index on attribute in acl filter
- To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
- Subject: index on attribute in acl filter
- From: Al <afrunning@gmail.com>
- Date: Thu, 9 May 2013 14:18:55 -0400
Hi,
I am looking for a way to allow certain support individuals to unlock
LDAP accounts that have been locked by too many failed auth attempts
(ppolicy); however, I do not want them to be able to unlock accounts
that have been locked for administrative reasons. I was assuming I
could use an ACL like the one below, since we lock an account for
administrative reasons with the same pwdAccountLockedTime value:
{6}to dn.subtree="cn=users,dc=company,dc=com"
    filter=(!(pwdAccountLockedTime=000001010000Z))
    by group/groupOfUniqueNames/uniqueMember.exact="cn=user_admins,cn=groups,dc=company,dc=com" write
    by users read

{7}to dn.subtree="cn=users,dc=company,dc=com"
    filter=(pwdAccountLockedTime=000001010000Z)
    by group/groupOfUniqueNames/uniqueMember.exact="cn=super_user_admins,cn=groups,dc=company,dc=com" write
    by users read
I know that for a search with that filter an index on pwdAccountLockedTime
would be beneficial, but would it help for an ACL filter?
Does this seem like a reasonable approach?
Thanks in advance,
Al
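The following is an added example, not part of the original post and not OpenLDAP project code. It restates the two rules above as olcAccess values for cn=config, with one tightening a reviewer would ask for: each rule is limited with attrs= to pwdAccountLockedTime, so that membership in user_admins grants the right to clear a ppolicy lock and nothing else on the entry (the rules as posted grant write to every attribute of the matching entries). The database DN olcDatabase={1}mdb,cn=config and the {6}/{7} positions are assumptions; the group DNs, subtree and the sentinel value 000001010000Z are taken from the post.

```ldif
# Added example (not from the original post): the two ACL rules as
# olcAccess values under cn=config, narrowed to the one attribute that
# support staff need to change. The database DN and the {6}/{7} rule
# positions are assumptions; adjust them to the real database and order.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
# Accounts locked by ppolicy (pwdAccountLockedTime present but not equal
# to the administrative sentinel): user_admins may clear the lock, and
# nobody else gains write on any other attribute through this rule.
olcAccess: {6}to dn.subtree="cn=users,dc=company,dc=com"
  attrs=pwdAccountLockedTime
  filter=(!(pwdAccountLockedTime=000001010000Z))
  by group/groupOfUniqueNames/uniqueMember.exact="cn=user_admins,cn=groups,dc=company,dc=com" write
  by users read
# Accounts locked administratively (sentinel value 000001010000Z): only
# super_user_admins may clear the lock.
olcAccess: {7}to dn.subtree="cn=users,dc=company,dc=com"
  attrs=pwdAccountLockedTime
  filter=(pwdAccountLockedTime=000001010000Z)
  by group/groupOfUniqueNames/uniqueMember.exact="cn=super_user_admins,cn=groups,dc=company,dc=com" write
  by users read
```

Two points worth checking before relying on this. First, an ACL filter= is evaluated against the individual entry at the moment access to it is checked, not used to select candidates the way a search filter is, so an index on pwdAccountLockedTime speeds up searches that use that attribute but does not change how the ACL itself is evaluated. Second, slapd applies the first "to" clause whose what-part matches the entry and attribute, so the rule order and the attrs= restriction together decide who can write; verify the result on a real entry with slapacl, giving the identity as -D, the entry as -b and pwdAccountLockedTime/write as the attribute to test, once for a member of each group and once for an ordinary user, so that both the ppolicy-locked and the administratively locked case are confirmed to behave as intended.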