Re: Copying entries without access to all attributes

[Nick Milas <nick@eurobjects.com>]

On 22/3/2012 3:06 ÎÎ, Nick Milas wrote:

> In case we have entries which include some (administrative) attributes 
> not visible or writable by a number of our administrator accounts, is 
> there a way to allow these administrator accounts to create new 
> entries which will forcibly include the aforementioned attributes, 
> e.g. by providing default values to them? Ideally, these default 
> attribute values should be dependent on the logged-in user 
> (administrator).
>
> {In practice, these admins will be using a GUI to copy existing 
> entries to new ones; we want to make sure that any 
> non-visible/non-writable attributes will also be copied.}
>
> Any hint regarding such an implementation would be appreciated.
>
> Of course, we could create a front-end application where such 
> operations would be executed with elevated privileges so as to ensure 
> writing of any required attributes, but it would be nice if this is 
> possible without resorting to such a solution (by using standard 
> openldap functionality).

Having researched this a bit further, I see we can make these 
administrative attributes simply readable (but not invisible), and use 
"add_content_acl=no" (which is the default) to allow creation of new 
entries with even non writable (by the respective administrator) attributes.

But is there a way to do it with invisible attributes too?

Please advise.

Thanks,
Nick