
Re: ACL to allow an attribute to be cleared, but not changed to something else?
Tim Gustafson wrote:

I'd like to let my account managers to clear the passwords of their managees in the event that an employee is no longer active.  So, I've got an ACL like this:

access to attrs=userPassword,sambaNTPassword
 by set="this/manager & user" write
 by * break

But I realized that the ACL also allows the manager to -change- a user's password, which I don't really want.

Is there some ACL that I can grant that would let a manager remove an attribute from another user's account, but not otherwise change the value of that attribute?

If by "manager" you mean the rootdn, it bypasses ACL checking. If you mean a normal user which application-wise is granted higher privileges by ACLs, you need to make use of the granular "a" (add) and "z" (zap) privileges (their union is "w", write).

Something like

access to attrs=userPassword,sambaNTPassword
 # granular privileges take a =/+/- prefix: =z is delete (zap) only,
 # =a is add only, =w is both (write); =z cannot set a new value
 by set="this/manager & user" =z
 by * break

p.
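As an added example (not code from this thread), the same rule written as a cn=config olcAccess value, followed by the LDIF a manager would send to clear a password. Assumed names: the data database is olcDatabase={1}mdb,cn=config, the suffix is dc=example,dc=com, and the entry uid=jdoe; it also relies on slapd treating a modify/replace as delete plus add, which is why =z alone cannot install a new password.

```ldif
# Added example, not from the thread. Assumed: olcDatabase={1}mdb,
# dc=example,dc=com and uid=jdoe are placeholders for a real directory.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
# Managers get =z (delete only). A modify/replace needs both a and z,
# so a manager cannot set a new value; the user keeps =w on their own
# password, and everyone else falls through (break) to later rules.
olcAccess: {0}to attrs=userPassword,sambaNTPassword
  by set="this/manager & user" =z
  by self =w
  by anonymous auth
  by * break

# What a manager can now do to an inactive account: remove the
# attributes outright (a modify/delete with no values needs only z).
dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: modify
delete: userPassword
-
delete: sambaNTPassword
-
```

Both records are applied with ldapmodify; the second fails as a whole with noSuchAttribute if one of the listed attributes is absent, so send only the attributes the entry actually has.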