
Re: ACL to allow add/remove of a specific objectclass value?

Brandon Hume wrote:
I'm tuning my ACLs, and noting that we have several pieces of software
that require the presence of a specific objectclass.  Up to this point,
they have write access to the objectclass attribute and can add the
specific auxiliary class if needed and then modify the attributes that
come with it.

I'd like to pare down their access.  It'd be nice to be able to allow
them to add and remove the specific objectclass that they work with (in
this case, posixAccount) but not touch the other objectclasses they have
no business modifying (person, etc).

Can an ACL work at this fine-grained a level?  I'm going over the 2.4
docs and the FAQ-o-matic, but not coming across anything.  (Though I'm
certainly building a very nice "Ooo, I should do <x> that way..."

Yes. Read slapd.access(5).

access to attrs=objectclass value=posixAccount
   by <someone> write

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
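A fuller slapd.conf fragment that does what the question asks, as an added example that is not part of the original thread and not OpenLDAP's own documentation. The DNs (the application binding as cn=posixapp,ou=apps,dc=example,dc=com, users under ou=people,dc=example,dc=com, the administrator cn=admin,dc=example,dc=com) are assumptions. The value selector is spelled `val=` here, which is the form documented in slapd.access(5) for OpenLDAP 2.4.

```conf
# Added example (not from the original post); all DNs are assumed.
#
# slapd evaluates "access to" clauses in order and uses the first one
# whose <what> matches the entry, attribute and value being checked, so
# the value-specific objectClass rule must come before the general one.

# 1. The application may add or remove only the posixAccount value of
#    objectClass (val= is an exact match on the value, per slapd.access(5)).
#    In 2.4 you can replace "write" with "add" to let it add the class but
#    never remove it, or "delete" for the reverse.
access to dn.subtree="ou=people,dc=example,dc=com"
        attrs=objectClass val=posixAccount
        by dn.exact="cn=posixapp,ou=apps,dc=example,dc=com" write
        by * read

# 2. Every other objectClass value (person, inetOrgPerson, ...) stays
#    read-only for the application; only the administrator may change it.
access to dn.subtree="ou=people,dc=example,dc=com"
        attrs=objectClass
        by dn.exact="cn=admin,dc=example,dc=com" write
        by * read

# 3. The attributes posixAccount brings with it. uid and userPassword are
#    deliberately left out: both are also allowed by person/inetOrgPerson,
#    so granting them here would let the application touch data it does
#    not own; handle them in their own rule if it really needs them.
access to dn.subtree="ou=people,dc=example,dc=com"
        attrs=uidNumber,gidNumber,homeDirectory,loginShell,gecos
        by dn.exact="cn=posixapp,ou=apps,dc=example,dc=com" write
        by dn.exact="cn=admin,dc=example,dc=com" write
        by * read

# 4. Everything else under ou=people: administrator writes, others read.
access to dn.subtree="ou=people,dc=example,dc=com"
        by dn.exact="cn=admin,dc=example,dc=com" write
        by * read
```

Two things to keep in mind when using a value-level rule like this. First, the application must send modifications as `add`/`delete` of the single value `posixAccount`; a `replace` of the whole objectClass attribute touches the other values too and is refused by rule 2. Second, verify the result before deploying rather than trusting the ordering by eye: slapacl(8) takes `attr[/access][:value]`, so a check such as `slapacl -f slapd.conf -D "cn=posixapp,ou=apps,dc=example,dc=com" -b "uid=someuser,ou=people,dc=example,dc=com" "objectClass/write:posixAccount" "objectClass/write:person"` should report write allowed for the first and denied for the second.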