
Re: Emulating attribute enumeration



Vladimir Dzhuvinov wrote:
Hello again,

Since the LDAP attribute spec (RFC4512) doesn't appear to support enumerated types (probably for a good reason) I wanted to see whether this could be imitated using OpenLDAP's access control mechanisms.

I have a custom attribute "transactionCenterAccountStatus" which should only have values "active", "suspended" or "closed".

So I opened slapd.conf and defined the line

access to attrs=transactionCenterAccountStatus val.regex="active|suspended|closed"
    by set="user/transactionCenterRole & [admin]" write
    by * read

The "slaptest" command didn't complain, so then I restarted slapd. But when I log in as the designated user and try to set the attribute to one of the three values I keep getting error 50 - "Insufficient access rights". Clearly, I must be missing something, but I can't see what? :)

I did some further testing and here is a more exact description of my observations:

1. If I try to add a new "transactionCenterAccountAttribute" with matching value (e.g. "active", "suspended" or "closed") it gets successfully created;

2. If I try to add a new attribute with a non-matching value (e.g. "bad value") I get error 50;

3. If I try to set an existing matching attribute value to another matching value I get error 50;

4. If I try to set an existing non-matching attribute value to another matching value I also get error 50;

5. If I try to set an existing non-matching attribute value to another non-matching value I get error 50.


Basically, (1),(2) and (5) work as expected (to me), and (3) and (4) are the cases that bother me.


I use slapd 2.4.9 (Debian/sid).

Vladimir

--
Vladimir Dzhuvinov * www.valan.net * PGP key ID AC9A5C6C
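The following is an added illustration, not code from the thread or from OpenLDAP. It is a deliberately simplified Python model of how a value-specific ACL like the one in the post might be evaluated, built on two assumptions that are labelled in the comments: that a clause carrying val.regex is skipped when an access check has no value to match (which is how a "replace" modification, modelled as "delete all values, then add the new one", would end up at the implicit "by * none"), and that the regex is matched POSIX-style, anywhere in the value, unless it is anchored with ^ and $. Under those assumptions the model reproduces the five observations above, shows that a delete-old-value/add-new-value modification would carry a value on both checks, and shows why an unanchored "active|suspended|closed" also accepts values such as "inactive". The "admin" subject stands in for the set= clause; the attribute and value names are taken from the post, everything else is constructed.

```python
import re
from typing import Optional

# Constructed, simplified model (assumption for illustration, not slapd's
# code): clauses are tried in order; the first whose value pattern and "by"
# subject both match decides. A clause with val.regex is skipped when the
# check carries no value. If nothing matches, the implicit "by * none" applies.
ACL_FROM_POST = [
    # (val.regex, subject, granted access); "admin" stands in for the set= clause
    ("active|suspended|closed", "admin", "write"),
    ("active|suspended|closed", "*", "read"),
]
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


def access_for(who: str, value: Optional[str], acl, anchored: bool) -> str:
    """Access level the ACL grants `who` for one value (or for no value)."""
    for pattern, subject, granted in acl:
        if pattern is not None:
            if value is None:
                continue  # nothing to match the regex against: clause does not apply
            regex = f"^(?:{pattern})$" if anchored else pattern
            # re.search, like POSIX regexec, matches anywhere unless anchored
            if re.search(regex, value) is None:
                continue
        if subject in ("*", who):
            return granted
    return "none"  # implicit final "by * none"


def can_write(who: str, value: Optional[str], acl, anchored: bool = False) -> bool:
    return LEVELS.index(access_for(who, value, acl, anchored)) >= LEVELS.index("write")


def add_value(who: str, new: str, acl, anchored: bool = False) -> bool:
    """ldapmodify 'add': write access is checked with the new value present."""
    return can_write(who, new, acl, anchored)


def replace_value(who: str, new: str, acl, anchored: bool = False) -> bool:
    """ldapmodify 'replace', modelled (assumption) as 'delete all values',
    checked without a value, followed by adding the new value."""
    return can_write(who, None, acl, anchored) and can_write(who, new, acl, anchored)


def delete_then_add(who: str, old: str, new: str, acl, anchored: bool = False) -> bool:
    """Two-step modify (delete: old value / add: new value): both checks carry a value."""
    return can_write(who, old, acl, anchored) and can_write(who, new, acl, anchored)


def observations(acl=ACL_FROM_POST, anchored: bool = False) -> dict:
    """Replay the five cases from the post; True means the operation succeeds."""
    who = "admin"
    return {
        1: add_value(who, "active", acl, anchored),
        2: add_value(who, "bad value", acl, anchored),
        3: replace_value(who, "suspended", acl, anchored),
        4: replace_value(who, "closed", acl, anchored),  # old value plays no role here
        5: replace_value(who, "worse", acl, anchored),
        "3 as delete+add": delete_then_add(who, "active", "suspended", acl, anchored),
    }


def unanchored_leak(acl=ACL_FROM_POST) -> dict:
    """An unanchored alternation also matches a value that merely contains a word."""
    value = "inactive"  # constructed value that is not one of the three allowed ones
    return {
        "unanchored": add_value("admin", value, acl),
        "anchored": add_value("admin", value, acl, anchored=True),
    }


if __name__ == "__main__":
    for case, ok in observations().items():
        print(f"case {case}: {'ok' if ok else 'error 50 (insufficient access)'}")
    print(unanchored_leak())
```

Whatever the real cause turns out to be in slapd 2.4.9, the anchoring point stands on its own: the val.regex in the post should read "^(active|suspended|closed)$", otherwise the ACL does not restrict the value set it was meant to emulate.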
