
Re: Access to attribute only if certain conditions are fulfilled?



If the status is 'active', the users should be able to change the
loginShell attribute on their object, but not if they're 'passive',

I think you have to use a custom (web)application for it.

One alternative would be to allow changes to loginShell only if the
request comes from inside our network, but I can't figure out how to
do that either.

Maybe this points you in the right direction (OpenLDAP 2.2.17):

access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by self write
        by users read
        by peername.ip=127.0.0.1 read
        by peername.ip=192.168.1.0%255.255.255.0 read
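
An added example, not part of the original message or the poster's configuration: a slapd.conf sketch that applies the same peername.ip syntax, together with a filter on the target entry, to loginShell alone, combining the two conditions raised in the thread. The attribute name status and the subnet are assumptions; combining self and peername.ip in one by clause should be checked against slapd.access(5) for the version in use.

```conf
# Added example. Assumed names: attribute "status", subnet 192.168.1.0/24.
# slapd uses the first "access to" rule whose <what> matches, so these rules
# must appear before the broader "access to *" rule shown above.

# Protect the attribute the condition depends on. Under "access to * by self
# write" a user could otherwise set their own status back to 'active'.
access to attrs=status
        by users read
        by * none

# Entries with status=active: the owner may change loginShell, but only when
# the connection's source address is inside the internal subnet.
# Remove the peername.ip term to make this depend on status alone.
access to filter=(status=active) attrs=loginShell
        by self peername.ip=192.168.1.0%255.255.255.0 write
        by users read
        by * none

# Every other entry (for example status=passive): loginShell is read-only,
# including for the owner.
access to attrs=loginShell
        by users read
        by * none
```

peername.ip matches the TCP source address slapd sees, so connections that arrive through a proxy or NAT device are judged by that device's address.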