
Access to attribute only if certain conditions are fulfilled?


I'm building a member registry for a computer club. A user can have
the status 'active' or 'passive', the latter meaning he/she didn't pay
the member fee.

If the status is 'active', the users should be able to change the
loginShell attribute on their object, but not if they're 'passive',
since part of turning the member into a 'passive' one is to set the
loginShell so the user can't log in on the Unix systems that will draw
their account information from LDAP.

Can I solve this with the access control of OpenLDAP?

One alternative would be to allow changes to loginShell only if the
request comes from inside our network, but I can't figure out how to
do that either.

Any ideas?

Erik Forsberg                 http://www.lysator.liu.se/~forsberg/
GPG/PGP Key: 1024D/0BAC89D9
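
One way to express both conditions from the question in slapd's access control, as an added example that is not part of the original post. It assumes a hypothetical `memberStatus` attribute holding the active/passive status, a subtree `ou=People,dc=example,dc=org`, and `192.0.2.0/24` as a stand-in for the club's internal network.

```conf
# slapd.conf ACL sketch (added example, not from the original post).
# Assumptions: members live under ou=People,dc=example,dc=org and carry a
# hypothetical attribute "memberStatus" (active or passive);
# 192.0.2.0/24 is a placeholder for the internal network.

# The status attribute must not be self-writable, otherwise a passive
# member could set it back to active and regain write access below.
access to dn.subtree="ou=People,dc=example,dc=org"
        attrs=memberStatus
    by * read

# Entries matching the filter (active members): the owner may change
# loginShell, but only from the internal network. Use plain "self"
# as the <who> to drop the network condition.
access to dn.subtree="ou=People,dc=example,dc=org"
        filter="(memberStatus=active)"
        attrs=loginShell
    by self peername.ip=192.0.2.0%255.255.255.0 write
    by * read

# All remaining entries, including passive members: loginShell is
# read-only. The first <what> clause that matches an entry decides, so
# this rule has to come after the filtered one.
access to dn.subtree="ou=People,dc=example,dc=org"
        attrs=loginShell
    by * read
```

The rootdn bypasses these rules, so an administrator can still set loginShell when turning a member passive.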