
Re: ACL: access to all values vs. to value

> Gavin Henry wrote:
>>> is there a possibility to create an acl statement that grants access to any
>>> (unknown) value of an attribute but denies access to all values of the same
>>> attribute?
>> Can you explain that again?
> BTW: Your answer didn't find its way into the openldap-technical archive:
> http://www.openldap.org/lists/openldap-technical/201208/threads.html
> Nevertheless, please let me

Yes, sorry. There was an email issue today.

So you mean the attribute should always be present?

That is normally part of the objectClass definition, i.e. MUST.

I can't think of a way to do it with ACLs. Anyone else?

That's got me thinking. What if you have dynamic group based ACLs,
based on say 'o' and the owner of the entry has self write. They could
add another 'o' attribute putting themselves into an additional group
(depending on the objectclass)? I suppose you just make that attribute
read only.
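As an added illustration of the last point (this is an example written for this page, not configuration from the thread or from the OpenLDAP project), the slapd.conf fragment below shows the weak ACL in which the entry owner can write the attribute that drives a dynamic group, next to the read-only variant. The suffix dc=example,dc=com, the ou=people, ou=projects and cn=engineering names, the cn=Manager DN, and the group/groupOfURLs/member clause (which assumes the dynlist overlay) are all assumptions.

```conf
# Example slapd.conf ACL fragment (added here, not from the original thread).
# Assumed names: dc=example,dc=com, ou=people, ou=groups, ou=projects,
# cn=Manager. The dynamic group below is assumed to be defined as
# (LDIF, shown only for reference):
#   dn: cn=engineering,ou=groups,dc=example,dc=com
#   objectClass: groupOfURLs
#   cn: engineering
#   memberURL: ldap:///ou=people,dc=example,dc=com??sub?(o=Engineering)
# i.e. membership is derived from each user's own 'o' value.

# --- WEAK: users may write their own 'o' ---
# Anyone who can bind as their own entry can add "o: Engineering" to it and
# thereby become a member of the dynamic group, gaining whatever rights the
# group-based rule further down grants.
access to attrs=o
    by self write
    by * read

# --- FIXED: 'o' is read-only for users; only an administrator changes it ---
# Use this stanza INSTEAD of the one above (slapd stops at the first matching
# "access to" clause, so the two are alternatives, not a sequence).
access to attrs=o
    by dn.exact="cn=Manager,dc=example,dc=com" write
    by * read

# Rights granted through the dynamic group (assumed syntax; requires the
# dynlist overlay so that memberURL is expanded into member values).
access to dn.subtree="ou=projects,dc=example,dc=com"
    by group/groupOfURLs/member="cn=engineering,ou=groups,dc=example,dc=com" write
    by * read

# Users keep self-write on attributes that do not feed any group definition.
access to attrs=userPassword,mail,telephoneNumber
    by self write
    by * read
```

Two things to keep in mind when adapting this: slapd evaluates access directives in order and applies the first `to` clause that matches, so the attribute-specific rule for `o` must come before any broader rule such as `access to *`; and the same check applies to any other attribute referenced by a memberURL filter or by a set-based ACL, since giving the entry owner write access to such an attribute lets them change their own group membership.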