Chris Ridd ([EMAIL PROTECTED]) wrote:
>
> There's a gap between the search and the first modify in which another DUA
> could change the value in cn=Registry. You will need a strategy for coping
> with that - perhaps retry the search/modify a couple of times and only fail
> when all the attempts have failed.

One way to handle this is to perform user account management with the credentials of an administrative user who is in LDAP, and not the cn=directory manager entry. For example:

    dn: cn=useradmin,ou=admins,dc=foo,dc=com

And set the access control to allow "useradmin" to manage account objects. All people who do account management know this user's password.

When you perform a user add operation, you "lock the directory" by first changing the special admin user's password, then rebind with the new password and do your work and change the admin user's password back to what it was. If one of the other admins tries to add an account during this time, it will fail due to invalid credentials.

BR,
Mike
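
The search/modify retry suggested in the quoted message, as an added example that is not part of the original thread or any poster's code. It assumes cn=Registry holds a single integer value and that each modify request deletes the exact value it read and adds the new one, so a stale read is rejected; `FakeDirectory`, `NoSuchAttribute`, `allocate` and `run_concurrent` are hypothetical names, and the directory is a constructed in-memory stand-in for a real server.

```python
import threading

class NoSuchAttribute(Exception):
    """Stands in for the LDAP noSuchAttribute result (hypothetical name)."""

class FakeDirectory:
    """Constructed in-memory stand-in for the server holding cn=Registry."""
    def __init__(self, value):
        self._lock = threading.Lock()  # the server applies one modify atomically
        self._value = value

    def search(self):
        with self._lock:
            return self._value

    def modify(self, delete_value, add_value):
        # One modify request: delete the exact old value, add the new one.
        # If another DUA changed the value after our search, the delete
        # does not match and the whole request is rejected.
        with self._lock:
            if self._value != delete_value:
                raise NoSuchAttribute(delete_value)
            self._value = add_value

def allocate(directory, attempts=5):
    """Search, then modify; retry when another client won the race."""
    for _ in range(attempts):
        current = directory.search()
        try:
            directory.modify(delete_value=current, add_value=current + 1)
            return current
        except NoSuchAttribute:
            continue  # value changed between search and modify; re-read
    raise RuntimeError("registry contention: all attempts failed")

def run_concurrent(clients=8, per_client=25, start=1000):
    """Run several clients at once; return the values handed out and the final value."""
    directory = FakeDirectory(start)
    results, guard = [], threading.Lock()
    def worker():
        for _ in range(per_client):
            value = allocate(directory, attempts=1000)
            with guard:
                results.append(value)
    threads = [threading.Thread(target=worker) for _ in range(clients)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sorted(results), directory.search()
```
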