
ACL for only creating entry



I had to change the below ACL suggestion slightly, replacing your "exact"
with "base" (otherwise openldap wouldn't accept it), but no success. The
account webregister is not able to see any of the children entries in the
directory, as intended, but it is not able to create them at all. I get
"permission denied" errors.

# slapd's add check needs write on the new entry's "entry" pseudo-attribute
# (plus "children" on the parent, below); first matching "to" clause wins, so
# this comes first. Caveat: write on "entry" also permits delete/rename and lets
# webregister learn that a user DN exists (no real attributes are exposed).
access to dn.regex="^uid=[^,]+,ou=users,dc=theoretic,dc=com$" attrs=entry
 by dn.base="uid=webregister,ou=services,dc=theoretic,dc=com" write
 by self read
 by * none

# Forbid all other access to individual users by WebRegister. The regex is
# anchored with a comma-free uid so it cannot match entries nested below a user.
access to dn.regex="^uid=([^,]+),ou=users,dc=theoretic,dc=com$"
 by dn.regex="^uid=$1,ou=users,dc=theoretic,dc=com$" read
 by * none

# Grant WebRegister access to create new users, even if it can't see them.
# The suffix must match the rules above (dc=theoretic, not dc=example).
access to dn.base="ou=users,dc=theoretic,dc=com" attrs=children
 by dn.base="uid=webregister,ou=services,dc=theoretic,dc=com" write
 by * none
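A way to verify ACLs like these offline with slapacl(8), before restarting slapd, added here as an example and not part of the original post. It assumes the slapd.conf path is given in $SLAPD_CONF, the DNs from the post, a constructed not-yet-existing user DN, and slapacl's "<level> access to <attr>: ALLOWED|DENIED" result lines.

```shell
#!/bin/sh
# Offline check of the WebRegister ACLs with slapacl(8); no running slapd needed.
# Assumptions: slapd.conf path in $SLAPD_CONF, DNs as in the post, and slapacl's
# "<level> access to <attr>: ALLOWED|DENIED" result format (it writes to stderr).
CONF="${SLAPD_CONF:-/etc/openldap/slapd.conf}"
WEBREG="uid=webregister,ou=services,dc=theoretic,dc=com"
PARENT="ou=users,dc=theoretic,dc=com"
NEWUSER="uid=newuser,$PARENT"   # constructed DN of an entry that does not exist yet

# acl_granted LINE: succeed only when a slapacl result line says ALLOWED; DENIED,
# an empty or garbled line all count as not granted, so a missing result never passes.
acl_granted() {
    case "$1" in
        *": ALLOWED"*) return 0 ;;
        *) return 1 ;;
    esac
}

# run_check DN ATTR/LEVEL [-u]: evaluate one ACL as webregister.
# -u builds the entry from its DN alone, for entries not yet in the database.
run_check() {
    slapacl -f "$CONF" -D "$WEBREG" -b "$1" ${3:+-u} "$2" 2>&1 | grep -v '^authcDN'
}

# expect WANT DN ATTR/LEVEL [-u]: WANT is allow or deny; fails on a mismatch.
expect() {
    want=$1; shift
    line=$(run_check "$@")
    if acl_granted "$line"; then got=allow; else got=deny; fi
    [ "$got" = "$want" ] && echo "OK   $2 as webregister on $1: $got" \
        || { echo "FAIL $2 as webregister on $1: got $got ($line)"; return 1; }
}

main() {
    rc=0
    # add needs write on the parent's "children" pseudo-attribute ...
    expect allow "$PARENT" children/write || rc=1
    # ... and write on the new entry's "entry" pseudo-attribute
    expect allow "$NEWUSER" entry/write -u || rc=1
    # but webregister must still not read any real attribute of a user
    expect deny "$NEWUSER" uid/read -u || rc=1
    expect deny "$NEWUSER" userPassword/read -u || rc=1
    return $rc
}

if command -v slapacl >/dev/null 2>&1; then main; else
    echo "slapacl not found; run this on the LDAP server host" >&2; fi
```

A non-zero exit from main means at least one rule does not behave as the post intends.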