> Hi,
>
> is it possible to restrict the creation of an entry to a specific
> objectClass? If so, any hint or assistance would be very welcome.
>
> Thank you very much!
>
> Background information follows here:
>
> The attrs "@person" within the following ACL statement seems to have no
> effect (during creation). It seems to me attrs=entry already is granting
> access to "all values" (of all kinds of attributes?):

@<objectClass name> is a shortcut for "all attributes required/allowed by
objectClass 'name'". In order to restrict access to specific values of the
objectClass attribute you need to use the form

access to attrs=objectClass val=person ...

p.

>
> -----------------------
> #slapd version: HEAD (also REL_ENG_2_4)
>
> -----------------------
> #acl:
> access to dn.base="dc=example,dc=org" attrs=children
>     by users write
>
> access to dn.one="dc=example,dc=org" attrs=entry,@person
>     by users write
>     by anonymous auth
>
> -----------------------
> #ldapmodify -x -H "ldap://localhost:333/" -D "uid=user,dc=example,dc=org"
> -w user -f /tmp/example_operation.ldif
>
> -----------------------
> #/tmp/example_operation.ldif:
>
> #add a person entry:
> dn: cn=hello,dc=example,dc=org
> changetype: add
> objectClass: person
> objectClass: top
> cn: hello
> sn: hello
> userPassword: hello
>
> #add an account entry:
> dn: cn=world,dc=example,dc=org
> changetype: add
> objectClass: device
> objectClass: top
> cn: world
> serialNumber: 1
>
> #both operations succeed, see log below
>
> -----------------------
> #log (level 128):
> 5050a940 => access_allowed: result not in cache (userPassword)
> 5050a940 => access_allowed: auth access to "uid=user,dc=example,dc=org" "userPassword" requested
> 5050a940 => dn: [1] dc=example,dc=org
> 5050a940 => dn: [2] dc=example,dc=org
> 5050a940 => acl_get: [2] matched
> 5050a940 => acl_get: [2] attr userPassword
> 5050a940 => acl_mask: access to entry "uid=user,dc=example,dc=org", attr "userPassword" requested
> 5050a940 => acl_mask: to value by "", (=0)
> 5050a940 <= check a_dn_pat: users
> 5050a940 <= check a_dn_pat: anonymous
> 5050a940 <= acl_mask: [2] applying auth(=xd) (stop)
> 5050a940 <= acl_mask: [2] mask: auth(=xd)
> 5050a940 => slap_access_allowed: auth access granted by auth(=xd)
> 5050a940 => access_allowed: auth access granted by auth(=xd)
> 5050a940 => access_allowed: add access to "dc=example,dc=org" "children" requested
> 5050a940 => dn: [1] dc=example,dc=org
> 5050a940 => acl_get: [1] matched
> 5050a940 => acl_get: [1] attr children
> 5050a940 => acl_mask: access to entry "dc=example,dc=org", attr "children" requested
> 5050a940 => acl_mask: to all values by "uid=user,dc=example,dc=org", (=0)
> 5050a940 <= check a_dn_pat: users
> 5050a940 <= acl_mask: [1] applying write(=wrscxd) (stop)
> 5050a940 <= acl_mask: [1] mask: write(=wrscxd)
> 5050a940 => slap_access_allowed: add access granted by write(=wrscxd)
> 5050a940 => access_allowed: add access granted by write(=wrscxd)
> 5050a940 => access_allowed: add access to "cn=hello,dc=example,dc=org" "entry" requested
> 5050a940 => dn: [1] dc=example,dc=org
> 5050a940 => dn: [2] dc=example,dc=org
> 5050a940 => acl_get: [2] matched
> 5050a940 => acl_get: [2] attr entry
> 5050a940 => acl_mask: access to entry "cn=hello,dc=example,dc=org", attr "entry" requested
> 5050a940 => acl_mask: to all values by "uid=user,dc=example,dc=org", (=0)
> 5050a940 <= check a_dn_pat: users
> 5050a940 <= acl_mask: [1] applying write(=wrscxd) (stop)
> 5050a940 <= acl_mask: [1] mask: write(=wrscxd)
> 5050a940 => slap_access_allowed: add access granted by write(=wrscxd)
> 5050a940 => access_allowed: add access granted by write(=wrscxd)
> 5050a940 => access_allowed: add access to "dc=example,dc=org" "children" requested
> 5050a940 => dn: [1] dc=example,dc=org
> 5050a940 => acl_get: [1] matched
> 5050a940 => acl_get: [1] attr children
> 5050a940 => acl_mask: access to entry "dc=example,dc=org", attr "children" requested
> 5050a940 => acl_mask: to all values by "uid=user,dc=example,dc=org", (=0)
> 5050a940 <= check a_dn_pat: users
> 5050a940 <= acl_mask: [1] applying write(=wrscxd) (stop)
> 5050a940 <= acl_mask: [1] mask: write(=wrscxd)
> 5050a940 => slap_access_allowed: add access granted by write(=wrscxd)
> 5050a940 => access_allowed: add access granted by write(=wrscxd)
> 5050a940 => access_allowed: add access to "cn=world,dc=example,dc=org" "entry" requested
> 5050a940 => dn: [1] dc=example,dc=org
> 5050a940 => dn: [2] dc=example,dc=org
> 5050a940 => acl_get: [2] matched
> 5050a940 => acl_get: [2] attr entry
> 5050a940 => acl_mask: access to entry "cn=world,dc=example,dc=org", attr "entry" requested
> 5050a940 => acl_mask: to all values by "uid=user,dc=example,dc=org", (=0)
> 5050a940 <= check a_dn_pat: users
> 5050a940 <= acl_mask: [1] applying write(=wrscxd) (stop)
> 5050a940 <= acl_mask: [1] mask: write(=wrscxd)
> 5050a940 => slap_access_allowed: add access granted by write(=wrscxd)
> 5050a940 => access_allowed: add access granted by write(=wrscxd)
>
>
>

-- 
Pierangelo Masarati
Associate Professor
Dipartimento di Ingegneria Aerospaziale
Politecnico di Milano
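The `val=` form from the reply, written out as a complete ACL set next to the poster's original. This is an added example, not code from the thread or from the OpenLDAP project; it assumes the same suffix and bind DN as the post, a slapd.conf-style configuration, and (in the slapacl comment at the end) a config path that is only an assumption. The one thing that matters beyond the syntax is ordering: slapd applies the first `access to` clause whose target (DN, attribute and, with `val=`, value) matches the request, so the objectClass value clauses have to precede the `@person` clause, which otherwise decides for objectClass too, since objectClass is required by top, the superior of person.

```conf
# Added example (not from the thread): restrict what ordinary users may
# add under dc=example,dc=org to entries whose objectClass is person.

########## original, as posted: @person expands to the attributes that
########## person requires or allows; it says nothing about which
########## objectClass *values* an added entry may carry.
# access to dn.base="dc=example,dc=org" attrs=children
#     by users write
# access to dn.one="dc=example,dc=org" attrs=entry,@person
#     by users write
#     by anonymous auth

########## corrected: first matching "access to" clause wins, so the
########## value-specific objectClass clauses come before the @person one.

# adding a child requires write on the parent's "children" pseudo-attribute
# (the first add-access check in the posted log)
access to dn.base="dc=example,dc=org" attrs=children
    by users write

# ... and write on the new object's "entry" pseudo-attribute
# (the second add-access check in the posted log)
access to dn.one="dc=example,dc=org" attrs=entry
    by users write

# objectClass: ordinary users may write only these two values.
# val= is an exact match by default (val.exact= is the long form), and
# only a single attribute may be named in attrs= when val= is used.
access to dn.one="dc=example,dc=org" attrs=objectClass val=person
    by users write
access to dn.one="dc=example,dc=org" attrs=objectClass val=top
    by users write

# every other objectClass value (device, account, ...) ends up here:
# readable, but no write for anyone bound as a regular user.  The rootdn
# bypasses ACLs and is not affected.
access to dn.one="dc=example,dc=org" attrs=objectClass
    by users read
    by * none

# the remaining person attributes (cn, sn, userPassword, ...); anonymous
# keeps auth access so the simple bind in the posted log still works
access to dn.one="dc=example,dc=org" attrs=@person
    by users write
    by anonymous auth

# Check without touching the database (config path is an assumption;
# -u makes slapacl use a fake entry with the given DN, so the entry need
# not exist yet).  Expected: add on objectClass=device is DENIED, add on
# objectClass=person is ALLOWED.
#   slapacl -f /etc/openldap/slapd.conf -u -D "uid=user,dc=example,dc=org" \
#       -b "cn=world,dc=example,dc=org" "objectClass/add:device"
#   slapacl -f /etc/openldap/slapd.conf -u -D "uid=user,dc=example,dc=org" \
#       -b "cn=hello,dc=example,dc=org" "objectClass/add:person"
```

The catch-all objectClass clause is what makes the result independent of how `@person` expands: a value that no `val=` clause named is decided there, before the `@person` clause is ever consulted. Keep the `val=` clauses limited to the classes you really want self-service users to create; anything structural they should not be able to choose (account, device, or auxiliary classes that unlock further attributes) simply gets no `val=` clause.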
