute to set a read-only control.

Best regards,
Johan Jakus
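
The interception alternative from the quoted reply, as an added example that is not from either poster or from OpenLDAP: a self-contained C model of the per-modification check. The `mod_model` struct, the `managed_attrs` list and the choice to let modifications flagged `SLAP_MOD_INTERNAL` through are assumptions, and the three constants are local stand-ins for the definitions in slapd's headers.

```c
#include <stddef.h>
#include <strings.h>

/* Local stand-ins so this compiles without slap.h; a real overlay uses the header values. */
#define LDAP_UNWILLING_TO_PERFORM 0x35
#define SLAP_CB_CONTINUE          0x8000
#define SLAP_MOD_INTERNAL         0x01

/* Simplified model of a modification list entry (assumption: only the fields
 * this check needs, with the attribute name held as a plain string). */
typedef struct mod_model {
    const char             *attr_name;
    unsigned                sml_flags;
    const struct mod_model *sml_next;
} mod_model;

/* Hypothetical managed attributes, named as in the schema sketch above. */
static const char *managed_attrs[] = { "managed_attr1", "managed_attr2", NULL };

static int is_managed(const char *name)
{
    for (size_t i = 0; managed_attrs[i] != NULL; i++)
        if (strcasecmp(name, managed_attrs[i]) == 0) /* attribute names are case-insensitive */
            return 1;
    return 0;
}

/* Refuse the whole update if any client-supplied modification touches a managed
 * attribute; modifications the overlay itself flagged as internal are allowed. */
int check_update(const mod_model *mods)
{
    for (const mod_model *m = mods; m != NULL; m = m->sml_next)
        if (is_managed(m->attr_name) && !(m->sml_flags & SLAP_MOD_INTERNAL))
            return LDAP_UNWILLING_TO_PERFORM;
    return SLAP_CB_CONTINUE;
}

/* Constructed sample updates. */
static const mod_model internal_mod = { "managed_attr1", SLAP_MOD_INTERNAL, NULL };
static const mod_model client_other = { "description", 0, NULL };
static const mod_model client_tail  = { "Managed_Attr2", 0, NULL };
static const mod_model client_mixed = { "description", 0, &client_tail };

int main(void)
{
    return !(check_update(&internal_mod) == SLAP_CB_CONTINUE &&
             check_update(&client_other) == SLAP_CB_CONTINUE &&
             check_update(&client_mixed) == LDAP_UNWILLING_TO_PERFORM);
}
```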