
Re: ACL to allow an attribute to be cleared, but not changed to something else?

> Probably depends on what your LDAP clients are looking for.

We use LDAP for all sorts of things - directory lookups, Linux/SunOS system authentication, web site authentication, and lots more.  Using an additional attribute, like "localLockedAccount" won't work because lots of our clients probably can't be configured to pay attention to that, and even if they could there are just too many different types of clients that change all the time, some of which I don't have any direct control over.  Somehow breaking the ability for a user to bind against the server is really the only way to go.

Which makes me wonder if I could modify the bind ACI to disallow binding to accounts that have the "localLockedAccount" attribute set... something like:

access to attrs=userPassword,sambaNTPassword filter=(!(localLockedAccount=TRUE))
 by self write
 by anonymous auth
 by * compare

Would that work?  Can you stack "to attrs" with a "filter" statement like that?

> grant delete access, then the user shouldn't be able to bind.

Can you grant delete access to a particular attribute?  I guess that was my original question.

Tim Gustafson
Baskin School of Engineering
UC Santa Cruz
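An added example, not part of the thread, of how the filtered-ACL idea discussed above could be written in slapd.conf so that a lock flag blocks simple binds. The attribute name localLockedAccount and the administrator DN are assumptions; the attribute must exist in the schema, and the first rule must precede the general password rule because slapd applies the first "access to" clause whose target matches.

```conf
# Added example (not from the original thread).
# Assumes localLockedAccount is a Boolean attribute defined in the schema
# and cn=admin,dc=example,dc=com is the directory administrator.

# 1. Locked accounts: no identity gets any access to the password
#    attributes, so "by anonymous auth" never applies and a simple bind
#    against such an entry is rejected.
access to attrs=userPassword,sambaNTPassword
        filter=(localLockedAccount=TRUE)
        by * none

# 2. Everyone else: the usual rule. Users may change their own password,
#    anonymous may use it for bind, all others may only compare.
access to attrs=userPassword,sambaNTPassword
        by self write
        by anonymous auth
        by * compare

# 3. Only the administrator may set or clear the lock flag; users get
#    read so they cannot unlock themselves by deleting the attribute.
access to attrs=localLockedAccount
        by dn.exact="cn=admin,dc=example,dc=com" write
        by * read
```

Note that the rootdn bypasses ACLs entirely, so this only constrains ordinary users; a quick check is `ldapwhoami -x -D "<locked user DN>" -w "<password>"`, which should be refused with invalid credentials once the flag is set.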