Michael Ströder wrote:
> Howard Chu wrote:
>> Michael Ströder wrote:
>>> Maybe I'm doing something obviously wrong but I don't see it.
>>>
>>> I want to limit the right to reset a counter value solely to zero with this
>>> ACL directive:
>>>
>>> add_content_acl yes
>>> [..]
>>> access to
>>> dn.subtree="ou=ae-dir"
>>> filter="(aeStatus=0)"
>>> attrs=oathHOTPCounter
>>> val/integerMatch="0"
>>> by group/aeGroup/member="cn=2fa admins,cn=2fa,ou=ae-dir" write
>>> by * break
>>> [..]
>>>
>>> The modify request looks like this (old value is 10):
>>>
>>> dn: serialNumber=yubikey-23,cn=2fa,ou=ae-dir
>>> changetype: modify
>>> replace: oathHOTPCounter
>>> oathHOTPCounter: 0
>>> -
>>>
>>> It seems the ACL does not trigger; without the val= part the modification is
>>> allowed (but to any value). I also tried other forms:
>>
>> Your ACL is set on a specific value. The replace op doesn't delete a specific
>> value, it deletes the entire attribute.
>
> Hmm, so for enforcing that a client can only set a specific value I'd have to
> use two ACLs:
> 1. One for deleting an arbitrary value -> =z (or =zr in my case) and
> 2. another one with val=0 -> =a.
>
> Right?
Thanks for pointing out the obvious.
This seems to work like I want:
# allow 2FA admins to add new value 0
access to
dn.subtree="ou=ae-dir"
filter="(aeStatus=0)"
attrs=oathHOTPCounter
val/integerMatch="0"
by group/aeGroup/member="cn=2fa admins,cn=2fa,ou=ae-dir" =ra
by * break
# allow 2FA admins to delete any value
access to
dn.subtree="ou=ae-dir"
filter="(aeStatus=0)"
attrs=oathHOTPCounter
by group/aeGroup/member="cn=2fa admins,cn=2fa,ou=ae-dir" =rz
by * none
Ciao, Michael.
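Added illustration, not part of the thread and not OpenLDAP code: a small Python model of the rule Howard states above, namely that slapd checks a replace as "delete the whole attribute" (no specific value, so a val/...Match ACL does not apply) followed by "add each new value" (where the value-specific ACL does apply). The evaluator, the Acl class and the subject strings are constructed for this example; only the attribute name, the value 0, the group DN and the two ACL shapes come from the messages above. It shows why the single val= ACL with "write" denies the replace while the =ra / =rz pair allows resetting to 0 but nothing else.

```python
"""Constructed model of how slapd evaluates a modify/replace against ACLs.

Not OpenLDAP code. Privilege letters follow slapd: r = read, a = add,
z = delete; the level "write" is treated as add + delete (+ read etc.).
A replace is evaluated as (1) delete access on the attribute with no value,
then (2) add access on each new value.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

ADMINS = "cn=2fa admins,cn=2fa,ou=ae-dir"   # group DN from the thread
WRITE = "razscx"                             # slapd level "write" includes a and z


@dataclass(frozen=True)
class Acl:
    attr: str                       # the attrs=... clause
    val: Optional[str]              # val/...Match="..." clause, None if absent
    by: Tuple[Tuple[str, str], ...]  # ((who, privs | "break" | "none"), ...)


def privileges(acls, who, attr, value):
    """Privilege letters `who` has on (attr, value).

    value=None is an attribute-level check (no specific value), which is what
    slapd performs for the delete half of a replace: ACLs restricted to a
    value cannot match it. The first matching ACL decides, unless the matching
    <by> clause says break; no matching ACL at all means no access.
    """
    for acl in acls:
        if acl.attr != attr:
            continue
        if acl.val is not None and value != acl.val:
            continue                              # value-specific ACL, other value
        for subject, privs in acl.by:
            if subject in (who, "*"):
                if privs == "break":
                    break                         # fall through to later ACLs
                if privs == "none":
                    return frozenset()
                return frozenset(privs)
    return frozenset()


def replace_allowed(acls, who, attr, new_values):
    """Model of the LDAP_MOD_REPLACE check: attribute-level delete first,
    then add access for every value being written."""
    if "z" not in privileges(acls, who, attr, None):
        return False
    return all("a" in privileges(acls, who, attr, v) for v in new_values)


# Michael's original single ACL: value-specific, grants write.
SINGLE_ACL = (
    Acl("oathHOTPCounter", "0", ((ADMINS, WRITE), ("*", "break"))),
)

# The working pair: =ra on value 0, =rz on the attribute as a whole.
TWO_ACLS = (
    Acl("oathHOTPCounter", "0", ((ADMINS, "ra"), ("*", "break"))),
    Acl("oathHOTPCounter", None, ((ADMINS, "rz"), ("*", "none"))),
)

if __name__ == "__main__":
    attr = "oathHOTPCounter"
    print("single ACL, replace with 0 :", replace_allowed(SINGLE_ACL, ADMINS, attr, ["0"]))
    print("two ACLs,   replace with 0 :", replace_allowed(TWO_ACLS, ADMINS, attr, ["0"]))
    print("two ACLs,   replace with 5 :", replace_allowed(TWO_ACLS, ADMINS, attr, ["5"]))
    print("two ACLs,   other user -> 0:", replace_allowed(TWO_ACLS, "cn=someone", attr, ["0"]))
```

The delete step is what the single ACL misses: with no value in play, an ACL carrying val/integerMatch="0" is simply skipped, and nothing else grants =z, so the whole replace is refused. With the pair, =z comes from the attribute-level ACL and =a only for the value 0, so a reset to any other counter value is still denied.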