
Re: restricting attributes to become RDN, which objects are created

Pierangelo Masarati wrote:
Why do you let users create their own objects?

Letting authorized users create objects is a legitimate policy. Restricting the form of an RDN by means of ACL is the only way an
administrator can enforce well-behaved entry creation by those users.

For example, if you want entries whose parent is "ou=People" to use only
"uid" as the naming attribute, you can add a rule like [*]

access to dn="ou=People" attrs=children
    by users =w

access to dn.regex="^uid=[^,]+,ou=People$" attrs=entry
    by users =w


[*] this set of rules is far from complete, so please don't just use it as
is and complain because nothing works.

Nice example. I never thought of doing it this way. One for the docs I think.
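A fuller version of the ou=People rule set, added here as an example (not code from the original post or from OpenLDAP itself); it assumes OpenLDAP 2.4, which splits the "write" privilege into "add" and "delete", the suffix dc=example,dc=com, and a policy where any authenticated user may create their own uid-named entry:

```conf
# Added example, not part of the original post. Assumptions: OpenLDAP 2.4,
# suffix dc=example,dc=com, authenticated users create their own entries.
# slapd uses the first "access to" clause whose target matches the request,
# so the most specific targets come first.

# Entries named uid=<value> directly under ou=People. An add needs "add"
# on the entry pseudo-attribute and on every attribute of the new entry;
# afterwards only the owner may change the entry and everyone may read it.
# Note that "by users add" also lets any authenticated user append values
# to an existing uid entry; restrict it to a registration identity if that
# is not acceptable.
access to dn.regex="^uid=[^,]+,ou=People,dc=example,dc=com$"
    by self write
    by users add
    by * read

# Every other direct child of ou=People (cn=..., mail=..., ...) is
# read-only, so an add with a non-uid RDN is refused as insufficient access.
access to dn.onelevel="ou=People,dc=example,dc=com"
    by * read

# Creating a child also needs "add" on the parent's children
# pseudo-attribute; anonymous binds get nothing here.
access to dn.exact="ou=People,dc=example,dc=com" attrs=children
    by users add
    by * none

# Everything else in the tree stays readable.
access to *
    by * read
```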