[Date Prev][Date Next]
Re: ACL to allow an attribute to be cleared, but not changed to something else?
On Wed, 30 Jun 2010, Tim Gustafson wrote:
access to attrs=userPassword,sambaNTPassword filter=(localLockedAccount!=TRUE)
by self write
by anonymous auth
by * compare
Would that work? Can you stack "to attrs" with a "filter" statement
Yes, that's a supported syntax.
grant delete access, then the user shouldn't be able to bind.
Can you grant delete access to a particular attribute? I guess that was
my original question.
Sure. That's documented as one of the supported <level> choices in
slapd.access(5) man page. (Note that that same page has the explicit
answer to your earlier question; "The dn, filter, and attrs statements are
additive; they can be used in sequence to select entities the access rule
applies to based on naming context, value and attribute type
simultaneously.") Perhaps a look through that is in order...