acls: restricting ADD operation with certain content/attributes
(openldap-2.3.21)
I have this ACL:
access to dn.sub="ou=dhcp,dc=example,dc=com"
attrs=children,entry,@dhcpService,@dhcpServer
by group.exact="cn=DHCP Admins,ou=Group,dc=example,dc=com" write
by group.exact="cn=DHCP Readers,ou=System Accounts,dc=example,dc=com" read
by * read
I was under the impression that this would only allow the creation of
entries under ou=dhcp if they had dhcpService or dhcpServer object
classes, but this assumption seems wrong.
So, my question is: is there a way to restrict creation of entries so
that only entries of a certain type (objectClass) can be created? It
seems the entry pseudo-attribute allows the creation of any kind of
entry. The most I could restrict is the RDN of the entry by specifying
it in the <what> clause.
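The point raised above (the entry and children pseudo-attributes grant the right to create an entry without looking at its objectClass) can be seen in a small model of the ADD access check. The following is an added illustration, not the poster's configuration and not slapd's own code: it implements only the documented rule that an ADD needs write on the parent's children pseudo-attribute and on the new entry's entry pseudo-attribute, plus (a simplifying assumption here) write on every attribute value the new entry carries. Group membership, the attribute sets behind the @dhcpService/@dhcpServer shorthand, and the user and entry names are constructed. The second rule set is a hypothetical variant built on the val= qualifier documented in slapd.access(5); how it evaluates here says nothing about what a real slapd 2.3.21 would do with it.

```python
"""Toy evaluator for OpenLDAP-style ACLs applied to an ADD request (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

BASE = "ou=dhcp,dc=example,dc=com"
ADMINS = "cn=DHCP Admins,ou=Group,dc=example,dc=com"
READERS = "cn=DHCP Readers,ou=System Accounts,dc=example,dc=com"

# Constructed group membership (group DN -> member DNs).
ALICE = "uid=alice,ou=People,dc=example,dc=com"
DHCPD = "uid=dhcpd,ou=System Accounts,dc=example,dc=com"
GROUPS = {ADMINS: {ALICE}, READERS: {DHCPD}}

# Assumed expansion of the @objectClass shorthand. In slapd these sets come
# from the loaded schema; this table is only illustrative.
OC_ATTRS = {
    "dhcpService": {"objectClass", "cn", "dhcpPrimaryDN", "dhcpStatements"},
    "dhcpServer": {"objectClass", "cn", "dhcpServiceDN"},
}

LEVELS = {"none": 0, "auth": 1, "compare": 2, "search": 3, "read": 4, "write": 5}


@dataclass
class Rule:
    dn_sub: str                     # scope of dn.sub="..."
    attrs: Set[str]                 # attribute names, pseudo-attributes, expanded @oc
    by: List[Tuple[str, str]]       # (group DN or "*", access level), in order
    val: Optional[str] = None       # optional val= qualifier on a single attribute


def expand_attrs(spec: str) -> Set[str]:
    """Expand 'children,entry,@dhcpService,...' into a flat attribute set."""
    out: Set[str] = set()
    for name in spec.split(","):
        out |= OC_ATTRS[name[1:]] if name.startswith("@") else {name}
    return out


def in_scope(dn: str, base: str) -> bool:
    return dn == base or dn.endswith("," + base)


def who_matches(who: str, requester: str) -> bool:
    return who == "*" or requester in GROUPS.get(who, set())


def access_level(rules, requester, target_dn, attr, value=None) -> int:
    """First rule whose <what> matches wins; its first matching <by> decides."""
    for r in rules:
        if not in_scope(target_dn, r.dn_sub) or attr not in r.attrs:
            continue
        if r.val is not None and value != r.val:
            continue
        for who, level in r.by:
            if who_matches(who, requester):
                return LEVELS[level]
        return LEVELS["none"]       # <what> matched but no <by> did
    return LEVELS["none"]


def can_add(rules, requester, dn, entry) -> Tuple[bool, str]:
    """entry: dict of attribute name -> list of values (exact-case names, a simplification)."""
    parent = dn.split(",", 1)[1]
    if access_level(rules, requester, parent, "children") < LEVELS["write"]:
        return False, "no write on parent children"
    if access_level(rules, requester, dn, "entry") < LEVELS["write"]:
        return False, "no write on entry"
    for attr, values in entry.items():
        for v in values:
            if access_level(rules, requester, dn, attr, v) < LEVELS["write"]:
                return False, f"no write on {attr}={v}"
    return True, "ok"


# The ACL from the post, as one Rule.
POSTED = [Rule(BASE, expand_attrs("children,entry,@dhcpService,@dhcpServer"),
               [(ADMINS, "write"), (READERS, "read"), ("*", "read")])]

# Hypothetical variant: grant write on objectClass only for specific values,
# read on any other value, then fall through to the posted rule.
RESTRICTED = [
    Rule(BASE, {"objectClass"}, [(ADMINS, "write")], val="dhcpService"),
    Rule(BASE, {"objectClass"}, [(ADMINS, "write")], val="dhcpServer"),
    Rule(BASE, {"objectClass"}, [("*", "read")]),
] + POSTED

NEW_DN = "cn=foo," + BASE
# Constructed entries: a dhcpSharedNetwork whose attributes all fall inside the
# @dhcpService set, and a proper dhcpService entry.
SHARED_NET = {"objectClass": ["dhcpSharedNetwork"], "cn": ["foo"]}
SERVICE = {"objectClass": ["dhcpService"], "cn": ["foo"],
           "dhcpPrimaryDN": ["cn=srv," + BASE]}

if __name__ == "__main__":
    print("posted ACL, admin adds dhcpSharedNetwork:", can_add(POSTED, ALICE, NEW_DN, SHARED_NET))
    print("posted ACL, reader adds:", can_add(POSTED, DHCPD, NEW_DN, SHARED_NET))
    print("restricted, admin adds dhcpSharedNetwork:", can_add(RESTRICTED, ALICE, NEW_DN, SHARED_NET))
    print("restricted, admin adds dhcpService:", can_add(RESTRICTED, ALICE, NEW_DN, SERVICE))
```

Under the posted rule set the model admits the dhcpSharedNetwork entry: the entry and children checks never consult objectClass, and objectClass itself is writable as part of the @dhcpService expansion, so any class whose attributes happen to sit inside the allowed set gets through. In the variant, each objectClass value is checked on its own, so a class without a matching val= rule is refused.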