is it possible to restrict the creation of an entry to a specific objectClass? If so, any hint or assistance would be very welcome.
Thank you very much!
Background information follows here:
The attrs "@person" within the following acl statement seems to have no effect (during creation). It seems to me attrs=entry already is granting access to "all values" (of all kinds of attributes?):
@<objectClass name> is a shortcut for "all attributes required/allowed by objectClass 'name'". In order to restrict access to specific values of the objectClass attribute you need to use the form
access to attrs=objectClass val=person
...
p.
Many thanks for your answer.
hmmm, so my usage of @<objectClass name> sounds correct to me. Please have a look into my original example: I wanted to restrict a newly created entry to be of class "person" only. Thus I restricted the attrs using @person, in the hope that account-specific attributes (uid, serialNumber) are denied.
Nevertheless, the logs show that an account entry is created.
The sample acl statement works as intended in case of a modify-operation (ldapmodify'ing a single attribute of an existing entry). During creation the attrs=entry seems to overwrite the oc-specific restriction, or slapd cannot differentiate between different objectClasses and/or attributes during entry creation (ldapadd)?
If I'm wrong, could you please give me a short example acl set that denies the creation of account entries but grants creation of person entries?
Thanks again!
You need to use
add_content_acl on
See slapd.access(5) for "add" operation requirements and slapd.conf(5) (or slapd.config(5)) for details on "add_content_acl".
p.
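Putting the two replies together, here is an added example of a complete slapd.conf fragment that refuses "account" entries while letting a designated user create "person" entries. It is not from either poster; the suffix ou=people,dc=example,dc=com and the bind DN cn=creator,dc=example,dc=com are assumed names.

```conf
# Added example (not from either poster): slapd.conf ACL fragment.
# Assumed names: entries are created under ou=people,dc=example,dc=com
# by a user bound as cn=creator,dc=example,dc=com.

# Without this, slapd only checks the "entry"/"children" pseudo-attributes
# for an add and never looks at the attributes being added.
add_content_acl on

# First match wins. Refuse the objectClass value "account" to everyone;
# an ldapadd carrying "objectClass: account" now fails the content check.
access to attrs=objectClass val=account
        by * none

# Grant the objectClass value "person" to the creator.
access to attrs=objectClass val=person
        by dn.exact="cn=creator,dc=example,dc=com" write
        by * read

# Remaining objectClass values (e.g. top) and the attributes that
# person requires/allows (cn, sn, userPassword, ...).
access to attrs=objectClass,@person
        by dn.exact="cn=creator,dc=example,dc=com" write
        by * read

# The pseudo-attributes an add operation itself needs: "children" on the
# parent entry and "entry" on the entry being created.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=entry,children
        by dn.exact="cn=creator,dc=example,dc=com" write
        by * read

# Anything not matched above (uid, serialNumber, ...) falls through to
# slapd's implicit "access to * by * none", so adding it is refused too.
```

Two things to check when adapting this: the val= form accepts only a single attribute name per directive, so the value-specific clauses stay separate from the attrs=objectClass,@person clause; and because slapd stops at the first matching "access to" directive, the "account" denial must come before any broader grant on objectClass, otherwise the broader grant wins. Test with an ldapadd of an entry carrying both person and account and confirm the add is rejected, then with a plain person entry and confirm it succeeds.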
openldap-technical@openldap.org