Hi
Two ACL questions:
1) Is it possible to allow entry creation on a branch while preventing renaming? I understand I need to give write access to
- attrs=children on parent
- attrs=entry on created entry
- attrs=<the mandatory attributes for object>
The last item includes the attributes used for the RHS part of the DN. That suggests renaming will always be possible.
2) Is it possible to make some entry values mandatory for an entry creation? e.g.: I want to enforce specific values of objectClass
On Thu, May 02, 2013 at 07:21:25AM +0000, Emmanuel Dreyfus wrote:
> - Is it possible to allow entry creation on a branch while preventing
> renaming? I understand I need to give write access to
> - attrs=children on parent
> - attrs=entry on created entry
> - attrs=<the mandatory attributes for object>
You could do this by preventing deletion of the entries. This could be done at several levels:
1) Block deletion of children at the parent entry
2) Block deletion of the entry itself
3) Block deletion of attribute values used in the RDN
You will need to use the 'privilege' permission model rather than the 'level' model. See 'THE <ACCESS> FIELD' and 'OPERATION REQUIREMENTS' in the slapd.access manpage.
If you want to allow people to delete entries as well as add them, then you cannot prevent renaming...
> - Is it possible to make some entry values mandatory for an entry creation?
> e.g.: I want to enforce specific values of objectClass
You could put a filter on the ACL entry that grants create permission so that it only triggers where the proposed entry has the right object class:
    # We only want inetOrgPerson objects here
    access to dn.onelevel="dc=people,dc=example,dc=org" filter="(objectClass=inetOrgPerson)"
        by dn.exact="uid=admin,dc=people,dc=example,dc=org" write
        by * break
You will probably want to enable add_content_acl for the database.
Further control can be exercised with DIT content rules. For example, this would prevent auxiliary classes being added to inetOrgPerson entries:
ditcontentrule ( 2.16.840.1.113730.3.2.2 NAME 'dcrPerson' DESC 'Limit aux classes allowed on inetOrgPerson entries' )
This would permit a locally-defined aux class and also require the mail attribute:
ditcontentrule ( 2.16.840.1.113730.3.2.2 NAME 'dcrPerson' DESC 'Control inetOrgPerson entries' AUX examplePerson MUST mail )
Note that ditcontentrule is part of schema rather than access control, so even the rootDN cannot normally bypass it.
More examples here:
http://www.skills-1st.co.uk/papers/ldap-acls-jan-2009/
Andrew
openldap-technical@openldap.org
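The three "block deletion" levels from Andrew's reply, written out as slapd.conf access directives in the privilege model. This is an added example, not code from the thread; the admin DN, the suffix and the inetOrgPerson filter are assumed.

```conf
# Added example (not from the original thread). Privilege model: =a grants add,
# =z grants delete, w is shorthand for a+z. Assumed setup: uid=admin may create
# inetOrgPerson entries under dc=people,dc=example,dc=org and maintain their
# attributes, but must not be able to delete or rename them.

# Evaluate ACL filters against the content of entries being added.
add_content_acl on

# 1) Parent: admin may add children but never delete them. Both delete and
#    modrdn need delete on the old parent's children pseudo-attribute, so this
#    rule alone already blocks rename.
access to dn.exact="dc=people,dc=example,dc=org" attrs=children
    by dn.exact="uid=admin,dc=people,dc=example,dc=org" =a
    by * break

# 2) The entry itself: readable and creatable, but no delete on the entry
#    pseudo-attribute, so neither delete nor modrdn is satisfied.
access to dn.onelevel="dc=people,dc=example,dc=org" filter="(objectClass=inetOrgPerson)" attrs=entry
    by dn.exact="uid=admin,dc=people,dc=example,dc=org" =rsca
    by * break

# 3) RDN attribute: values may be added at creation time but never removed,
#    so the existing uid cannot be replaced by a modify or by deleteoldrdn.
access to dn.onelevel="dc=people,dc=example,dc=org" filter="(objectClass=inetOrgPerson)" attrs=uid
    by dn.exact="uid=admin,dc=people,dc=example,dc=org" =rsca
    by * break

# All other attributes of these entries may be fully maintained (w = a+z).
access to dn.onelevel="dc=people,dc=example,dc=org" filter="(objectClass=inetOrgPerson)"
    by dn.exact="uid=admin,dc=people,dc=example,dc=org" =rscw
    by * break
```

Order matters: the more specific children/entry/uid rules must precede the general attribute rule, and the `by * break` clauses let other identities fall through to later ACLs.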