Re: Authenticated users can create new entries but then only creator can modify entry

[Howard Chu <hyc@symas.com>]

Michael Ströder wrote:
> Howard Chu wrote:
> > Emmanuel Dreyfus wrote:
> > > On Wed, Aug 06, 2008 at 09:38:52AM +0200, Pierangelo Masarati wrote:
> > > > Did you read slapd.access(5)?  Did you read the requirements for the
> > > > add and modify operations?  You need to add access to "entry" to
> > > > allow entry addition; you need to add access to attributes to allow
> > > > their modification.
> > > Speaking about that: how to allow entry creation while maintaining
> > > constraints on what is being added? ie: if you want users to add entries,
> > > but not with a specific attribute set?
> > Currently there's no checking for this.
> > http://www.openldap.org/its/index.cgi/Software%20Enhancements?id=4556
> >
> > It would probably be a good idea to add it.
>
> I'd really like to see support for that. I know a LDAP client which will
> be available for interop testing of DIT structure rules pretty soon. ;-)
>
> Ciao, Michael.
Actually I was referring more to adding the ACL check; DIT structure rules are 
really not the answer to this enhancement request.

I commented on this on -devel some months ago - for fine-grained delegation of 
admin privileges, we really need to be able to control which users can create 
what type of entries under cn=config.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/