Re: index on attribute in acl filter
On Thu, May 09, 2013 at 02:18:55PM -0400, Al wrote:

> I am looking for a way to allow certain support individuals to unlock
> ldap accounts that have been locked by too many failed auth attempts
> (ppolicy), however I do not want them to be able to unlock accounts
> that have been locked for administrative reasons.  I was assuming I
> could use an ACL like the one below, since we lock an account for
> administrative reasons with the same pwdAccountLockedTime value -
> 
> {6}to dn.subtree="cn=users,dc=company,dc=com"
> filter=(!(pwdAccountLockedTime=000001010000Z)) by
> group/groupOfUniqueNames/uniqueMember.exact="cn=user_admins,cn=groups,dc=company,dc=com"
> write  by users read
> {7}to dn.subtree="cn=users,dc=company,dc=com"
> filter=(pwdAccountLockedTime=000001010000Z) by
> group/groupOfUniqueNames/uniqueMember.exact="cn=super_user_admins,cn=groups,dc=company,dc=com"
>  by users read

Those ACIs control general read access - I assume you would
modify them to grant write access to just the
pwdAccountLockedTime attribute. In fact you may need to grant
'manage' access, as this is an operational attribute that is
not usually modified directly.

> I know for a search with that filter, an index on pwdAccountLockedTime
> would be beneficial, but would it help for an acl filter?

An index is very unlikely to make any difference to the ACL
you propose.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
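As an added configuration example (not taken from Andrew's or Al's messages): the two rules from the original post rewritten the way the reply suggests, limited to the one attribute and granting manage rather than blanket write. The subtree, filters and group DNs are the ones Al posted; the attrs clause and the manage level are the assumed changes.

```conf
# Hypothetical slapd.conf ACL fragment (example only).
# Scope the rule to pwdAccountLockedTime so support staff gain no other write
# access to user entries. Unlocking an account means deleting this attribute.
# Rule {6}: entries locked by ppolicy (timestamp is NOT the administrative
# sentinel 000001010000Z) may be unlocked by user_admins.
access to dn.subtree="cn=users,dc=company,dc=com"
        attrs=pwdAccountLockedTime
        filter=(!(pwdAccountLockedTime=000001010000Z))
    by group/groupOfUniqueNames/uniqueMember.exact="cn=user_admins,cn=groups,dc=company,dc=com" manage
    by users read

# Rule {7}: administratively locked entries (sentinel value) may only be
# unlocked by super_user_admins. manage, not write, is used because the
# attribute is operational and not normally modified directly.
access to dn.subtree="cn=users,dc=company,dc=com"
        attrs=pwdAccountLockedTime
        filter=(pwdAccountLockedTime=000001010000Z)
    by group/groupOfUniqueNames/uniqueMember.exact="cn=super_user_admins,cn=groups,dc=company,dc=com" manage
    by users read
```

Because pwdAccountLockedTime is a NO-USER-MODIFICATION operational attribute, the ldapmodify that deletes it may also need the Relax Rules control (ldapmodify -e relax) in addition to the manage privilege; an index on the attribute does not change how these filter clauses are evaluated.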