
index on attribute in acl filter



Hi,

I am looking for a way to allow certain support individuals to unlock
ldap accounts that have been locked by too many failed auth attempts
(ppolicy), however I do not want them to be able to unlock accounts
that have been locked for administrative reasons.  I was assuming I
could use an ACL like the one below, since we lock an account for
administrative reasons with the same pwdAccountLockedTime value -

{6}to dn.subtree="cn=users,dc=company,dc=com"
    filter=(!(pwdAccountLockedTime=000001010000Z))
    by group/groupOfUniqueNames/uniqueMember.exact="cn=user_admins,cn=groups,dc=company,dc=com" write
    by users read
{7}to dn.subtree="cn=users,dc=company,dc=com"
    filter=(pwdAccountLockedTime=000001010000Z)
    by group/groupOfUniqueNames/uniqueMember.exact="cn=super_user_admins,cn=groups,dc=company,dc=com"
    by users read

I know for a search with that filter, an index on pwdAccountLockedTime
would be beneficial, but would it help for an acl filter?

Does this seem like a reasonable approach?

Thanks in advance,

Al
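For comparison, here is an added example (not part of the post above) of the same two rules written as olcAccess values for cn=config, scoped with attrs= so that the grant covers only pwdAccountLockedTime rather than the whole entry; the DNs and {6}/{7} positions are taken from the post, and the super_user_admins clause is assumed to be intended as write.

```ldif
# Added example, not from the post. Without attrs=, a "to" clause grants
# the listed access to every attribute of the matching entries; with
# attrs=pwdAccountLockedTime the support group can only clear the lock.
# slapd evaluates an ACL filter against the entry it already holds in
# memory, so an index on pwdAccountLockedTime does not affect ACL checks.
#
# Rule {6}: locks set by ppolicy (any value except the permanent-lock
# marker 000001010000Z) may be cleared by user_admins.
olcAccess: {6}to dn.subtree="cn=users,dc=company,dc=com"
  attrs=pwdAccountLockedTime
  filter=(!(pwdAccountLockedTime=000001010000Z))
  by group/groupOfUniqueNames/uniqueMember.exact="cn=user_admins,cn=groups,dc=company,dc=com" write
  by users read
#
# Rule {7}: administrative (permanent) locks may be cleared only by
# super_user_admins; "write" here is an assumption, the post omits it.
olcAccess: {7}to dn.subtree="cn=users,dc=company,dc=com"
  attrs=pwdAccountLockedTime
  filter=(pwdAccountLockedTime=000001010000Z)
  by group/groupOfUniqueNames/uniqueMember.exact="cn=super_user_admins,cn=groups,dc=company,dc=com" write
  by users read
```

Lines beginning with a single space are LDIF continuations of the preceding olcAccess value; the leading space is dropped when the value is reassembled.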