[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL to allow an attribute to be cleared, but not changed to something else?

To: Tim Gustafson <tjg@soe.ucsc.edu>
Subject: Re: ACL to allow an attribute to be cleared, but not changed to something else?
From: Aaron Richton <richton@nbcs.rutgers.edu>
Date: Wed, 30 Jun 2010 10:11:43 -0400 (EDT)
Cc: openldap-technical@openldap.org
In-reply-to: <1855924984.319871277848618150.JavaMail.root@mail-01.cse.ucsc.edu>
References: <1855924984.319871277848618150.JavaMail.root@mail-01.cse.ucsc.edu>
User-agent: Alpine 2.00 (SOC 1167 2008-08-23)

On Tue, 29 Jun 2010, Tim Gustafson wrote:

access to attrs=userPassword,sambaNTPassword
by set="this/manager & user" write
by * break

But I realized that the ACL also allows the manager to -change- a user's password, which I don't really want.

Is there some ACL that I can grant that would let a manager remove an attribute from another user's account, but not otherwise change the value of that attribute?

Probably depends on what your LDAP clients are looking for. Some ideas tothink about:

grant delete access, then the user shouldn't be able to bind. (Assumingcompatible schema and applications.)


grant write access to some sort of "enabled" attribute:

* Perhaps you're using shadowAccounts, or an LDAP group that you couldallow managers to write to (perhaps with a set and/or regex that ensuresthat they only write/delete DNs relevant to their own employees), or it'dbe worth registering your own localAttributeManagerDisabled, or.....

Follow-Ups:
- Re: ACL to allow an attribute to be cleared, but not changed to something else?
  - From: Tim Gustafson <tjg@soe.ucsc.edu>

References:
- ACL to allow an attribute to be cleared, but not changed to something else?
  - From: Tim Gustafson <tjg@soe.ucsc.edu>

Prev by Date: fails to start ldaps://
Next by Date: Re: ACL to allow an attribute to be cleared, but not changed to something else?
Index(es):
- Chronological
- Thread