[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: restricting attributes to become RDN , which objects are created

To: ando@sys-net.it
Subject: Re: restricting attributes to become RDN , which objects are created
From: Gavin Henry <ghenry@suretecsystems.com>
Date: Tue, 02 Oct 2007 09:56:24 +0100
Cc: arunachalamp@huawei.com, openldap-software@openldap.org
In-reply-to: <33046.193.203.230.29.1191313991.squirrel@193.203.230.29>
Organization: Suretec Systems Ltd.
References: <001301c80410$e769af30$5219120a@china.huawei.com> <A81D9CCD83716CCE28565811@[192.168.1.3]> <33046.193.203.230.29.1191313991.squirrel@193.203.230.29>
User-agent: Thunderbird 2.0.0.6 (X11/20070728)

Pierangelo Masarati wrote:

Why do you let users create their own objects?
Letting authorized users create objects is a legitimate policy. Restricting the form of a RDN by means of ACL is the only way an administrator can enforce well-behaved entry creation by those users.
For example, if you want that entries whose parent is "ou=People" can only
use "uid" as the naming attribute, you can add a rule like [*]
access to dn="ou=People" attrs=children
    by users =w
access to dn.regex="^uid=[^,]+,ou=People$" attrs=entry
    by users =w
p.
[*] this set of rules is far from complete, so please don't just use it as
is and complain because nothing works.

Nice example. I never thought of doing it this way. One for the docs I think.

Gavin.

References:
- RE: restricting attributes to become RDN , which objects are created
  - From: Arunachalam Parthasarathy <arunachalamp@huawei.com>
- RE: restricting attributes to become RDN , which objects are created
  - From: Quanah Gibson-Mount <quanah@zimbra.com>
- RE: restricting attributes to become RDN , which objects are created
  - From: "Pierangelo Masarati" <ando@sys-net.it>

Prev by Date: Re: restricting attributes to become RDN , which objects are created
Next by Date: Re: delete entries Delta syncrepl
Index(es):
- Chronological
- Thread