Hi all,

I'm not very experienced with LDAP. I've been looking into the access control documentation, but I'm unsure what the proper way to handle this is.

So let me explain what I want to accomplish: a user entry (posixAccount, password, givenName, ...) can update its own password by using the "self" keyword. All good there. But a user has some assets he owns. For example a host (in a common tree).

I want the user to be able to update one attribute of this host.
The "self" keyword doesn't work here, as the user doesn't bind as that entry.
So I added an owner attribute to the host, and with that attribute I reference the user.

Now I need some kind of "glue" to verify that the user is allowed to write to the attribute.

Do I need a filter? Wouldn't this just filter out a specific attribute? Or does it only filter entries based on the filter match?

In the latter case (which seems like a logical way for OpenLDAP to handle this) I would need:
- attrs: to select which attribute the user's access applies to
- filter: to only apply to the user's own host
- by: some variable definition for this clause to only apply to the bound user

I've read about dnattr, but I'm unsure whether this accomplishes what I want.

Could anyone share an example?

Thanks
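An added example of the dnattr approach described in the question; this is not part of the original post, and nothing in it was posted by the asker. It is a slapd.conf access fragment (the olcAccess form in cn=config is the same text after the `{n}` ordering prefix). The suffix dc=example,dc=com, the ou=People and ou=Hosts containers, the use of the standard device objectClass (whose MAY list already includes the DN-syntax owner attribute) and ipHostNumber as the delegated attribute are all assumptions made for the example.

```conf
# Assumed layout (example only, not from the original post):
#   uid=alice,ou=People,dc=example,dc=com   -> the posixAccount that binds
#   cn=host1,ou=Hosts,dc=example,dc=com     -> objectClass: device, ipHost
#                                              owner: uid=alice,ou=People,dc=example,dc=com
#
# slapd evaluates "access to" clauses in order and the first clause whose
# <what> matches the entry/attribute wins, so the specific host rule must
# come before any catch-all "access to *".

# Users may change their own password; anonymous may only use it to bind.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Delegate exactly one attribute of a host to whoever is listed in its
# owner attribute. "dnattr=owner" grants the listed access level to a bind
# DN that appears as a value of the owner attribute of the entry being
# accessed. The attribute must have DN syntax and the value must be the
# full DN of the user, not just a uid or cn.
# The filter is optional here because dn.children already scopes the rule
# to the hosts subtree; it is kept to show how a filter narrows the clause
# to entries matching it, not to a particular attribute.
access to dn.children="ou=Hosts,dc=example,dc=com"
        filter=(objectClass=device)
        attrs=ipHostNumber
    by dnattr=owner write
    by users read
    by * none

# Every other attribute of a host (including owner itself) stays read-only
# for authenticated users, so an owner cannot hand the host to someone else.
# Deleting or renaming the host would need write on the "entry"
# pseudo-attribute, which neither rule grants.
access to dn.children="ou=Hosts,dc=example,dc=com"
    by users read
    by * none

access to *
    by users read
    by * none

# Check the rule offline with slapacl (run as the user slapd runs as, and
# use -F <confdir> instead of -f when the config lives in cn=config):
#   slapacl -f /etc/openldap/slapd.conf \
#       -D "uid=alice,ou=People,dc=example,dc=com" \
#       -b "cn=host1,ou=Hosts,dc=example,dc=com" ipHostNumber/write
# It reports ALLOWED for the owner and DENIED for any other bind DN; try a
# second user's DN and owner/write as well to confirm the negative cases.
```

The three pieces map onto the question as follows: attrs= picks the one attribute, filter= (together with dn.children) picks which entries the clause covers, and dnattr= in the by clause is the "glue" that ties the bind DN to the entry's owner value. Because a modify only needs write on the attribute being changed, no extra grant on the entry pseudo-attribute is required for this use case.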