ACL for only creating entry (SOLVED)
To Ace Suares, Pierangelo Masarati, and others of the list:
Pierangelo's suggestion for the ACLs to get the desired result of
allowing a UID to add new entries to a branch of the LDAP directory, but
also being denied access to read or write to them immediately after
creation (for the purpose of setting up an account registration form for
the general public to use to create accounts for themselves) has worked.
I had to figure out where to place his snippet, but after a short
trial-and-error period, this is my final and complete ACL entry for my
Directory:
<quote from='/etc/openldap/slapd.conf'>
access to attr=userPassword
    by self write
    by anonymous auth
access to dn.base="ou=users,dc=theoretic,dc=com"
    by dn="uid=webregister,ou=services,dc=theoretic,dc=com" write
    by anonymous auth
    by users read
    by self write
    by * none
access to dn.children="ou=users,dc=theoretic,dc=com"
    by dn.exact="uid=webregister,ou=services,dc=theoretic,dc=com" =xcsw
</quote>
These ACLs allow 'uid=webregister' to create a new 'uid' entry under
'ou=users', but forbid it from seeing those entries (both those it
creates and already existing ones), even forbidding write access.
Thank you everyone!
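As an added example (not code from the post or from OpenLDAP), the following Python models slapd's ACL evaluation as documented in slapd.access(5) and runs the posted directives through it, so the grants described above can be checked one by one: webregister gets write on ou=users and on a new child entry but no read beneath it, and anonymous binds get auth on userPassword only. The uid=alice entry is a constructed sample, and the model covers only privilege levels and letters, not the per-operation pseudo-attribute checks slapd performs for add and modify.

```python
# Added example, not from the list post: slapd.access(5)-style evaluation of
# the posted ACL: first matching "access to", then first matching "by" in it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]
LETTERS = {"d": "disclose", "x": "auth", "c": "compare", "s": "search",
           "r": "read", "w": "write"}
WEBREG = "uid=webregister,ou=services,dc=theoretic,dc=com"

def privs(spec):  # a level implies lower levels; "=xcsw" is exactly those
    if spec.startswith("="):
        return {LETTERS[ch] for ch in spec[1:]}
    return set(LEVELS[1:LEVELS.index(spec) + 1])

def norm(dn):
    return dn.replace(", ", ",").lower()

ACL = [  # the post's slapd.conf ACL as (what, [(who, access)...]), file order
    ("attr=userPassword", [("self", "write"), ("anonymous", "auth")]),
    ('dn.base="ou=users,dc=theoretic,dc=com"',
     [('dn="%s"' % WEBREG, "write"), ("anonymous", "auth"),
      ("users", "read"), ("self", "write"), ("*", "none")]),
    ('dn.children="ou=users,dc=theoretic,dc=com"',
     [('dn.exact="%s"' % WEBREG, "=xcsw")]),
]

def what_matches(what, target_dn, attr):
    kind, _, val = what.partition("=")
    val, t = norm(val.strip('"')), norm(target_dn)
    if kind == "attr":
        return attr.lower() == val
    if kind == "dn.base":
        return t == val
    return t != val and t.endswith("," + val)  # dn.children: descendants only

def who_matches(who, bind_dn, target_dn):
    if who in ("*", "anonymous"):
        return who == "*" or bind_dn is None
    if bind_dn is None:  # users, self, dn= and dn.exact= need a bound DN
        return False
    if who in ("users", "self"):
        return who == "users" or norm(bind_dn) == norm(target_dn)
    return norm(bind_dn) == norm(who.split("=", 1)[1].strip('"'))

def allowed(bind_dn, target_dn, attr, priv):
    # bind_dn None is anonymous; attr may be a pseudo-attribute ("entry").
    # Only privilege levels/letters are modelled, not per-operation checks.
    for what, bys in ACL:
        if what_matches(what, target_dn, attr):
            for who, access in bys:
                if who_matches(who, bind_dn, target_dn):
                    return priv in privs(access)
            return False  # implicit "by * none" at the end of a directive
    return priv in privs("read")  # slapd default when no directive matches
```

Because the dn.children directive names no identity other than webregister, the model also reports that an ordinary bound user is denied read on entries beneath ou=users (slapd's implicit final "by * none"), which is worth checking before reusing this ACL as-is.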