[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Access to attribute only if certain conditions are fulfilled?

To: Erik Forsberg <forsberg+openldap@lysator.liu.se>, openldap-software@OpenLDAP.org
Subject: Re: Access to attribute only if certain conditions are fulfilled?
From: Quanah Gibson-Mount <quanah@stanford.edu>
Date: Fri, 17 Sep 2004 14:09:36 -0700
Content-disposition: inline
In-reply-to: <871xh0myxj.fsf@forsberg.no-ip.info>
References: <871xh0myxj.fsf@forsberg.no-ip.info>

--On Friday, September 17, 2004 10:18 PM +0200 Erik Forsberg <forsberg+openldap@lysator.liu.se> wrote:

Hi!

I'm building a member registry for a computer club. A user can have
the status 'active' or 'passive'. The latter meaning he/she didn't pay
the member fee.

If the status is 'active', the users should be able to change the
loginShell attribute on their object, but not if they're 'passive',
since part of turning the member into a 'passive' one is to set the
loginShell so the user can't login on the unix systems that will draw
their account information from LDAP.

Can I solve this with the access control of OpenLDAP?

One alternative would be to allow changes to loginShell only if the
request comes from inside our network, but I can't figure out how to
do that either.


Erik,

This is fairly easy to implement in OpenLDAP ACL's.

Something like:

access to "cn=accounts,cn=lysator,dc=liu,dc=se" filter=(status=active) attrs=loginShell by <whatever> read

You might find this link useful:

<http://www.stanford.edu/services/directory/openldap/configuration/slapd-acl.html>

--Quanah


--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

References:
- Access to attribute only if certain conditions are fulfilled?
  - From: Erik Forsberg <forsberg+openldap@lysator.liu.se>

Prev by Date: Re: Access to attribute only if certain conditions are fulfilled?
Next by Date: 500 entry limit
Index(es):
- Chronological
- Thread