Re: Access to attribute only if certain conditions are fulfilled?
--On Friday, September 17, 2004 10:18 PM +0200 Erik Forsberg
> I'm building a member registry for a computer club. A user can have
> the status 'active' or 'passive'. The latter meaning he/she didn't pay
> the member fee.
>
> If the status is 'active', the users should be able to change the
> loginShell attribute on their object, but not if they're 'passive',
> since part of turning the member into a 'passive' one is to set the
> loginShell so the user can't login on the unix systems that will draw
> their account information from LDAP.
>
> Can I solve this with the access control of OpenLDAP?
>
> One alternative would be to allow changes to loginShell only if the
> request comes from inside our network, but I can't figure out how to
> do that either.
This is fairly easy to implement in OpenLDAP ACLs.

access to "cn=accounts,cn=lysator,dc=liu,dc=se" filter=(status=active)
        by <whatever> read
You might find this link useful:
Principal Software Developer
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
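
A fuller form of the filter-based rule from the reply, written out as an added example (not part of the original message and not the poster's or the OpenLDAP project's own configuration). It assumes slapd.conf-style ACLs; the admin DN and the 192.0.2.0/24 network are constructed placeholders. The `status` rule is included because the scheme only holds if members cannot change their own status.

```conf
# Added example: slapd.conf ACL fragment (not from the original thread).
# slapd uses the first "access to" clause whose <what> matches the entry
# and attribute, then the first matching "by" clause inside it.

# 1. Only the registry admin may change 'status'. Without this rule a
#    passive member could set status=active and then match rule 2.
#    (cn=admin,... is a hypothetical DN used for illustration.)
access to dn.subtree="cn=accounts,cn=lysator,dc=liu,dc=se"
        attrs=status
        by dn.exact="cn=admin,cn=lysator,dc=liu,dc=se" write
        by * read

# 2. Entries that currently match (status=active): the owner of the
#    entry may change loginShell, everyone else may only read it.
access to dn.subtree="cn=accounts,cn=lysator,dc=liu,dc=se"
        filter=(status=active)
        attrs=loginShell
        by dn.exact="cn=admin,cn=lysator,dc=liu,dc=se" write
        by self write
        by * read

# 3. Every other entry under the subtree (passive members, or entries
#    with no status at all): loginShell is read-only for the owner.
#    This rule must come after rule 2, otherwise it would match first.
access to dn.subtree="cn=accounts,cn=lysator,dc=liu,dc=se"
        attrs=loginShell
        by dn.exact="cn=admin,cn=lysator,dc=liu,dc=se" write
        by * read

# Variant for the "only from inside our network" alternative in the
# question: conditions listed in one "by" clause are ANDed, so this
# grants write only to the owner connecting from the given network.
# Replace the "by self write" line in rule 2 with:
#
#       by self peername.ip=192.0.2.0%255.255.255.0 write
#
# 192.0.2.0/24 is a documentation range standing in for the club network.

# Rules for the remaining attributes (userPassword and so on) are not
# shown here and must follow these three in the real configuration.
```

A passive member's write to loginShell falls through rule 2 (the filter does not match) and is refused by rule 3, which grants that member read access only.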