>>> is it possible to restrict the creation of an entry to a specific
>>> objectClass? If so, any hint or assistance would be very welcome.
>>>
>>> Thank you very much!
>>>
>>> Background information follows here:
>>>
>>> The attrs "@person" within the following acl statement seems to have no
>>> effect (during creation). It seems to me attrs=entry already is
>>> granting
>>> access to "all values" (of all kinds of attributes?):
>
>> @<objectClass name> is a shortcut for "all attributes required/allowed by
>> objectClass 'name'". In order to restrict access to specific values of
>> the objectClass attribute you need to use the form
>
>> access to attrs=objectClass val=person
> ...
>> p.
>
> Many thanks for your answer.
>
> hmmm, so my usage of @<objectClass name> sounds correct to me. Please have
> a look into my original example: I wanted to restrict newly created entries
> to be of class "person" only. Thus I restricted the attrs using @person,
> in the hope that account-specific attributes (uid, serialNumber) are
> denied.
>
> Nevertheless, the logs show that an account entry is created.
>
> The sample acl statement works as intended in case of a modify-operation
> (ldapmodify'ing a single attribute of an existing entry). During creation
> the attr=entry seems to overwrite the oc-specific restriction or slapd
> cannot differ between different objectclasses and/or attributes during
> entry creation (ldapadd)?
>
> If I'm wrong, could you please give me a short example acl set that denies
> the creation of account but grants creation of person entries?
You need to use add_content_acl on

See slapd.access(5) for "add" operation requirements and slapd.conf(5)
(or slapd.config(5)) for details on "add_content_acl".

p.

>
> Thanks again!
>

--
Pierangelo Masarati
Associate Professor
Dipartimento di Ingegneria Aerospaziale
Politecnico di Milano
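A slapd.conf ACL set along the lines of the answer above, written as an added example for this thread (it is not the poster's, the responder's or the OpenLDAP project's own configuration), and generalised from the person/account case into an allowlist of objectClass values. It assumes a people subtree ou=people,dc=example,dc=com and a provisioning identity cn=provisioner,dc=example,dc=com; both are placeholders.

```conf
# Global section of slapd.conf (must precede any "database" directive).
# Without this, an add only needs write access to the new entry's "entry"
# pseudo-attribute and the parent's "children"; the attribute values of
# the new entry are not checked, which is the behaviour seen in the thread.
add_content_acl on

# Hypothetical identities and tree (assumptions, not from the thread):
#   provisioning account: cn=provisioner,dc=example,dc=com
#   people subtree:       ou=people,dc=example,dc=com

# Allowlist of objectClass values that may be written. "top" is always
# present, so it must be allowed alongside "person". Any value that falls
# through to the catch-all objectClass rule below (account,
# organizationalPerson, inetOrgPerson, ...) is read-only, so an add
# carrying it is refused with insufficient access.
access to attrs=objectClass val=top
    by dn.exact="cn=provisioner,dc=example,dc=com" write
    by * read
access to attrs=objectClass val=person
    by dn.exact="cn=provisioner,dc=example,dc=com" write
    by * read
access to attrs=objectClass
    by * read

# Password hashes are never readable; the owner may change them.
access to attrs=userPassword
    by dn.exact="cn=provisioner,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none

# Attributes required/allowed by "person" (cn, sn, telephoneNumber, ...).
access to attrs=@person
    by dn.exact="cn=provisioner,dc=example,dc=com" write
    by * read

# What the add operation itself needs: write on the new entry's "entry"
# and on the parent's "children".
access to dn.subtree="ou=people,dc=example,dc=com" attrs=entry,children
    by dn.exact="cn=provisioner,dc=example,dc=com" write
    by * read

# Everything else, including uid and serialNumber from "account", is
# read-only, so an entry that carries them cannot be added either.
access to *
    by * read
```

Rule order matters: slapd uses the first "access to" clause whose target matches, so the value-specific objectClass rules must precede the generic objectClass rule and the @person rule.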
