[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL to allow an attribute to be cleared, but not changed to something else?

On Wed, 30 Jun 2010, Tim Gustafson wrote:

access to attrs=userPassword,sambaNTPassword filter=(localLockedAccount!=TRUE)
by self write
by anonymous auth
by * compare

Would that work? Can you stack "to attrs" with a "filter" statement like that?

Yes, that's a supported syntax.

grant delete access, then the user shouldn't be able to bind.

Can you grant delete access to a particular attribute? I guess that was my original question.

Sure. That's documented as one of the supported <level> choices in slapd.access(5) man page. (Note that that same page has the explicit answer to your earlier question; "The dn, filter, and attrs statements are additive; they can be used in sequence to select entities the access rule applies to based on naming context, value and attribute type simultaneously.") Perhaps a look through that is in order...