Since the LDAP attribute spec (RFC4512) doesn't appear to support enumerated types (probably for a good reason) I wanted to see whether this could be imitated using OpenLDAP's access control mechanisms.
I have a custom attribute "transactionCenterAccountStatus" which should only have values "active", "suspended" or "closed".
So I opened slapd.conf and defined the line
access to attrs=transactionCenterAccountStatus val.regex="active|suspended|closed"
by set="user/transactionCenterRole & [admin]" write by * read
The "slaptest" command didn't complain, so then I restarted slapd. But when I login as the designated user and try to set the attribute to one of the three values I keep getting error 50 - "Insufficient access rights". Clearly, I must be missing something, but I can't see what? :)
I use slapd 2.4.9 (Debian/sid).
-- Vladimir Dzhuvinov * www.valan.net * PGP key ID AC9A5C6C
Description: OpenPGP digital signature