Hallvard B Furuseth wrote:
>
> Don't know, but try access controls to prevent user modifications,
> then bypass that for the mods done by the overlay with
>   <Modifications>.sml_flags |= SLAP_MOD_INTERNAL;
>
> Maybe something like
>   objectclass ( <oid> NAME 'jakusAddedAttrs' AUXILIARY
>       MAY ( managed_attr1 $ managed_attr2 $ ... ) )
>   ...
>   access to filter=(objectclass=jakusAddedAttrs) attrs=@jakusAddedAttrs
>       by * read
>
> The alternative would be to intercept update operations and return
>   (prohibited mod ? LDAP_UNWILLING_TO_PERFORM : SLAP_CB_CONTINUE).

Thanks for the idea, Hallvard! We were not able to make it work that way, but we found a temporary workaround. It would however be nice, maybe as a future solution in OpenLDAP, to have a bit returned with each attribute to set a read-only control.

Best regards,
Johan Jakus
