[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL entry creation restricted to objectClass

>>> is it possible to restrict the creation of an entry to a specific
>>> objectClass? If so, any hint or assistance would be very welcome.
>>> Thank you very much!
>>> Background information follows here:
>>> The attrs "@person" within the following acl statement seems to have no
>>> effect (during creation). It seems to me attrs=entry already is
>>> granting
>>> access to "all values" (of all kind of attributes?):
>>@<objectClass name> is a shortcut for "all attributes required/allowed by
>>objectClass 'name'".  In order to restrict access to specific values of
>>the objectClass attribute you need to use the form
>>access to attrs=objectClass val=person
>    ...
> Many thanks for your answer.
> hmmm, so my usage of @<objectClass name> sound correct to me. Please have
> a look into my original example: I wanted to restrict newly created entry
> to be of class "person" only. Thus I restricted the attrs using @person,
> in the hope that account-specific attributes (uid, serialNumber) are
> denied.
> Nevertheless, the logs show that an account entry is created.
> The sample acl statement works as intended in case of a modify-operation
> (ldapmodify'ing a single attribute of an existsing entry). During creation
> the attr=entry seems to overwrite the oc-specific restriction or slapd
> cannot differ between differen objectclasses and/or attributes during
> entry creation (ldapadd)?
> If I'm wrong, could you please give me a short example acl set that denies
> the creation of account but grants creation of person entries?

You need to use

add_content_acl on

See slapd.access(5) for "add" operation requirements and slapd.conf(5) (or
slapd.config(5)) for details on "add_content_acl".


> Thanks again!

Pierangelo Masarati
Associate Professor
Dipartimento di Ingegneria Aerospaziale
Politecnico di Milano