Hallvard B Furuseth wrote:
Don't know, but try access controls to prevent user modifications,
then bypass that for the mods done by the overlay with
<Modifications>.sml_flags |= SLAP_MOD_INTERNAL;
Maybe something like
objectclass ( <oid> NAME 'jakusAddedAttrs' AUXILIARY
MAY ( managed_attr1 $ managed_attr2 $ ... ) )
...
access to filter=(objectclass=jakusAddedAttrs) attrs=@jakusAddedAttrs
by * read
The alternative would be to intercept update operations and return
(prohibited mod ? LDAP_UNWILLING_TO_PERFORM : SLAP_CB_CONTINUE).
Thanks for the idea Hallvard!
We were not able to make it work that way,but we find a temporary work around.
It would however be nice, maybe as a future solution in OpenLDAP,
to have a bit returned with each attribute to set a read only control.
Best regards,
Johan Jakus