
Access Control Based On Values?



A little background:

I work at a university.  We determine which users participate in different
services we offer through objectClasses.  For example, if a user belongs
to the objectClass "apuREZnet", the user is a participant in the on-campus
resident network and will have certain fields defined in their entry for
this purpose.

I am looking for a way for administrative users to be able to add and
remove specific objectClasses without adding or removing others.  So, I
would like administrators to be able to add and delete "objectClass:
apuREZnet", but not add and delete "objectClass: posixAccount".  It
appears that I must give access to the "objectClass" attribute in its
entirety or not at all.

Is it possible to define an access control in OpenLDAP that restricts
based on value?  What might a rule look like for that?

- Christoph
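One way to express this, added here as an illustration and not part of Christoph's message: slapd's access directive accepts a value selector on the attribute, `attrs=<attr> val[.<style>]=<value>`, which applies the clause to one attribute and only to values matching `<value>` (exact match under the attribute's equality rule by default, or a regex with `val.regex=`). The suffix `dc=apu,dc=edu`, the `ou=people` subtree, the `cn=rez-admins` group, the manager DN and the two `apuREZnet*` attribute names below are all assumed for the example.

```conf
# Added example, not from the original message; DNs, the admin group and the
# apuREZnet* attribute names are hypothetical.  slapd.conf syntax; the same
# clauses work as olcAccess values under cn=config.

# 1. The value-specific rule must come FIRST: slapd uses the first "access to"
#    clause whose <what> part matches the target, so a broad objectClass rule
#    placed above this one would shadow it.  "val=" is only valid when attrs=
#    names exactly one attribute.
access to dn.subtree="ou=people,dc=apu,dc=edu" attrs=objectClass val=apuREZnet
        by group.exact="cn=rez-admins,ou=groups,dc=apu,dc=edu" write
        by * read

# 2. Dropping the objectClass while attributes that only it allows are still
#    present is rejected as an objectClass violation, so the same admins need
#    write access on those attributes too (placeholder names here).
access to dn.subtree="ou=people,dc=apu,dc=edu" attrs=apuREZnetRoom,apuREZnetMAC
        by group.exact="cn=rez-admins,ou=groups,dc=apu,dc=edu" write
        by * read

# 3. Every other objectClass value (posixAccount, inetOrgPerson, ...) is
#    read-only for the REZnet admins.  The rootdn bypasses ACLs entirely, so
#    it needs no clause of its own.
access to dn.subtree="ou=people,dc=apu,dc=edu" attrs=objectClass
        by dn.exact="cn=manager,dc=apu,dc=edu" write
        by * read
```

Before deploying, slapacl(8) can check the decision offline against the config, one "attr/access:value" spec per value, e.g. `slapacl -f slapd.conf -D "uid=rezadmin,ou=people,dc=apu,dc=edu" -b "uid=jdoe,ou=people,dc=apu,dc=edu" "objectClass/write:apuREZnet" "objectClass/write:posixAccount"`, which for a member of cn=rez-admins should report write granted for the first spec and denied for the second.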