I'm working on this project: http://www.freeipa.org/page/V3/OTP
Users need to be able to create, edit and delete their own tokens. Each
token has an attribute: ipatokenOwner.
I attempted creating this ACL: (target =
"(objectClass=ipaToken)")(version 3.0; acl "token-add-delete"; allow
(add, delete) userattr = "ipatokenOwner#USERDN";)
After much debugging I found out this is impossible because of this:
Now, in the general case, I can very much understand why this shouldn't
be allowed by default. What alternatives are there with the current
code? Would 389DS be willing to accept a patch to enable this (with a
The general reason why this feature works in my case is that each object
created restricts the user, rather than granting new privileges. This
seems like a valid use case.