
Re: realizing 4 eye principle - how?



At 01:15 PM 1/23/01 +0100, Heiko Nardmann wrote:
>I want to realize a 4 eye principle, i.e., one administrator can create
>empty entries inside the LDAP tree but cannot set attributes;

All entries have some set of attributes.  In particular, they
must have an objectClass attribute as well as an attribute used
for naming (technically, I guess, you could use objectClass
for naming, but that would be odd).

>the other
>one can fill already existing
>entries with attribute values but cannot create new ones.
>
>Is this possible with OpenLDAP 2.0.7?

In OpenLDAP, if you have permission to add X, you have permission
to delete X.  That is, "modify" rights allow add, modify, and
delete operations to be performed.

>I have looked at the access control stuff but to me it seems to be
>impossible at the current state.
>
>--
>Heiko Nardmann (Dipl.-Ing.), h.nardmann@secunet.de, Software Development
>
>secunet Security Networks AG - Security in Networks
>(www.secunet.de),
>Weidenauer Str. 223-225, D-57076 Siegen
>Tel.: +49 271 48950-13, Fax: +49 271 48950-50