https://bugs.openldap.org/show_bug.cgi?id=9671
--- Comment #3 from Ondřej Kuzník <[email protected]> ---
On Tue, Sep 07, 2021 at 08:30:27PM +0000, [email protected] wrote:
> So what's the correct process. Using Relax Rules control. Seriously?
>
> Especially this sucks given that access control for using controls does not
> really exist. In Æ-DIR I definitely don't want to grant manage privileges to
> admins doing normal data maintenance.

Hi Michael,
then we should revisit the Behera draft and check where it makes sense
for attributes to be marked NO-USER-MODIFICATION. I've already had to make
changes to the local version where things were omitted:
https://git.openldap.org/openldap/openldap/-/commit/2b007d01dbd924cf11f88c2f8dbba26b5ba8b593

If we can agree and produce a newer draft, we can consider making
changes in the ppolicy overlay. To the best of my knowledge, it is not
possible to mutate schema based on configuration, so making this an admin
choice is not something we can do.

Sounds like adding manage permissions on the attribute (and maybe the
"entry" attribute) could be a targeted way of allowing this operation?

Regards,
