ACL entry creation restricted to objectClass

Wednesday, 12 September 2012

Hi,

is it possible to restrict the creation of an entry to a specific objectClass? If so, any
hint or assistance would be very welcome.

Thank you very much!

Background information follows here:

The attrs "@person" within the following acl statement seems to have no effect
(during creation). It seems to me attrs=entry already is granting access to "all
values" (of all kind of attributes?):

-----------------------
#slapd version: HEAD (also REL_ENG_2_4)

-----------------------
#acl:
access to dn.base="dc=example,dc=org" attrs=children
  by users write

access to dn.one="dc=example,dc=org" attrs=entry,@person
  by users write
  by anonymous auth

-----------------------
#ldapmodify -x -H "ldap://localhost:333/" -D
"uid=user,dc=example,dc=org" -w user -f /tmp/example_operation.ldif

-----------------------
#/tmp/example_operation.ldif:

#add a person entry:
dn: cn=hello,dc=example,dc=org
changetype: add
objectClass: person
objectClass: top
cn: hello
sn: hello
userPassword: hello

#add an account entry:
dn: cn=world,dc=example,dc=org
changetype: add
objectClass: device
objectClass: top
cn:world
serialNumber: 1

#both operation do succeed, see log below

-----------------------
#log (level 128):
5050a940 => access_allowed: result not in cache (userPassword)
5050a940 => access_allowed: auth access to "uid=user,dc=example,dc=org"
"userPassword" requested
5050a940 => dn: [1] dc=example,dc=org
5050a940 => dn: [2] dc=example,dc=org
5050a940 => acl_get: [2] matched
5050a940 => acl_get: [2] attr userPassword
5050a940 => acl_mask: access to entry "uid=user,dc=example,dc=org", attr
"userPassword" requested
5050a940 => acl_mask: to value by "", (=0)
5050a940 <= check a_dn_pat: users
5050a940 <= check a_dn_pat: anonymous
5050a940 <= acl_mask: [2] applying auth(=xd) (stop)
5050a940 <= acl_mask: [2] mask: auth(=xd)
5050a940 => slap_access_allowed: auth access granted by auth(=xd)
5050a940 => access_allowed: auth access granted by auth(=xd)
5050a940 => access_allowed: add access to "dc=example,dc=org"
"children" requested
5050a940 => dn: [1] dc=example,dc=org
5050a940 => acl_get: [1] matched
5050a940 => acl_get: [1] attr children
5050a940 => acl_mask: access to entry "dc=example,dc=org", attr
"children" requested
5050a940 => acl_mask: to all values by "uid=user,dc=example,dc=org", (=0)
5050a940 <= check a_dn_pat: users
5050a940 <= acl_mask: [1] applying write(=wrscxd) (stop)
5050a940 <= acl_mask: [1] mask: write(=wrscxd)
5050a940 => slap_access_allowed: add access granted by write(=wrscxd)
5050a940 => access_allowed: add access granted by write(=wrscxd)
5050a940 => access_allowed: add access to "cn=hello,dc=example,dc=org"
"entry" requested
5050a940 => dn: [1] dc=example,dc=org
5050a940 => dn: [2] dc=example,dc=org
5050a940 => acl_get: [2] matched
5050a940 => acl_get: [2] attr entry
5050a940 => acl_mask: access to entry "cn=hello,dc=example,dc=org", attr
"entry" requested
5050a940 => acl_mask: to all values by "uid=user,dc=example,dc=org", (=0)
5050a940 <= check a_dn_pat: users
5050a940 <= acl_mask: [1] applying write(=wrscxd) (stop)
5050a940 <= acl_mask: [1] mask: write(=wrscxd)
5050a940 => slap_access_allowed: add access granted by write(=wrscxd)
5050a940 => access_allowed: add access granted by write(=wrscxd)
5050a940 => access_allowed: add access to "dc=example,dc=org"
"children" requested
5050a940 => dn: [1] dc=example,dc=org
5050a940 => acl_get: [1] matched
5050a940 => acl_get: [1] attr children
5050a940 => acl_mask: access to entry "dc=example,dc=org", attr
"children" requested
5050a940 => acl_mask: to all values by "uid=user,dc=example,dc=org", (=0)
5050a940 <= check a_dn_pat: users
5050a940 <= acl_mask: [1] applying write(=wrscxd) (stop)
5050a940 <= acl_mask: [1] mask: write(=wrscxd)
5050a940 => slap_access_allowed: add access granted by write(=wrscxd)
5050a940 => access_allowed: add access granted by write(=wrscxd)
5050a940 => access_allowed: add access to "cn=world,dc=example,dc=org"
"entry" requested
5050a940 => dn: [1] dc=example,dc=org
5050a940 => dn: [2] dc=example,dc=org
5050a940 => acl_get: [2] matched
5050a940 => acl_get: [2] attr entry
5050a940 => acl_mask: access to entry "cn=world,dc=example,dc=org", attr
"entry" requested
5050a940 => acl_mask: to all values by "uid=user,dc=example,dc=org", (=0)
5050a940 <= check a_dn_pat: users
5050a940 <= acl_mask: [1] applying write(=wrscxd) (stop)
5050a940 <= acl_mask: [1] mask: write(=wrscxd)
5050a940 => slap_access_allowed: add access granted by write(=wrscxd)
5050a940 => access_allowed: add access granted by write(=wrscxd)

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007