Thank you for this information, Dieter and Michael! With "add_content_acl on" this works. I now use the following rules:

access to dn.regex="^uid=([^,]+),cn=settings,dc=base$"
        filter="objectClass=foobar"
        attrs=objectClass value=foobar
        by dn.regex="^uid=$1,.*dc=base$$" write
        by * none

access to dn.regex="^uid=([^,]+),cn=settings,dc=base$"
        filter="objectClass=foobar"
        attrs=objectClass
        by dn.regex="^uid=$1,.*dc=base$$" none
        by * +0 break

access to dn.regex="^uid=([^,]+),cn=settings,dc=base$"
        filter="objectClass=foobar"
        attrs=entry,@foobar
        by dn.regex="^uid=$1,.*dc=base$$" write
        by * none

Using the example below from Dieter would also allow adding other object classes that don't conflict with the MUST attributes of 'foobar'.

Best regards
Florian

On 30.06.2016 at 22:14, Dieter Klünter wrote:
> On Wed, 29 Jun 2016 14:49:12 +0200, Florian Best <best@univention.de> wrote:
>
>> Hello,
>>
>> studying the slapd.access man page left me with an open question
>> regarding the control of object creation:
>>
>> * How to allow the creation of objects with a specific objectclass
>> only?
>>
>> For example, I want to prevent an object with an object class
>> other than 'foobar' from being created.
>>
>> Assuming the following LDIF should be valid for an "add" operation:
>>
>>> dn: uid=anton1,cn=settings,dc=ldap,dc=base
>>> objectClass: foobar
>>> uid: anton1
>
> man slapd.conf(5), search for
> - ditcontentrule
> - add_content_acl
>
> and the following access rules:
>
> access to dn.sub=cn=foo,o=bar
>         attrs=entry,@foobar
>         by *
>
>
> -Dieter

-- 
Florian Best
Open Source Software Engineer
Univention GmbH
be open
Mary-Somerville-Str.1
28359 Bremen
Tel.: +49 421 22232-0
Fax : +49 421 22232-99
best@univention.de
http://www.univention.de
Managing Director: Peter H. Ganten
HRB 20755 Amtsgericht Bremen
Tax no.: 71-597-02876
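The three rules above work because, with add_content_acl on, an add operation needs write access to every attribute value of the new entry, and the first rule grants that for objectClass only when the value is exactly foobar. The following Python script is an added illustration of that evaluation order; it is not OpenLDAP code and not part of the mail thread. It models only what those three rules use (dn.regex with a $1 capture, an objectClass equality filter, attrs/val selectors, ordered "by" clauses and "+0 break") and then replays constructed add requests against them. The bind DN uid=anton1,cn=users,dc=base, the stand-in schema for "@foobar" and the requirement on the parent's "children" pseudo-attribute being left out are all assumptions made for the example.

```python
"""Simplified model of slapd ACL evaluation for the three rules in the mail.

Added illustration, not OpenLDAP code: it implements only the selectors those
rules use and slapd's first-matching-rule / first-matching-by semantics.
"""
import re

ACCESS_LEVELS = {"none": 0, "disclose": 1, "auth": 2, "compare": 3,
                 "search": 4, "read": 5, "write": 6}

# Constructed stand-in for what slapd derives from the schema for "@foobar":
# the attributes the object class (and its superiors) MUST or MAY carry.
SCHEMA = {"foobar": {"objectclass", "uid", "description"}}


class Rule:
    """One 'access to <dn.regex> [filter] attrs [val] by ...' directive."""

    def __init__(self, dn_regex, attrs, filter_oc=None, val=None, by=()):
        self.dn_regex = dn_regex
        self.attrs = {a.lower() for a in attrs}
        self.filter_oc = filter_oc        # only "objectClass=<x>" filters are modelled
        self.val = val                    # exact-match val= selector on the attribute value
        self.by = list(by)                # (who, level, break) clauses, in order

    def selects(self, target_dn, entry, attr, value):
        """Return the dn.regex match if this rule's 'to' part applies, else None."""
        m = re.search(self.dn_regex, target_dn)
        if not m:
            return None
        ocs = {v.lower() for v in entry.get("objectclass", [])}
        if self.filter_oc and self.filter_oc.lower() not in ocs:
            return None
        if attr not in self.attrs:
            return None
        if self.val is not None and value != self.val:
            return None
        return m


def expand_who(who, m):
    """Substitute $1 (capture from the 'to' regex) and $$ (literal $) in a by-clause regex."""
    out = who.replace("$$", "\0").replace("$1", re.escape(m.group(1)))
    return out.replace("\0", "$")


def access_allowed(rules, bind_dn, target_dn, entry, attr, value, needed="write"):
    """First rule whose 'to' part matches decides; its first matching 'by' clause
    sets the level, except that 'break' grants nothing and moves on to the next
    rule. No match at all is a deny (slapd's implicit trailing 'by * none')."""
    for rule in rules:
        m = rule.selects(target_dn, entry, attr, value)
        if m is None:
            continue
        for who, level, brk in rule.by:
            if who != "*" and not re.search(expand_who(who, m), bind_dn):
                continue
            if brk:
                break                     # '+0 break': try the next 'access to' rule
            return ACCESS_LEVELS[level] >= ACCESS_LEVELS[needed]
        else:
            return False                  # no 'by' clause matched this bind DN
    return False


def can_add(rules, bind_dn, target_dn, entry):
    """add_content_acl on: the add needs write access to the 'entry' pseudo-attribute
    and to every attribute value being added. (slapd also requires write on the
    parent's 'children' pseudo-attribute; that is outside these rules and omitted.)
    Returns (allowed, first_denied_item)."""
    entry = {k.lower(): v for k, v in entry.items()}
    if not access_allowed(rules, bind_dn, target_dn, entry, "entry", None):
        return False, "entry"
    for attr, values in entry.items():
        for v in values:
            if not access_allowed(rules, bind_dn, target_dn, entry, attr, v):
                return False, f"{attr}={v}"
    return True, None


TO_DN = r"^uid=([^,]+),cn=settings,dc=base$"
BY_SELF = r"^uid=$1,.*dc=base$$"
RULES = [
    # objectClass value "foobar": writable by the owner, denied to everyone else
    Rule(TO_DN, ["objectClass"], filter_oc="foobar", val="foobar",
         by=[(BY_SELF, "write", False), ("*", "none", False)]),
    # any other objectClass value: owner explicitly denied, others fall through ("+0 break")
    Rule(TO_DN, ["objectClass"], filter_oc="foobar",
         by=[(BY_SELF, "none", False), ("*", "none", True)]),
    # the entry itself and the attributes foobar allows: writable by the owner
    Rule(TO_DN, ["entry", *SCHEMA["foobar"]], filter_oc="foobar",
         by=[(BY_SELF, "write", False), ("*", "none", False)]),
]

OWNER = "uid=anton1,cn=users,dc=base"          # constructed bind DN of the owner
TARGET = "uid=anton1,cn=settings,dc=base"


def demo():
    """Replay constructed add requests against RULES; see the test assertions."""
    return {
        "own_foobar": can_add(RULES, OWNER, TARGET,
                              {"objectClass": ["foobar"], "uid": ["anton1"]}),
        "extra_objectclass": can_add(RULES, OWNER, TARGET,
                              {"objectClass": ["foobar", "extensibleObject"], "uid": ["anton1"]}),
        "foreign_attribute": can_add(RULES, OWNER, TARGET,
                              {"objectClass": ["foobar"], "uid": ["anton1"], "userPassword": ["x"]}),
        "other_users_entry": can_add(RULES, OWNER, "uid=berta,cn=settings,dc=base",
                              {"objectClass": ["foobar"], "uid": ["berta"]}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The second request is the one the thread is about: the entry still carries objectClass foobar, so the filter matches, but the extra value extensibleObject misses the val=foobar rule, lands on the second rule and is denied for the owner before the "@foobar" rule is ever reached. With only Dieter's single "attrs=entry,@foobar" rule, that value would be accepted as long as the added attributes stay within what foobar allows.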