Hallvard B Furuseth wrote:
Don't know, but try access controls to prevent user modifications,
then bypass that for the mods done by the overlay with
   <Modifications>.sml_flags |= SLAP_MOD_INTERNAL;

Maybe something like
   objectclass ( <oid> NAME 'jakusAddedAttrs' AUXILIARY
                 MAY ( managed_attr1 $ managed_attr2 $ ... ) )
   ...
   access to filter=(objectclass=jakusAddedAttrs) attrs=@jakusAddedAttrs
       by * read

The alternative would be to intercept update operations and return
(prohibited mod ? LDAP_UNWILLING_TO_PERFORM : SLAP_CB_CONTINUE).
 
Thanks for the idea Hallvard!
We were not able to make it work that way, but we found a temporary workaround.
It would however be nice, maybe as a future solution in OpenLDAP,
to have a bit returned with each attribute to set a read only control.
Best regards,


Johan Jakus
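
The interception alternative mentioned above, sketched as an added example that is not part of either message and is not OpenLDAP code. The `mod_sketch` struct, the `check_modify` and `is_managed` names and the locally defined constants are assumptions standing in for slapd's `Modifications` list and the definitions in `slap.h` and `ldap.h`; skipping entries flagged `SLAP_MOD_INTERNAL` is likewise an assumption about how the two suggestions would combine.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Local stand-ins; a real overlay takes these from ldap.h and slap.h. */
#define LDAP_UNWILLING_TO_PERFORM 53
#define SLAP_CB_CONTINUE          0x8000
#define SLAP_MOD_INTERNAL         0x01

/* Simplified, hypothetical stand-in for slapd's Modifications list. */
typedef struct mod_sketch {
    const char *attr;             /* attribute description, e.g. "cn;lang-en" */
    int sml_flags;
    struct mod_sketch *sml_next;
} mod_sketch;

/* Attributes only the overlay may write (names from the ACL sketch above). */
static const char *const managed_attrs[] = { "managed_attr1", "managed_attr2" };

/* Match the base attribute type case-insensitively, ignoring ";options". */
static int is_managed(const char *desc)
{
    size_t base = strcspn(desc, ";");
    for (size_t i = 0; i < sizeof managed_attrs / sizeof managed_attrs[0]; i++) {
        if (strlen(managed_attrs[i]) == base &&
            strncasecmp(desc, managed_attrs[i], base) == 0)
            return 1;
    }
    return 0;
}

/* Decide the result for one update: refuse it if any client-supplied
 * modification touches a managed attribute, otherwise let it continue. */
int check_modify(const mod_sketch *mods)
{
    for (const mod_sketch *m = mods; m != NULL; m = m->sml_next) {
        if (m->sml_flags & SLAP_MOD_INTERNAL)
            continue;             /* added by the overlay itself */
        if (is_managed(m->attr))
            return LDAP_UNWILLING_TO_PERFORM;
    }
    return SLAP_CB_CONTINUE;
}

int main(void)
{
    /* Constructed sample: a client tries to change a managed attribute. */
    mod_sketch second = { "managed_attr1", 0, NULL };
    mod_sketch first  = { "mail", 0, &second };
    return check_modify(&first) == LDAP_UNWILLING_TO_PERFORM ? 0 : 1;
}
```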