Copying entries without access to all attributes

[Nick Milas <nick@eurobjects.com>]

Hi,

In case we have entries which include some (administrative) attributes 
not visible or writable by a number of our administrator accounts, is 
there a way to allow these administrator accounts to create new entries 
which will forcibly include the aforementioned attributes, e.g. by 
providing default values to them? Ideally, these default attribute 
values should be dependent on the logged-in user (administrator).

{In practice, these admins will be using a GUI to copy existing entries 
to new ones; we want to make sure that any non-visible/non-writable 
attributes will also be copied.}

Any hint regarding such an implementation would be appreciated.

Of course, we could create a front-end application where such operations 
would be executed with elevated privileges so as to ensure writing of 
any required attributes, but it would be nice if this is possible 
without resorting to such a solution (by using standard openldap 
functionality).

Thanks,
Nick