[Date Prev][Date Next] [Chronological] [Thread] [Top]

Access to attribute only if certain conditions are fulfilled?

To: openldap-software@OpenLDAP.org
Subject: Access to attribute only if certain conditions are fulfilled?
From: Erik Forsberg <forsberg+openldap@lysator.liu.se>
Date: Fri, 17 Sep 2004 22:18:48 +0200
User-agent: Gnus/5.1006 (Gnus v5.10.6) Emacs/21.3 (gnu/linux)

Hi!

I'm building a member registry for a computer club. A user can have
the status 'active' or 'passive'. The latter meaning he/she didn't pay
the member fee.

If the status is 'active', the users should be able to change the
loginShell attribute on their object, but not if they're 'passive',
since part of turning the member into a 'passive' one is to set the
loginShell so the user can't login on the unix systems that will draw
their account information from LDAP.

Can I solve this with the access control of OpenLDAP?

One alternative would be to allow changes to loginShell only if the
request comes from inside our network, but I can't figure out how to
do that either.

Any ideas?

\EF
-- 
Erik Forsberg                 http://www.lysator.liu.se/~forsberg/
GPG/PGP Key: 1024D/0BAC89D9

Follow-Ups:
- Re: Access to attribute only if certain conditions are fulfilled?
  - From: Bernhard Erdmann <be@berdmann.de>
- Re: Access to attribute only if certain conditions are fulfilled?
  - From: Quanah Gibson-Mount <quanah@stanford.edu>

Prev by Date: Re: renaming an entry referenced in another object
Next by Date: Re: Access to attribute only if certain conditions are fulfilled?
Index(es):
- Chronological
- Thread