
Re: Safely Allow Users to Write self Attributes



Daniel Howard wrote:
I had to do it this way:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {2}to * by dn="cn=admin,dc=example,dc=com" write by * read
-
add: olcAccess
olcAccess: {2}to attrs=sshPublicKey,gecos by self write
-
add: olcAccess
olcAccess: {3}to * by dn="cn=admin,dc=example,dc=com" write by * read

You cannot have, for example, multiple {2}, so you have to delete and then
add.  In this case, I was using sudo to do the ldapmodify instead of admin, so
no risk of lockout.  What I am wondering is if this is at all like an atomic
transaction: either you can apply the whole LDIF at once or not ... if it
happens in one go you won't get locked out ...

In the mailing list archives I found a suggestion (no example) that you could
somehow insert a rule by number ...

Read this http://www.openldap.org/lists/openldap-technical/201603/msg00057.html

The LDAP spec already says that LDAPModify is atomic. Read the specs.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
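
The insert-by-index approach the thread alludes to, as an added example that is not part of the original messages and not OpenLDAP's own code. It models what slapd-config(5) documents for ordered attributes such as olcAccess (adding a value with an explicit {n} index inserts it at that position and renumbers the later values, so one "add:" replaces the delete-then-add above), and emits the corresponding LDIF. It also checks the one thing that makes an inserted ACL silently useless: slapd stops at the first "to" clause that matches, so a rule placed after the "to *" catch-all is never consulted. The current rule set, the DN and the rule text are constructed sample data taken from or modelled on the post.

```python
"""
Model of OpenLDAP's ordered olcAccess attribute plus an LDIF generator for
inserting one rule by index.  Added example, not from the thread and not
OpenLDAP code.

Assumption (labelled): slapd-config(5) describes olcAccess values as carrying
a {n} ordering prefix; adding a value with an explicit {n} inserts it at that
position and renumbers everything after it.  The rule list below is a
constructed sample; the DN and the new rule come from the post.
"""
import re

INDEX_RE = re.compile(r"^\{(\d+)\}(.*)$")

# Constructed sample of a database's olcAccess values before the change.
CURRENT_OLCACCESS = [
    '{0}to attrs=userPassword by self write by anonymous auth by * none',
    '{1}to dn.base="" by * read',
    '{2}to * by dn="cn=admin,dc=example,dc=com" write by * read',
]
NEW_RULE = "to attrs=sshPublicKey,gecos by self write"
CONFIG_DN = "olcDatabase={1}hdb,cn=config"


def parse_ordered(values):
    """Return the rules in stored order with the {n} prefixes removed."""
    indexed = []
    for v in values:
        m = INDEX_RE.match(v)
        if not m:
            raise ValueError(f"olcAccess value lacks a {{n}} index: {v!r}")
        indexed.append((int(m.group(1)), m.group(2)))
    indexed.sort(key=lambda pair: pair[0])
    return [rule for _, rule in indexed]


def number(rules):
    """Re-attach {n} prefixes in list order, the way slapd stores them."""
    return [f"{{{i}}}{rule}" for i, rule in enumerate(rules)]


def catchall_index(values):
    """Position of the first 'to *' clause, or None if there is none.

    Access evaluation stops at the first <what> clause matching the target,
    so any rule after 'to *' can never be reached.
    """
    for i, rule in enumerate(parse_ordered(values)):
        if rule.split()[:2] == ["to", "*"]:
            return i
    return None


def insert_rule(values, index, rule):
    """Model of what the server does for 'add: olcAccess' with '{index}rule'.

    Refuses an index past the catch-all, because the rule would be dead there.
    """
    rules = parse_ordered(values)
    if index > len(rules):
        raise ValueError(f"index {index} is past the end ({len(rules)} values)")
    catchall = catchall_index(values)
    if catchall is not None and index > catchall:
        raise ValueError(
            f"index {index} is after the 'to *' rule at {{{catchall}}}; "
            "it would never match")
    rules.insert(index, rule)
    return number(rules)


def insert_ldif(dn, index, rule):
    """LDIF for a single ldapmodify: one modify operation, one inserted value."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "add: olcAccess",
        f"olcAccess: {{{index}}}{rule}",
        "",
    ])


if __name__ == "__main__":
    print("before:", *CURRENT_OLCACCESS, sep="\n  ")
    print("after: ", *insert_rule(CURRENT_OLCACCESS, 2, NEW_RULE), sep="\n  ")
    print("\nLDIF to feed to: ldapmodify -Y EXTERNAL -H ldapi:///")
    print(insert_ldif(CONFIG_DN, 2, NEW_RULE))
```

The renumbering here is a model; after applying the LDIF, confirm the order the server actually stored with `ldapsearch -Y EXTERNAL -H ldapi:/// -b 'olcDatabase={1}hdb,cn=config' olcAccess` (assuming, as on the stock Debian setup the sudo route in the post implies, that the cn=config ACL grants the local root SASL EXTERNAL identity access). Because a single modify operation is atomic, either the whole change lands or none of it does, which is what the post was asking about.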