
Re: Access to attribute only if certain conditions are fulfilled?

--On Friday, September 17, 2004 10:18 PM +0200 Erik Forsberg <forsberg+openldap@lysator.liu.se> wrote:


I'm building a member registry for a computer club. A user can have
the status 'active' or 'passive'. The latter meaning he/she didn't pay
the member fee.

If the status is 'active', the users should be able to change the
loginShell attribute on their object, but not if they're 'passive',
since part of turning the member into a 'passive' one is to set the
loginShell so the user can't login on the unix systems that will draw
their account information from LDAP.

Can I solve this with the access control of OpenLDAP?

One alternative would be to allow changes to loginShell only if the
request comes from inside our network, but I can't figure out how to
do that either.


This is fairly easy to implement in OpenLDAP ACL's.

Something like:

# 'what' must be a dn.<scope> specifier, and the user needs 'write' (not just 'read')
# to be able to change the attribute.
access to dn.subtree="cn=accounts,cn=lysator,dc=liu,dc=se" filter=(status=active) attrs=loginShell
	by <whatever> write

You might find this link useful:



--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
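As an added illustration, not part of either message above, here is a slapd.conf fragment covering both approaches from the thread: the filter-based rule (active members may change their own loginShell) and the network-based alternative (peername.ip). The status attribute, the accounts subtree and the 192.168.1.0/24 range are assumptions; note that slapd stops at the first "access to" clause that matches the entry, so the filter-restricted rule must come before the general one.

```conf
# Rule 1: only entries whose status is 'active' match this clause.
# The filter is evaluated against the target entry, so a member that
# has been switched to 'passive' simply falls through to rule 2.
access to dn.subtree="cn=accounts,cn=lysator,dc=liu,dc=se"
        filter=(status=active)
        attrs=loginShell
    by self write
    by users read
    by * none

# Rule 2: everyone else (including passive members) may only read
# loginShell, so the shell set when the account was deactivated stays put.
access to dn.subtree="cn=accounts,cn=lysator,dc=liu,dc=se"
        attrs=loginShell
    by users read
    by * none

# Alternative from the thread: allow the change only from inside the
# club network. The 'self' and 'peername.ip' qualifiers in one 'by'
# clause are ANDed, so a member must be bound as themselves AND connect
# from 192.168.1.0/24 (placeholder range) to get write access.
# (Use this instead of, not in addition to, rule 1.)
#access to dn.subtree="cn=accounts,cn=lysator,dc=liu,dc=se"
#        attrs=loginShell
#    by self peername.ip=192.168.1.0%255.255.255.0 write
#    by users read
#    by * none

# Catch-all so the remaining attributes are still reachable; keep this last.
access to *
    by self write
    by users read
    by * none
```

The 'self' clauses only take effect for authenticated binds, so anonymous clients never get write access regardless of status or source address.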