
Filtering attribute values in ACLs.

First, forgive me if this has been asked... I couldn't find it in the
archives (however, my ability to find things is very poor).

I need to write ACLs (even better if ACIs would work) that can use filters,
not in the ACL matching, but as to whether or not the value could be written.

I.e.:
I want someone to be able to create objectclasses, but only
"objectClass=qmailUser".
I want someone to be able to add the mail attribute, but only if
"(mail=*@theirdomain.tld)".
It would be very sweet if it was possible to allow creation of an uid, only
if the uid value did not already exist elsewhere in the directory... however
I do not expect this.

I know it would be possible to filter on attributes that already exist, but
I need to filter the attributes that they would be creating. Is this
possible within OpenLDAP? If not, surely I am not the only person who has
needed this; what have you used as a solution?

I know I could write a front-end that has all of the restrictions built in,
but that way is very limiting.
I could even run two LDAP servers, the first with loose ACLs and then use a
script to verify the information then replicate the information if it
matches filters. I have even started on this, but A) I don't want to
reinvent the wheel, and B) this way just flat out sucks.

Kenny Austin
kenny@muspellsheim.net
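As an added example (not part of the original post), slapd's `access` directive accepts a `val` qualifier that restricts a clause to particular attribute values, which covers the first two cases above; the provisioning DN, the `ou=users` subtree and the domain are assumed placeholders:

```conf
# slapd.conf access directives (added example; DN, subtree and domain are assumed).
# Clauses are tried in order; the first "access to" that matches a given attribute
# value decides, and slapd evaluates each value of an add/modify on its own.

# Allow the provisioning account to write objectClass, but only the value qmailUser.
access to attrs=objectClass val=qmailUser
    by dn.exact="cn=provisioner,dc=example,dc=com" write
    by * read

# Allow it to write mail, but only addresses in theirdomain.tld (anchored regex).
access to attrs=mail val.regex="^[^@]+@theirdomain[.]tld$"
    by dn.exact="cn=provisioner,dc=example,dc=com" write
    by * read

# Any other objectClass or mail value falls through to this clause, which grants
# no write access, so the add/modify carrying that value is refused.
access to attrs=objectClass,mail
    by * read

# Adding an entry also needs write on the parent's "children" and on the new
# entry's "entry" pseudo-attribute; the rest of the entry stays read-only here.
access to dn.subtree="ou=users,dc=example,dc=com" attrs=entry,children
    by dn.exact="cn=provisioner,dc=example,dc=com" write
    by * read
```

The third case (refusing a uid that already exists elsewhere in the directory) is not a per-value access decision and cannot be expressed with `val`; it needs a check outside the ACL engine.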