
Re: allow users to add an auxiliary objectClass to their own entry

François Beretti writes:
> I want to allow users to add to their own LDAP entry a given auxiliary
> objectClass. But just this one, I don't want them to add other
> objectClasses. Is this possible ?

See 'man slapd.access':

 access to attrs=objectClass val=foobarClass
     by self write
     by * read

(Or replace 'by * read' with 'by * none break' if other access
statements further down should specify if other users have access.)

Note that they can also remove the object class from their entries; I
don't know a way to allow add but not remove.
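
A way to check the rule above once it is loaded, as an added example that is not part of the original message: three change records to apply while bound as the user who owns the entry. The DN and "otherClass" are constructed placeholders, and the expected results assume no later access statement grants self write on objectClass.

```ldif
# Constructed test input, not from the original post.
# Assumed entry DN: uid=jdoe,ou=people,dc=example,dc=com
# "otherClass" stands for any auxiliary class in your schema other than
# foobarClass. Assumes foobarClass has no MUST attributes; if it has, add
# them in the same change record, and the user needs write access to them.

# 1. Expected to succeed: the added value matches val=foobarClass.
dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: foobarClass
-

# 2. Expected to fail with "Insufficient access (50)": the value does not
#    match val=foobarClass, so the rule is skipped and later rules decide.
dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: otherClass
-

# 3. Expected to succeed as well: "write" on the value also covers
#    removing it, which is the limitation noted in the message above.
dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: modify
delete: objectClass
objectClass: foobarClass
-
```

Run it with ldapmodify using -c so processing continues past the expected failure in record 2, and repeat it bound as a different user to confirm that none of the three changes is accepted.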