Re: realizing 4 eye principle - how?
Okay, I looked a bit more at the Administrators Guide but there is no
for the semantics of the values of this <priv> nonterminal.
Maybe someone could enlighten me? Or should I look at the source code
and maybe update the Administrators Guide documentation?
"Kurt D. Zeilenga" wrote:
> At 01:15 PM 1/23/01 +0100, Heiko Nardmann wrote:
> >I want to realize a 4 eye principle, i.e., one administrator can create
> >empty entries inside the LDAP tree but cannot set attributes;
> All entries have some set of attributes. In particular, they
> must have objectClass attribute as well as an attribute used
> for naming (technically, I guess, you could use objectClass
> for naming, but that would be odd).
> >the other
> >one can fill already existing
> >entries with attribute values but cannot create new ones.
> >Is this possible with OpenLDAP 2.0.7?
> In OpenLDAP, if you have permission to add X, you have permission
> to delete X. That is, "modify" rights allow add, modify, and
> delete operations to be performed.
> >I have looked at the access control stuff but to me it seems to be
> >impossible at the current state.
Heiko Nardmann (Dipl.-Ing.), firstname.lastname@example.org, Software Development
secunet Security Networks AG - Sicherheit in Netzwerken (www.secunet.de),
Weidenauer Str. 223-225, D-57076 Siegen
Tel. : +49 271 48950-13, Fax : +49 271 48950-50