[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL to allow an attribute to be cleared, but not changed to something else?

To: Tim Gustafson <tjg@soe.ucsc.edu>
Subject: Re: ACL to allow an attribute to be cleared, but not changed to something else?
From: Aaron Richton <richton@nbcs.rutgers.edu>
Date: Wed, 30 Jun 2010 11:59:48 -0400 (EDT)
Cc: openldap-technical@openldap.org
In-reply-to: <196401865.335401277912224557.JavaMail.root@mail-01.cse.ucsc.edu>
References: <196401865.335401277912224557.JavaMail.root@mail-01.cse.ucsc.edu>
User-agent: Alpine 2.00 (SOC 1167 2008-08-23)

On Wed, 30 Jun 2010, Tim Gustafson wrote:

access to attrs=userPassword,sambaNTPassword filter=(localLockedAccount!=TRUE)
by self write
by anonymous auth
by * compare
Would that work? Can you stack "to attrs" with a "filter" statementlike that?


Yes, that's a supported syntax.

grant delete access, then the user shouldn't be able to bind.
Can you grant delete access to a particular attribute? I guess that wasmy original question.

Sure. That's documented as one of the supported <level> choices inslapd.access(5) man page. (Note that that same page has the explicitanswer to your earlier question; "The dn, filter, and attrs statements areadditive; they can be used in sequence to select entities the access ruleapplies to based on naming context, value and attribute typesimultaneously.") Perhaps a look through that is in order...

References:
- Re: ACL to allow an attribute to be cleared, but not changed to something else?
  - From: Tim Gustafson <tjg@soe.ucsc.edu>

Prev by Date: Re: ACL to allow an attribute to be cleared, but not changed to something else?
Next by Date: Re: LDAP proxy with local database
Index(es):
- Chronological
- Thread