
ACL for only creating entry (SOLVED)



To Ace Suares, Pierangelo Masarati, and others of the list:

Pierangelo's suggestion for the ACLs to get the desired result of
allowing a UID to add new entries to a branch of the LDAP directory, but
also being denied access to read or write to them immediately after
creation (for the purpose of setting up an account registration form for
the general public to use to create accounts for themselves) has worked.

I had to figure out where to place his snippet, but after a short trial
and error period, this is my final and complete ACL entry for my
Directory:


<quote from='/etc/openldap/slapd.conf'>

access to attr=userPassword
        by self write
        by anonymous auth

access to dn.base="ou=users,dc=theoretic,dc=com"
        by dn="uid=webregister,ou=services,dc=theoretic,dc=com" write
        by anonymous auth
        by users read
        by self write
        by * none

access to dn.children="ou=users,dc=theoretic,dc=com"
        by dn.exact="uid=webregister,ou=services,dc=theoretic,dc=com" =xcsw

</quote>

These ACLs allow 'uid=webregister' to create a new 'uid' entry under
'ou=users', but forbid it from seeing those entries (both those it
creates and already existing ones), even forbidding write access.

Thank you everyone!
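As an added check that is not part of the thread, the small Python model below evaluates slapd-style access clauses the way slapd.access(5) describes them (only the first clause whose target matches is consulted, the first matching "by" inside it wins, and no match is the implicit "by * none"), so the three clauses from the post can be queried offline: it confirms webregister gets =xcsw with no "r" on child entries, and it also surfaces the point worth checking, namely that because "access to attr=userPassword" comes first and names only self and anonymous, the same requester evaluates to no access on userPassword inside those entries. Assumed: only the target and subject forms used in the post are modelled, the privilege-level expansion is the pre-2.4 one, and the config string embedded below is the post's own three clauses re-typed as sample input.

```python
import re
# slapd.access(5) levels expanded to the letters each implies; "=xcsw" grants exact letters.
LEVELS = {"none": "", "auth": "x", "compare": "cx", "search": "scx",
          "read": "rscx", "write": "wrscx"}   # OpenLDAP 2.4 also adds 'd' (disclose)
def norm(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))

def parse_acl(text):
    """Parse 'access to <target> by <subject> <priv> ...' clauses, keeping file order."""
    acls = []
    for clause in re.split(r"(?m)^access to ", text.strip())[1:]:
        target, *bys = re.split(r"\s+by\s+", clause.strip())
        acls.append((target, [(s, set(p[1:] if p[0] == "=" else LEVELS[p]))
                              for s, p in (by.rsplit(None, 1) for by in bys)]))
    return acls

def target_matches(target, entry_dn, attr):
    kind, _, val = target.partition("=")
    if kind == "attr":   # no dn part, so it applies to that attribute in every entry
        return attr is not None and attr.lower() == val.lower()
    entry, val = norm(entry_dn), norm(val.strip('"'))
    # dn.base is exactly that entry; dn.children is any subordinate, at any depth
    return entry == val if kind == "dn.base" else entry.endswith("," + val)

def subject_matches(subject, requester, entry_dn):
    if subject in ("*", "users", "anonymous"):   # everyone / any bound DN / unbound
        return subject == "*" or (requester is None) == (subject == "anonymous")
    # 'self' is the target entry itself; dn="..." or dn.exact="..." is an exact DN match
    want = entry_dn if subject == "self" else subject.partition("=")[2].strip('"')
    return requester is not None and norm(requester) == norm(want)

def privileges(acls, requester, entry_dn, attr=None):
    """Only the first clause whose target matches is consulted; inside it the first
    matching 'by' wins, and no match is the implicit 'by * none' (no fall-through)."""
    for target, rules in acls:
        if target_matches(target, entry_dn, attr):
            return next((p for s, p in rules if subject_matches(s, requester, entry_dn)), set())
    return set()
SLAPD_ACL = """access to attr=userPassword
  by self write
  by anonymous auth
access to dn.base="ou=users,dc=theoretic,dc=com"
  by dn="uid=webregister,ou=services,dc=theoretic,dc=com" write
  by anonymous auth
  by users read
  by self write
  by * none
access to dn.children="ou=users,dc=theoretic,dc=com"
  by dn.exact="uid=webregister,ou=services,dc=theoretic,dc=com" =xcsw"""
ACLS, WEBREG = parse_acl(SLAPD_ACL), "uid=webregister,ou=services,dc=theoretic,dc=com"
```

Query it with privileges(ACLS, WEBREG, "uid=someone,ou=users,dc=theoretic,dc=com") for the entry as a whole, or add "userPassword" as the last argument for that attribute alone.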