Re: realizing 4 eye principle - how?

[Heiko Nardmann <h.nardmann@secunet.de>]

Okay, I looked a bit more at the Administrators Guide but there is no
documentation
for the semantics of the values of this <priv> nonterminal.

Maybe someone could enlighten me? Or should I look at the source code
and maybe update the Administrators Guide documentation?


"Kurt D. Zeilenga" wrote:

> At 01:15 PM 1/23/01 +0100, Heiko Nardmann wrote:
> >I want to realize a 4 eye principle, i.e., one administrator can create
> >empty entries inside the LDAP tree but cannot set attributes;
>
> All entries have some set of attributes.  In particular, they
> must have objectClass attribute as well as an attribute used
> for naming (technically, I guess, you could use objectClass
> for naming, but that would be odd).
>
> >the other
> >one can fill already existing
> >entries with attribute values but cannot create new ones.
> >
> >Is this possible with OpenLDAP 2.0.7?
>
> In OpenLDAP, if you have permission to add X, you have permission
> to delete X.  That is, "modify" rights allow add, modify, and
> delete operations to be performed.
>
> >I have looked at the access control stuff but to me it seems to be
> >impossible at the current state.
> >
> >--

--
Heiko Nardmann (Dipl.-Ing.), h.nardmann@secunet.de, Software Development
secunet Security Networks AG - Sicherheit in Netzwerken (www.secunet.de),
Weidenauer Str. 223-225, D-57076 Siegen
Tel. : +49 271 48950-13, Fax  : +49 271 48950-50