[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Authenticated users can create new entries but then only creator can modify entry

Michael Ströder wrote:
Howard Chu wrote:
Emmanuel Dreyfus wrote:
On Wed, Aug 06, 2008 at 09:38:52AM +0200, Pierangelo Masarati wrote:
Did you read slapd.access(5)?  Did you read the requirements for the
add and modify operations?  You need to add access to "entry" to
allow entry addition; you need to add access to attributes to allow
their modification.
Speaking about that: how to allow entry creation while maintaining
constraints on what is being added? ie: if you want users to add entries,
but not with a specific attribute set?

Currently there's no checking for this.

It would probably be a good idea to add it.

I'd really like to see support for that. I know a LDAP client which will be available for interop testing of DIT structure rules pretty soon. ;-)

Ciao, Michael.

Actually I was referring more to adding the ACL check; DIT structure rules are really not the answer to this enhancement request.

I commented on this on -devel some months ago - for fine-grained delegation of admin privileges, we really need to be able to control which users can create what type of entries under cn=config.

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/