Re: Safely Allow Users to Write self Attributes

[Howard Chu <hyc@symas.com>]

Daniel Howard wrote:
> I had to do it this way:
>
> dn: olcDatabase={1}hdb,cn=config
> changetype: modify
> delete: olcAccess
> olcAccess: {2}to * by dn="cn=admin,dc=example,dc=com" write by * read
> -
> add: olcAccess
> olcAccess: {2}to attrs=sshPublicKey,gecos by self write
> -
> add: olcAccess
> olcAccess: {3}to * by dn="cn=admin,dc=example,dc=com" write by * read
>
> You can not have, for example, multiple {2} so you have to delete and then
> add.  In this case, I was using sudo to do the ldapmodify instead of admin, so
> no risk of lockout.  What I am wondering is if this is at all like an atomic
> transaction: either you can apply the whole LDIF at once or not ... if it
> happens in one go you won't get locked out ...

> In the mailing list archives I found a suggestion (no example) that you could
> somehow insert a rule by number ...

Read this http://www.openldap.org/lists/openldap-technical/201603/msg00057.html

The LDAP spec already says that LDAPModify is atomic. Read the specs.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/