Thank you for this information, Dieter and Michael! With "add_content_acl on" this works. I now use the following rule:
access to dn.regex="^uid=([^,]+),cn=settings,dc=base$"
        filter="objectClass=foobar" attrs=objectClass value=foobar
        by dn.regex="^uid=$1,.*dc=base$$" write
        by * none

access to dn.regex="^uid=([^,]+),cn=settings,dc=base$"
        filter="objectClass=foobar" attrs=objectClass
        by dn.regex="^uid=$1,.*dc=base$$" none
        by * +0 break

access to dn.regex="^uid=([^,]+),cn=settings,dc=base$"
        filter="objectClass=foobar" attrs=entry,@foobar
        by dn.regex="^uid=$1,.*dc=base$$" write
        by * none
Using the example below from Dieter would also allow adding other object
classes which don't conflict with the MUST attributes of 'foobar'.
Best regards
Florian
On 30.06.2016 at 22:14, Dieter Klünter wrote:
> On Wed, 29 Jun 2016 14:49:12 +0200,
> Florian Best <[email protected]> wrote:
>
>> Hello,
>>
>> studying the slapd.access man page left me with an open question
>> regarding the control of object creation:
>>
>> * How to allow the creation of objects with a specific objectclass
>> only?
>>
>> For example, I want to prevent that an object with an object class
>> other than 'foobar' is created.
>>
>> Assuming the following LDIF should be valid for an "add" operation:
>>
>>> dn: uid=anton1,cn=settings,dc=ldap,dc=base
>>> objectClass: foobar
>>> uid: anton1
> man slapd.conf(5) search for
> - ditcontentrule
> - add_content_acl
>
> and following access rules:
>
> access to dn.sub=cn=foo,o=bar
> attrs=entry,@foobar
> by *
>
>
> -Dieter
>
--
Florian Best
Open Source Software Engineer
Univention GmbH
be open
Mary-Somerville-Str.1
28359 Bremen
Tel.: +49 421 22232-0
Fax : +49 421 22232-99
[email protected]
http://www.univention.de
Geschäftsführer: Peter H. Ganten
HRB 20755 Amtsgericht Bremen
Steuer-Nr.: 71-597-02876
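As an added illustration (not code from the thread or from OpenLDAP), a small Python model of how slapd walks Florian's three rules for an add operation with add_content_acl on. It assumes a schema for 'foobar' (MUST uid, MAY description, so "@foobar" expands to those two attributes), that adding needs write on the entry pseudo-attribute and on every attribute value, and that an entry matched by no rule is denied; the sample entries and bind DNs are constructed.

```python
import re

# Assumed schema for 'foobar' (not given in the thread): uid MUST, description MAY.
# "@foobar" in an attrs= list expands to these attributes.
FOOBAR_ATTRS = {"uid", "description"}
TARGET = re.compile(r"^uid=([^,]+),cn=settings,dc=base$")
LEVELS = {"none": 0, "write": 4}   # only the two levels the rules use

def rules(entry):
    """The three 'access to' clauses, with $1 already substituted from the target DN.
    Each rule: (attrs it covers, required value or None, list of by-clauses);
    a by-clause is (bind-DN regex or None for '*', level, break-flag)."""
    m = TARGET.match(entry["dn"])
    if not m or "foobar" not in entry["objectClass"]:   # dn.regex and filter= must match
        return []
    owner = re.compile(r"^uid=%s,.*dc=base$" % re.escape(m.group(1)))
    return [
        ({"objectClass"}, "foobar", [(owner, "write", False), (None, "none", False)]),
        ({"objectClass"}, None,     [(owner, "none", False), (None, "none", True)]),
        ({"entry"} | FOOBAR_ATTRS, None, [(owner, "write", False), (None, "none", False)]),
    ]

def access(bind_dn, entry, attr, value):
    """Walk the rules in order, as slapd does, and return the granted level."""
    granted = 0
    for attrs, val, bys in rules(entry):
        if attr not in attrs or (val is not None and val != value):
            continue                      # this access clause does not apply
        for who, level, brk in bys:
            if who is None or who.match(bind_dn):
                granted = LEVELS[level]   # 'none' -> 0; '+0' keeps the accumulated 0
                if brk:
                    break                 # 'break': go on to the next access clause
                return granted
        else:
            return granted                # no by-clause matched: implicit 'by * none'
    return granted                        # nothing (left) to match: denied

def can_add(bind_dn, entry):
    """add_content_acl: adding needs write on 'entry' and on every attribute value."""
    checks = [("entry", None)]
    checks += [(a, v) for a, vals in entry.items() if a != "dn" for v in vals]
    return all(access(bind_dn, entry, a, v) >= LEVELS["write"] for a, v in checks)

# Constructed sample entries, mirroring the LDIF in the thread.
OWN = {"dn": "uid=anton1,cn=settings,dc=base", "objectClass": ["foobar"], "uid": ["anton1"]}
EXTRA = dict(OWN, objectClass=["foobar", "extensibleObject"])
```

The second rule is what blocks EXTRA: the owner is granted nothing on any objectClass value other than foobar, while everyone else falls through with +0 break and is then denied by the third rule.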
