acls: restricting ADD operation with certain content/attributes
(openldap-2.3.21)

I have this ACL:

access to dn.sub="ou=dhcp,dc=example,dc=com"
        attrs=children,entry,@dhcpService,@dhcpServer
        by group.exact="cn=DHCP Admins,ou=Group,dc=example,dc=com" write
        by group.exact="cn=DHCP Readers,ou=System Accounts,dc=example,dc=com" read
        by * read

I was under the impression that this would only allow the creation of
entries under ou=dhcp if they had dhcpService or dhcpServer object
classes, but this assumption seems wrong.

So, my question is: is there a way to restrict creation of entries so
that only entries of a certain type (objectClass) can be created? It
seems the entry pseudo-attribute allows the creation of any kind of
entry. The most I could restrict is the RDN of the entry by specifying
it in the <what> clause.