Hi,
is it possible to restrict the creation of an entry to a specific
objectClass? If so, any hint or assistance would be very welcome.
Thank you very much!
Background information follows here:
The attrs "@person" in the following ACL statement seems to have no
effect (during creation). It seems to me that attrs=entry is already granting
access to "all values" (of all kinds of attributes?):
@<objectClass name> is a shortcut for "all attributes required/allowed by
objectClass 'name'". In order to restrict access to specific values of
the objectClass attribute you need to use the form
access to attrs=objectClass val=person
...
p.
-----------------------
#slapd version: HEAD (also REL_ENG_2_4)
-----------------------
#acl:
access to dn.base="dc=example,dc=org" attrs=children
by users write
access to dn.one="dc=example,dc=org" attrs=entry,@person
by users write
by anonymous auth
-----------------------
#ldapmodify -x -H "ldap://localhost:333/" -D "uid=user,dc=example,dc=org" -w user -f /tmp/example_operation.ldif
-----------------------
#/tmp/example_operation.ldif:
#add a person entry:
dn: cn=hello,dc=example,dc=org
changetype: add
objectClass: person
objectClass: top
cn: hello
sn: hello
userPassword: hello
#add an account entry:
dn: cn=world,dc=example,dc=org
changetype: add
objectClass: device
objectClass: top
cn: world
serialNumber: 1
#both operation do succeed, see log below
-----------------------
#log (level 128):
5050a940 => access_allowed: result not in cache (userPassword)
5050a940 => access_allowed: auth access to "uid=user,dc=example,dc=org" "userPassword" requested
5050a940 => dn: [1] dc=example,dc=org
5050a940 => dn: [2] dc=example,dc=org
5050a940 => acl_get: [2] matched
5050a940 => acl_get: [2] attr userPassword
5050a940 => acl_mask: access to entry "uid=user,dc=example,dc=org", attr "userPassword" requested
5050a940 => acl_mask: to value by "", (=0)
5050a940 <= check a_dn_pat: users
5050a940 <= check a_dn_pat: anonymous
5050a940 <= acl_mask: [2] applying auth(=xd) (stop)
5050a940 <= acl_mask: [2] mask: auth(=xd)
5050a940 => slap_access_allowed: auth access granted by auth(=xd)
5050a940 => access_allowed: auth access granted by auth(=xd)
5050a940 => access_allowed: add access to "dc=example,dc=org" "children" requested
5050a940 => dn: [1] dc=example,dc=org
5050a940 => acl_get: [1] matched
5050a940 => acl_get: [1] attr children
5050a940 => acl_mask: access to entry "dc=example,dc=org", attr "children" requested
5050a940 => acl_mask: to all values by "uid=user,dc=example,dc=org", (=0)
5050a940 <= check a_dn_pat: users
5050a940 <= acl_mask: [1] applying write(=wrscxd) (stop)
5050a940 <= acl_mask: [1] mask: write(=wrscxd)
5050a940 => slap_access_allowed: add access granted by write(=wrscxd)
5050a940 => access_allowed: add access granted by write(=wrscxd)
5050a940 => access_allowed: add access to "cn=hello,dc=example,dc=org" "entry" requested
5050a940 => dn: [1] dc=example,dc=org
5050a940 => dn: [2] dc=example,dc=org
5050a940 => acl_get: [2] matched
5050a940 => acl_get: [2] attr entry
5050a940 => acl_mask: access to entry "cn=hello,dc=example,dc=org", attr "entry" requested
5050a940 => acl_mask: to all values by "uid=user,dc=example,dc=org", (=0)
5050a940 <= check a_dn_pat: users
5050a940 <= acl_mask: [1] applying write(=wrscxd) (stop)
5050a940 <= acl_mask: [1] mask: write(=wrscxd)
5050a940 => slap_access_allowed: add access granted by write(=wrscxd)
5050a940 => access_allowed: add access granted by write(=wrscxd)
5050a940 => access_allowed: add access to "dc=example,dc=org" "children" requested
5050a940 => dn: [1] dc=example,dc=org
5050a940 => acl_get: [1] matched
5050a940 => acl_get: [1] attr children
5050a940 => acl_mask: access to entry "dc=example,dc=org", attr "children" requested
5050a940 => acl_mask: to all values by "uid=user,dc=example,dc=org", (=0)
5050a940 <= check a_dn_pat: users
5050a940 <= acl_mask: [1] applying write(=wrscxd) (stop)
5050a940 <= acl_mask: [1] mask: write(=wrscxd)
5050a940 => slap_access_allowed: add access granted by write(=wrscxd)
5050a940 => access_allowed: add access granted by write(=wrscxd)
5050a940 => access_allowed: add access to "cn=world,dc=example,dc=org" "entry" requested
5050a940 => dn: [1] dc=example,dc=org
5050a940 => dn: [2] dc=example,dc=org
5050a940 => acl_get: [2] matched
5050a940 => acl_get: [2] attr entry
5050a940 => acl_mask: access to entry "cn=world,dc=example,dc=org", attr "entry" requested
5050a940 => acl_mask: to all values by "uid=user,dc=example,dc=org", (=0)
5050a940 <= check a_dn_pat: users
5050a940 <= acl_mask: [1] applying write(=wrscxd) (stop)
5050a940 <= acl_mask: [1] mask: write(=wrscxd)
5050a940 => slap_access_allowed: add access granted by write(=wrscxd)
5050a940 => access_allowed: add access granted by write(=wrscxd)
--
Pierangelo Masarati
Associate Professor
Dipartimento di Ingegneria Aerospaziale
Politecnico di Milano
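Added example (not part of this thread and not OpenLDAP's own documentation): one way to arrange the slapd.conf ACLs along the lines suggested above, so that users under dc=example,dc=org may add entries that carry only the objectClass values person and top, while an add carrying objectClass: device is refused. The suffix, the dn.base/dn.one scopes and the "by users write" / "by anonymous auth" subjects are taken from the posted configuration; the clause ordering and the extra objectClass clauses are assumptions of this example. Two points drive the layout: slapd applies the first "access to" clause whose target (dn plus attrs/val) matches, so the value-specific objectClass clauses must come before the broader entry,@person clause; and the explicit attrs=objectClass clause catches every other objectClass value whether or not the @person shortcut would otherwise expand to cover objectClass.

```conf
# Adding an entry requires write access to the parent's "children"
# pseudo-attribute, to the new entry's "entry" pseudo-attribute, and to
# the attribute values the new entry carries. Restricting the values of
# objectClass that may be written therefore restricts what can be created.
access to dn.base="dc=example,dc=org" attrs=children
        by users write

# Only these two objectClass values may be written below dc=example,dc=org.
# First matching "access to" clause wins, so these precede the @person clause.
access to dn.one="dc=example,dc=org" attrs=objectClass val=person
        by users write
access to dn.one="dc=example,dc=org" attrs=objectClass val=top
        by users write

# Any other objectClass value (for example "device") falls through to this
# clause. Read keeps the attribute visible in searches, but write, and hence
# add, of such a value is refused; "by * none" is the implicit final subject.
access to dn.one="dc=example,dc=org" attrs=objectClass
        by users read

# The remaining attributes of a person entry plus the entry pseudo-attribute.
# objectClass no longer reaches this clause, because the clauses above match first.
access to dn.one="dc=example,dc=org" attrs=entry,@person
        by users write
        by anonymous auth
```

Before relying on it, check the decision offline with slapacl(8), which evaluates the configured ACLs for a given identity without an LDAP session; -u builds a bare entry from the DN so the target need not exist yet (assumed invocation, adjust paths to your setup): slapacl -f /etc/openldap/slapd.conf -u -D "uid=user,dc=example,dc=org" -b "cn=world,dc=example,dc=org" "objectClass/write:device" should report write denied, while the same check with "objectClass/write:person" should report write allowed. Note that the val= clauses are consulted only when slapd checks a specific value; attribute-level checks without a value skip them and land on the plain attrs=objectClass clause, which is why that clause grants read rather than none.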