
ACL to allow an attribute to be cleared, but not changed to something else?



Hi,

I'd like to let my account managers clear the passwords of their managees in the event that an employee is no longer active. So, I've got an ACL like this:

access to attrs=userPassword,sambaNTPassword
 by set="this/manager & user" write
 by * break

But I realized that the ACL also allows the manager to -change- a user's password, which I don't really want.

Is there some ACL that I can grant that would let a manager remove an attribute from another user's account, but not otherwise change the value of that attribute?

Tim Gustafson
Baskin School of Engineering
UC Santa Cruz
tjg@soe.ucsc.edu
831-459-5354