SOLVED Re: Can I do this with OpenLDAP acls?

[Steve Sobol <sjsobol@JustThe.net>]

Tony Earnshaw wrote:

> There are many cases in which unprivileged (not necessarily but often
> bound) entities should can be configured not to be able to read details
> - think of homeTelephoneNumber, homeAddress, mobile etc. So "access to *
> by * would never do in my ACLs ;)

FWIW, I solved my dilemma. I changed my schema to specify that masterAccount 
contains a DN, which allowed me to do this:

access to attr=userPassword
        by self write
        by dnattr="masterAccount" write
        by * auth

This allows uid=xyz,ou=users,dc=justthe,dc=net to change the password for any 
account for which that DN is specified in the masterAccount attribute. I am 
able to change the password, for example, for my LDAP entry and one other LDAP 
entry for which my DN is specified as the masterAccount, but I can't change 
anyone else's password without binding as the rootdn.

If I need to give the masterAccount DN more access I can add ACL entries later, 
but my initial goal was to allow a master user to be able to change passwords 
for any of the accounts under his control.

I think this is a much more elegant solution than trying to use sets.

--
JustThe.net Internet & New Media Services, Apple Valley, CA   PGP: 0xE3AE35ED
Steven J. Sobol, Geek In Charge / 888.480.4NET (4638) / sjsobol@JustThe.net
"someone once called me a sofa, but i didn't feel compelled to rush out and buy
slip covers." -adam brower * Hiroshima '45, Chernobyl '86, Windows 98/2000/2003