I'm working on this project: http://www.freeipa.org/page/V3/OTP

Users need to be able to create, edit and delete their own tokens. Each token has an attribute: ipatokenOwner. I attempted creating this ACL:

(target = "ldap:///ipatokenuniqueid=*,cn=otp,dc=example,dc=com")(targetfilter = "(objectClass=ipaToken)")(version 3.0; acl "token-add-delete"; allow (add, delete) userattr = "ipatokenOwner#USERDN";)

After much debugging I found out this is impossible because of this:
https://git.fedorahosted.org/cgit/389/ds.git/tree/ldap/servers/plugins/acl/acllas.c#n1282

Now, in the general case, I can very much understand why this shouldn't be allowed by default. What alternatives are there with the current code? Would 389DS be willing to accept a patch to enable this (with an I_KNOW_WHAT_I_AM_DOING flag)?

The general reason why this feature works in my case is that each object created restricts the user, rather than granting new privileges. This seems like a valid use case.

Nathaniel

--
389-devel mailing list
389-devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-devel
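Added example, not part of the post and not 389DS code: a small Python lint that parses an ACI of the shape quoted above and flags the combination the post reports is rejected, namely an allow rule granting add through a userattr ...#USERDN bind rule, so the problem is caught before the ACI is loaded. It assumes the ACI is a single string in the simple one-rule form shown above and does not judge other permissions.

```python
import re

# Constructed sample: the ACI quoted in the post.
TOKEN_ACI = (
    '(target = "ldap:///ipatokenuniqueid=*,cn=otp,dc=example,dc=com")'
    '(targetfilter = "(objectClass=ipaToken)")'
    '(version 3.0; acl "token-add-delete"; allow (add, delete) '
    'userattr = "ipatokenOwner#USERDN";)'
)

# target clauses: (target = "..."), (targetattr != "..."), (targetfilter = "...")
TARGET_RE = re.compile(r'\((target\w*)\s*(!?=)\s*"([^"]*)"\)')
# the version block: (version 3.0; acl "name"; <rules>)
BODY_RE = re.compile(r'\(version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;(.*)\)\s*$', re.S)
# one rule: allow|deny (perm, perm) <bind rule>;
RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*(.*?);', re.S)
# a userattr bind rule whose attribute value is compared to the requester's bind DN
USERDN_BIND_RE = re.compile(r'userattr\s*=\s*"([^"#]+)#USERDN"')


def parse_aci(aci):
    """Split an ACI string into its targets, acl name and permission rules."""
    targets = {key: (op, val) for key, op, val in TARGET_RE.findall(aci)}
    m = BODY_RE.search(aci)
    if not m:
        raise ValueError("no (version 3.0; acl ...) block found")
    name, body = m.groups()
    rules = [
        {"effect": eff, "perms": [p.strip() for p in perms.split(",")], "bind": bind.strip()}
        for eff, perms, bind in RULE_RE.findall(body)
    ]
    return {"name": name, "targets": targets, "rules": rules}


def find_userattr_add_rules(aci):
    """Return (acl name, attribute) for each allow rule that grants 'add' via a
    userattr ...#USERDN bind rule, the combination the post reports 389DS rejects.
    Permissions other than add are deliberately not judged here."""
    parsed = parse_aci(aci)
    hits = []
    for rule in parsed["rules"]:
        m = USERDN_BIND_RE.search(rule["bind"])
        if rule["effect"] == "allow" and "add" in rule["perms"] and m:
            hits.append((parsed["name"], m.group(1)))
    return hits


if __name__ == "__main__":
    for name, attr in find_userattr_add_rules(TOKEN_ACI):
        print(f'acl "{name}": add granted via userattr {attr}#USERDN')
```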